- NordVPN discovered a sophisticated adware campaign operating across more than 50,000 websites.
- The malware collects detailed device information to create persistent user profiles.
- Victims can be redirected to phishing pages or malware without clicking on advertisements.
- Avoiding pirate sites, blocking trackers, rejecting browser notifications, and updating software can reduce the risk.
A new investigation by NordVPN has revealed one of the largest adware campaigns seen in recent years, exposing a sophisticated operation that has infected more than 50,000 active websites. The campaign primarily targets users visiting illegal streaming platforms, torrent portals, adult websites, and underground forums, where cybercriminals quietly collect sensitive device information while redirecting visitors to scams and malware.
According to NordVPN’s Threat Intelligence team, the operation is affecting hundreds of thousands of users every month. What appears to be a harmless attempt to stream a movie or download free content can quickly turn into a serious privacy and security risk.
Hidden tracking goes far beyond ordinary advertising
Unlike traditional online advertisements, this campaign relies on a concealed JavaScript component that activates as soon as a real visitor opens an infected webpage. The script creates a detailed fingerprint of the device, allowing attackers to identify and track users even without relying on browser cookies.
The information collected is surprisingly detailed. The adware records processor information, available memory, operating system, browser plugins, and several other technical characteristics that help build a persistent digital profile.
Researchers also found that the malware searches for cryptocurrency wallet extensions such as MetaMask. It checks whether sensors like the accelerometer and gyroscope are available on a device and even performs favicon based checks to determine if a user is currently logged into YouTube.
This extensive fingerprinting allows cybercriminals to deliver highly targeted scams while potentially selling valuable user profiles to third parties for advertising or fraudulent activities.
NordVPN says the campaign demonstrates how cybercriminals have transformed risky browsing habits into a profitable business by monetizing user data on a massive scale.
Simple clicks can trigger malware and phishing attacks
One of the most concerning aspects of this campaign is that users do not need to interact with advertisements to become victims.
Researchers found that simply clicking on an ordinary section of an infected webpage can trigger an automatic redirect. Victims may suddenly land on phishing pages, fake software download websites, malicious browser notification prompts, or pages attempting to install malware.
The campaign also includes advanced techniques to avoid detection. Instead of relying on fixed domains that security companies can block, the operators continuously generate new domains every day. This rotating infrastructure allows the malicious scripts to bypass many traditional ad blockers and browser protection tools.
The malware can even detect when visitors are using ad blocking software. Once detected, it switches to alternative delivery methods that help it continue displaying malicious content while avoiding common filter lists.
To make matters worse, the campaign hides its malicious behaviour when search engine crawlers visit infected websites. This tactic helps pirate sites appear legitimate in search results while continuing to target real users.
How users can reduce their risk
NordVPN advises internet users to avoid websites offering pirated movies, TV shows, premium software, or other illegal content, as these platforms frequently become distribution points for adware, malware, and phishing campaigns.
Using trusted browser security tools and tracker blocking solutions can help reduce exposure to malicious scripts. Users should also refuse browser notification requests from unfamiliar websites, since these permissions are often abused to deliver spam and scams long after leaving the site.
Keeping browsers, operating systems, and security software updated is equally important. Regular updates include protections against newly discovered exploits and malicious scripts that older versions may fail to detect.
The latest findings serve as another reminder that free online content often comes with hidden costs. While users may believe they are saving money, they could instead be exposing their personal data, devices, and online accounts to sophisticated cybercriminal operations designed to profit from every visit.
Follow TechBSB For More Updates
