The Nomani scam typically begins with fraudulent advertisements on social media platforms such as Facebook, Messenger, and Threads.
These deceptive ads often target individuals who have fallen victim to previous scams. Scammers exploit the names and branding of organizations like Europol and INTERPOL, falsely claiming they can assist victims in recovering lost funds.
How Malicious Ads Are Spread
Cybercriminals distribute these ads through a combination of fake accounts and hacked profiles. These compromised profiles often belong to small businesses, government organizations, or micro-influencers with sizable followings, making the scams appear more credible.
In addition to using social media ads, the attackers post fake positive reviews on Google to further establish a sense of legitimacy.
Research from ESET highlights that many of these distributing accounts are either newly created with generic names, minimal activity, and few followers, or they are stolen legitimate profiles. (Source: ESET Threat Report)
Phishing Websites as a Key Tool
When victims interact with the fraudulent ads, they are redirected to phishing websites designed to steal sensitive personal information. These websites are highly deceptive and commonly:
Imitate local news websites to appear trustworthy.
Misuse logos and branding from legitimate organizations.
Promote fraudulent cryptocurrency platforms under ever-changing names, such as Quantum Bumex, Immediate Mator, or Bitcoin Trader.
From Data Theft to Financial Exploitation
The phishing websites serve as the first stage of the scam, collecting victims’ contact details. Using this information, scammers reach out directly via phone calls and employ persuasive social engineering tactics to:
Convince victims to invest in fake platforms that promise unrealistic returns.
Encourage victims to take loans under the guise of increasing their investments.
Trick victims into installing remote access software, granting attackers access to sensitive data and systems.
As victims attempt to withdraw their supposed profits, the scam escalates. Fraudsters demand additional payments and request even more personal data, including identification documents and credit card information. At this point, victims not only lose their money but also compromise their private information. This approach mirrors tactics used in “pig butchering” scams.
Who Is Behind the Nomani Operation?
Evidence points to Russian-speaking cybercriminals as the key perpetrators of the Nomani scam. Indicators supporting this conclusion include:
Source code comments written in Cyrillic script.
The use of Yandex tools for monitoring website visitors.
The scale and structure of the Nomani operation resemble large-scale cybercrime networks, such as Telekopye. In these campaigns, different groups specialize in specific tasks, such as:
Hijacking and exploiting Meta accounts to distribute fraudulent ads.
Developing complex phishing websites and infrastructure.
Running call centers to manipulate victims directly.
Global Fraud Patterns: Insights from South Korea’s MIDAS Operation
The Nomani scam aligns with broader global fraud trends. For example, South Korean authorities recently dismantled the MIDAS operation, which defrauded victims of approximately $6.3 million through fake online trading platforms.
Key details from the MIDAS case include:
Victims were recruited via SMS, phone calls, and YouTube videos, as well as engagement in KakaoTalk chat rooms.
Fraudulent trading platforms connected to real brokerage servers to display authentic stock prices and charts, creating the illusion of legitimacy.
Rather than enabling trades, these programs used screen-capturing tools to steal sensitive data and block withdrawal attempts.
The MIDAS case illustrates how cybercriminals blend authentic-looking tools with malicious intentions—a strategy similar to the Nomani campaign.
Protecting Yourself from Scams Like Nomani
To safeguard against scams of this nature, consider the following steps:
1) Be Cautious of Unrealistic Promises: Avoid interacting with ads that claim high investment returns or promise recovery of lost funds.
2) Verify Websites and Apps: Use official company websites rather than clicking on links shared through ads or messages. Always check domain names for signs of phishing.
3) Avoid Remote Access Requests: Never install remote access tools unless instructed to do so by trusted IT professionals or verified platforms.
4) Report Suspicious Activity: Report fraudulent ads, phishing emails, and scam platforms to the relevant social media platforms and cybersecurity authorities.
5) Enhance Your Online Security: Enable two-factor authentication (2FA) on your accounts and use reliable antivirus software to protect your devices from malware.
By staying vigilant and adopting these precautions, individuals can reduce their risk of falling victim to sophisticated scams like Nomani.