Global TikTok Scam Uses AI to Spread Malware, Steal Crypto

Arsalan Rathore


August 6, 2025
Updated on August 6, 2025

A newly uncovered cybercrime campaign targets TikTok Shop users with a combination of phishing attacks, fake ads, and malware-laced applications, aiming to steal credentials and cryptocurrency from victims worldwide.

Cybersecurity researchers at Bahrain-based CTM360 have dubbed the operation ClickTok, noting that the threat actors are exploiting the popularity and trust in TikTok’s e-commerce platform through a deceptive, multi-layered strategy.

“Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users,” CTM360 said. “The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking they’re interacting with a legitimate affiliate or the real platform.”

AI-Generated Content Used to Mimic Influencers

At the heart of the campaign is the use of artificial intelligence to create deepfake-style videos that appear to feature authentic influencers or official TikTok brand ambassadors. These videos are disseminated widely through Facebook and TikTok ads, driving unsuspecting users to fraudulent websites designed to look like the official TikTok Shop.

CTM360 reports that more than 15,000 lookalike domains have been created to support the scam, with most hosted on generic top-level domains such as .top, .shop, and .icu. These sites either steal login credentials or prompt users to download malware disguised as a legitimate TikTok Shop app.
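A defender-side triage filter for the kind of lookalike domains described above, added here as an illustration and not part of the article or CTM360's research; the brand token, the allowlist of legitimate registered domains and the watchlist of gTLDs (.top, .shop, .icu) are constructed inputs, and the sample feed contains no real indicators.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed for this example: the impersonated brand, a hypothetical allowlist of
# the platform's real registered domain, and the gTLDs the article names as hosting
# most ClickTok lookalikes.
BRAND = "tiktok"
LEGIT_REGISTERED = {"tiktok.com"}
SUSPICIOUS_TLDS = {"top", "shop", "icu"}
# Leet-style substitutions commonly used to dodge exact brand matching (constructed)
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})

def normalize_label(label: str) -> str:
    """Fold decomposable confusables (e.g. accented letters) to ASCII, then undo leet."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.lower().translate(LEET)

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the generic TLDs discussed here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def score_lookalike(host: str) -> dict:
    """Return whether a hostname looks like a TikTok Shop impersonation and why."""
    host = host.lower().strip(".")
    labels = host.split(".")
    if registered_domain(host) in LEGIT_REGISTERED:
        return {"host": host, "suspicious": False, "reasons": ["allowlisted"]}
    reasons = []
    folded = [normalize_label(l) for l in labels[:-1]]
    if any(BRAND in f for f in folded):          # brand token present after folding
        reasons.append("brand-token")
    sld = folded[-1] if folded else ""
    ratio = SequenceMatcher(None, sld, BRAND).ratio()
    if 0.75 <= ratio < 1.0 and "brand-token" not in reasons:  # one-typo variants
        reasons.append("near-miss-sld")
    if labels[-1] in SUSPICIOUS_TLDS:            # supporting signal, not sufficient alone
        reasons.append("tld-" + labels[-1])
    suspicious = "brand-token" in reasons or "near-miss-sld" in reasons
    return {"host": host, "suspicious": suspicious, "reasons": reasons}

def flag_domains(hosts):
    """Filter a feed (e.g. newly registered domains) down to lookalike candidates."""
    return [r for r in map(score_lookalike, hosts) if r["suspicious"]]

if __name__ == "__main__":
    # Constructed sample feed, not real ClickTok indicators
    sample = ["shop.tiktok.com", "t1kt0k-shop.icu", "tictok.top", "tiktokshop.shop", "example.shop"]
    for r in flag_domains(sample):
        print(r["host"], r["reasons"])
```

The TLD match is kept as a supporting reason only, since plenty of legitimate sites live on .shop and .top; the brand-token and near-miss checks are what drive the verdict.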

Malware Targeting Mobile Users on Android and iOS

Victims who install the malicious application unknowingly activate a cross-platform malware variant known as SparkKitty, which can operate on both Android and iOS devices. Once installed, the app captures credentials, uses optical character recognition to scan screenshots for cryptocurrency wallet seed phrases, and sends the harvested information to servers controlled by the attackers.

In one scenario described by researchers, users are tricked into entering their email login credentials. When these appear to fail, the app prompts users to log in with their Google account, likely as a method to bypass traditional authentication and obtain session tokens without requiring additional validation.

Deceptive Tactics to Extract Cryptocurrency

In addition to credential theft, the campaign includes tactics that encourage users to deposit cryptocurrency into fake TikTok Shop storefronts. These fake shops advertise heavily discounted items, luring victims with unbeatable deals.

The attackers also impersonate TikTok’s affiliate program, persuading creators to fund fake wallets with cryptocurrency to earn commissions or bonuses that never materialize.

CTM360 Identifies Broader Phishing Activity

Alongside ClickTok, CTM360 also revealed details about CyberHeist Phish, a separate but equally sophisticated phishing campaign. This effort uses Google Ads and a vast network of phishing pages that mimic corporate banking portals to harvest sensitive financial credentials.

“This phishing operation is particularly sophisticated due to its evasive, selective nature and the threat actors’ real-time interaction with the target to collect two-factor authentication on each login stage, beneficiary creation, and fund transfer,” the company said.

Growing Threat Landscape Targets Business and Financial Infrastructure

The report also references the Meta Mirage campaign, another phishing operation aimed at Meta Business Suite users. That campaign relies on fake violation notices and account restriction messages sent through email and direct messages, luring users to malicious login pages hosted on cloud platforms such as GitHub Pages, Firebase, and Netlify.

“This campaign focuses on compromising high-value business assets, including ad accounts, verified brand pages, and administrator-level access within the platform,” CTM360 added.

FinCEN Issues Advisory on Crypto Abuse

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued an advisory urging financial institutions to monitor suspicious activity involving convertible virtual currency kiosks. The agency warned that criminals increasingly exploit these kiosks to move stolen funds.

“Criminals are relentless in their efforts to steal money from victims, and they’ve learned to exploit innovative technologies like CVC kiosks,” said FinCEN Director Andrea Gacki. “The United States is committed to safeguarding the digital asset ecosystem for legitimate businesses and consumers, and financial institutions are a critical partner in that effort.”


About The Author

Arsalan Rathore

Arsalan Rathore is a tech geek who loves to pen down his thoughts and views on VPN, cybersecurity technology innovation, entertainment, and social issues. He likes sharing his thoughts about the emerging tech trends in the market and also loves discussing online privacy issues.
