- NordVPN detected adware campaigns across 50,000 websites
- The malware collects very specific device data to profile and track you
- The adware can detect and bypass ad blockers with domains that change daily
Who doesn’t love a free movie? Unfortunately, a recently disclosed cyber threat proves the old adage to be true: If the product is free, you are the product. NordVPN’s Threat Intelligence team has uncovered a highly sophisticated adware campaign that has successfully infected at least 50,000 active websites, turning the hunt for free content into a cybersecurity minefield.
The campaign specifically targets high-risk corners of the internet, including illegal streaming platforms, torrent portals, underground forums and adult websites.
When a user lands on an infected page, the adware — a type of malware that hides behind online ads — deploys invasive tracking scripts to build a persistent profile of the user’s device, collecting data ranging from their hardware specs to whether they use a crypto wallet.
“If you’re not paying for a product, you’re often the product,” says Marijus Briedis, CTO at NordVPN, explaining that what looks like a free stream or download can quickly become a gateway to tracking, fraud, and malware.
According to NordVPN, the scale of the threat is huge. Every single month, hundreds of thousands of the company’s users encounter infection attempts linked directly to this specific adware kit.
How the adware campaign works
The operation works by loading a hidden JavaScript tag the moment a real person visits an infected website. To ensure maximum profit, the adware uses a fingerprint module to build a persistent visitor ID stored directly on your device, allowing operators to track you without using traditional cookies.
The sheer amount of data collected by this script is staggering. It examines your CPU cores, RAM, operating system and installed plugins.
But it goes further than standard tracking. The adware actively hunts for browser-injected crypto wallet tools like MetaMask, checks for motion signals like accelerometer and gyroscope availability, and even uses favicon checks to find out if you’re logged into YouTube.
This very specific profile is then likely sold to third parties or used to target you with customized scams.
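For defenders reviewing third-party scripts, the combination of signals described above can be turned into a simple static check; the following is an added example, not code from NordVPN's report or from the adware kit. The patterns, weights, threshold and sample scripts are assumptions constructed for illustration.

```javascript
// Added example: static heuristic for the fingerprinting behaviour described above.
// Patterns, weights and threshold are assumptions, not indicators from the report.
const SIGNALS = [
  { name: "cpu-cores",     weight: 1, re: /navigator\s*\.\s*hardwareConcurrency/ },
  { name: "ram",           weight: 1, re: /navigator\s*\.\s*deviceMemory/ },
  { name: "plugins",       weight: 1, re: /navigator\s*\.\s*plugins/ },
  { name: "os",            weight: 1, re: /navigator\s*\.\s*(platform|userAgent)\b/ },
  { name: "persistent-id", weight: 1, re: /localStorage\s*\.\s*setItem|indexedDB\s*\.\s*open/ },
  { name: "crypto-wallet", weight: 3, re: /window\s*\.\s*ethereum|\bisMetaMask\b/ },
  { name: "motion-sensor", weight: 2, re: /\b(DeviceMotionEvent|DeviceOrientationEvent|Accelerometer|Gyroscope)\b/ },
  { name: "favicon-probe", weight: 3, re: /favicon\.ico[\s\S]{0,200}\bon(load|error)\b|\bon(load|error)\b[\s\S]{0,200}favicon\.ico/ },
];
// Signals that ordinary analytics scripts rarely combine.
const RARE = new Set(["crypto-wallet", "motion-sensor", "favicon-probe"]);

function scoreScript(source) {
  const hits = SIGNALS.filter((s) => s.re.test(source));
  const score = hits.reduce((sum, s) => sum + s.weight, 0);
  const rareHits = hits.filter((s) => RARE.has(s.name)).length;
  // Flag only a broad profile: many legitimate scripts read one or two of these.
  const flagged = score >= 6 && rareHits >= 2;
  return { signals: hits.map((s) => s.name), score, flagged };
}

// Constructed samples (not taken from the campaign).
const SAMPLE_PROFILER = `
  var p = { c: navigator.hardwareConcurrency, m: navigator.deviceMemory,
            pl: navigator.plugins.length, os: navigator.platform,
            w: !!(window.ethereum && window.ethereum.isMetaMask),
            g: typeof DeviceMotionEvent !== "undefined" };
  var i = new Image();
  i.src = "https://video.example/favicon.ico";
  i.onload = function () { p.f = true; };
  localStorage.setItem("vid", JSON.stringify(p));
`;
const SAMPLE_ANALYTICS = `
  var ua = navigator.userAgent;
  fetch("/stats?cores=" + navigator.hardwareConcurrency + "&ua=" + encodeURIComponent(ua));
`;
const SAMPLE_WALLET_APP = `
  if (window.ethereum) { window.ethereum.request({ method: "eth_requestAccounts" }); }
`;

for (const [name, src] of Object.entries({ SAMPLE_PROFILER, SAMPLE_ANALYTICS, SAMPLE_WALLET_APP })) {
  console.log(name, JSON.stringify(scoreScript(src)));
}
```

Static matching of this kind misses obfuscated or dynamically built property names, so a clean result is inconclusive rather than proof that a script is harmless.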
“This campaign shows how cybercriminals turn users’ attention, personal data and risky browsing habits into revenue on an industrial scale,” said Briedis.
Perhaps the most alarming aspect of this adware is how aggressively it hijacks your browsing experience.
You don’t even have to click on a display ad to become a victim. Simply clicking on a plain, non-advertising part of the infected web page can trigger a redirect that immediately sends you to phishing campaigns, malware download sites, or push subscription traps.
If you think your current ad blocker is enough to keep you safe, think again. The adware actively detects when filtering protection is running in your browser. If it detects an ad blocker, it switches to a proxy bypass mechanism, called “adblock-proxy-super-secret” by its creators, which generates at least three brand new domains every 24 hours.
This constant shift allows the malware to effortlessly evade default security blocklists. It even hides its malicious behavior if it detects a search engine bot, ensuring that the infected pirate websites look completely harmless to Google.
How to stay safe
To protect your digital life, NordVPN’s CTO Marijus Briedis recommends taking the following precautions:
- Avoid “free” premium content: Stay away from piracy and illegal streaming sites as these environments are hotbeds for adware and phishing.
- Use tracking protection: Using reputable ad and tracking blockers restricts malicious scripts from running in your browser.
- Decline push notifications: If a sketchy website asks for permission to send you messages, decline the request immediately.
- Update your software: Keep your browser and security tools up to date to ensure they can catch the latest malicious scripts and deceptive redirects.



