Hundreds of thousands at risk as Nord VPN uncovers sophisticated adware campaign hidden in 50,000 pirate sites | Tech Radar
Overview
News, deals, reviews, guides and more on the newest computing gadgets
Start exploring exclusive deals, expert advice and more
Details
Unlock and manage exclusive Techradar member rewards.
Unlock instant access to exclusive member features.
Get full access to premium articles, exclusive features and a growing list of member rewards.
Hundreds of thousands at risk as Nord VPN uncovers sophisticated adware campaign hidden in 50,000 pirate sites
A highly sophisticated adtech operation is tracking users, stealing device data, and pushing malware on illegal streaming and torrent sites
When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.
Nord VPN discovered adware campaign operating across 50,000 websites
The malware collects highly specific device data to profile and track you
The adware can detect and bypass ad blockers with domains that change daily
Who doesn't love a free movie? Unfortunately, a recently uncovered cyber threat is proving the old adage true: if the product is free, you are the product. Nord VPN’s Threat Intelligence team has exposed a highly sophisticated adware campaign that has successfully infected at least 50,000 active websites, turning the hunt for free content into a cybersecurity minefield.
The campaign is specifically targeting high-risk corners of the internet, including illegal streaming platforms, torrent portals, underground forums, and adult websites.
Once a user lands on an infected page, the adware — a type of malware that hides behind online ads — deploys invasive tracking scripts to build a persistent profile of the user's device, harvesting data that ranges from their hardware specs to whether they use a crypto wallet.
"If you’re not paying for a product, you are often the product," says Marijus Briedis, CTO at Nord VPN, explaining that what looks like a free stream or download can quickly become a gateway to tracking, scams, and malware.
According to Nord VPN, the scale of the threat is immense. Every single month, hundreds of thousands of the company's users encounter infection attempts tied directly to this specific adware kit.
This legit-looking software is actually antivirus-killing adware
Android users beware — this huge fraud scam campaign hit millions of victims around the world
Huge hacking campaign uses spoofed Ghidra, dn Spy, and Spider Foot security tools to harvest ad revenue and serve malware
The operation works by loading a hidden Java Script tag the moment a real person visits an infected website. To ensure maximum profit, the adware utilizes a fingerprinting module to build a persistent visitor ID stored directly on your device, allowing operators to track you even without using traditional cookies.
The sheer volume of data collected by this script is staggering. It scopes out your CPU cores, RAM, operating system, and installed plugins.
But it goes further than standard tracking. The adware actively hunts for browser-injected crypto wallet tools like Meta Mask, checks for motion signals like accelerometer and gyroscope availability, and even uses favicon checks to figure out if you are logged into You Tube.
This highly specific profile is then likely sold to third parties or used to target you with customized scams.
"This campaign shows how cybercriminals turn user attention, personal data, and risky browsing habits into revenue at industrial scale," said Briedis.
Experts warn hackers are hiding malware inside Google's own ad systems — here's what we know
Popular free VPN, streaming apps bombard business networks with 'laundered' traffic
Looking for a job at Meta, Disney, and Spotify? It could be a scam, Nord VPN warns
Perhaps the most alarming aspect of this adware is how aggressively it hijacks your browsing experience.
If you think your current ad blocker is enough to keep you safe, think again. The adware actively detects when filtering protections are running in your browser. If it spots an ad blocker, it switches to a proxy bypass mechanism, dubbed "adblock-proxy-super-secret" by its creators, which generates at least three brand new domains every 24 hours.
This constant shifting allows the malware to effortlessly dodge standard security blocklists. It even hides its malicious behavior if it detects a search engine bot, ensuring the infected pirate sites look completely harmless to Google.
To protect your digital life, Nord VPN's CTO Marijus Briedis recommends taking the following precautions:
Avoid "free" premium content: Stay away from piracy and illegal streaming sites, as these environments are hotbeds for adware and phishing.
Use tracker protections: Employing reputable ad and tracker blockers limits malicious scripts from executing in your browser.
Reject push notifications: If a sketchy website asks for permission to send you notifications, deny the request immediately.
Update your software: Keep your browser and security tools up to date to ensure they can catch the latest malicious scripts and deceptive redirects.
Rene Millman is a seasoned technology journalist whose work has appeared in The Guardian, the Financial Times, Computer Weekly, and IT Pro. With over two decades of experience as a reporter and editor, he specializes in making complex topics like cybersecurity, VPNs, and enterprise software accessible and engaging.
You must confirm your public display name before commenting
1 Hundreds of thousands at risk as Nord VPN uncovers sophisticated adware campaign hidden in 50,000 pirate sites
2 Brazil fans, there's no need to settle for ITV's low res coverage of World Cup 2026 – try Brazil vs Japan in glorious 4K instead, and with the commentary in Portuguese!
3A classic piece of tech is becoming redundant: BBC waves bye-bye to its Long Wave broadcasts
4 Enhance your cloud backup with p Cloud Lifetime plans, which are currently up to 70% off for 4th of July — get up to 10TB of secure storage with free Zero-Knowledge encryption
5 The Steam Machine is overpriced yet it's sold out already in Japan — but be careful about buying a cheap clone
Tech Radar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.
Key Takeaways
- News, deals, reviews, guides and more on the newest computing gadgets
- Start exploring exclusive deals, expert advice and more
- Unlock and manage exclusive Techradar member rewards
- Unlock instant access to exclusive member features
- Get full access to premium articles, exclusive features and a growing list of member rewards



