Cryptocurrency and financial traders deepfake (Feb 2025)
- Incident date: Feb 2025
- Target: Cryptocurrency and financial traders
A new wave of cyberattacks uses AI-generated deepfake videos featuring a synthetic persona ("Thomas Harris" or "Thomas Roberts") to instruct viewers to execute a PowerShell command. This command downloads a malicious script that deploys either Lumma Stealer (to harvest cryptocurrency wallets and browser credentials) or NetSupport RAT (to grant full system control). The deepfakes use procedural details and mimic authentic TradingView workflows. Attackers used compromised YouTube channels with significant subscriber bases and YouTube's sponsored ad system.