Skip to main content

Ad Platform Scanners

Chainara continuously scans the major paid-ad networks for crypto scams and pushes findings into the threat feed alongside the rest of your intelligence. Scams that show up as advertisements (recovery scams, fake exchanges, deepfake exec impersonations, pig-butchering lures) are typically caught here days before they appear in user reports.

Coverage

Four ad platforms are scanned today, each with a scorer tuned to that platform's specific scam profile:

PlatformSurface scannedCommon scam types found
Meta Ad LibraryFacebook, Instagram, Messenger, Audience NetworkRecovery scams, fake giveaways, pig-butchering lure pages, deepfake celebrity endorsements
Bing AdsMicrosoft Advertising network (Bing search, Edge new tab, MSN)Exchange phishing (e.g. fake MEXC), recovery-scam lead-gen, hijacked-account ads (display URL ≠ destination URL)
Google Ads TransparencyYouTube pre-roll + Google Search adsYouTube deepfake exec impersonation, scam landing pages bought against legitimate brand keywords
LinkedIn AdsLinkedIn sponsored contentRecovery scams targeting professionals, unregistered securities, pig-butchering lures themed around professional networking

How a finding becomes intelligence

Every ad scanner runs the same multi-stage pipeline before publishing anything to the platform:

What this means for you in practice:

  • Findings are pre-filtered. Ads that aren't crypto-related, or that match known-legitimate domains, never reach your feed. False-positive rates are tuned per platform.
  • Findings flow through the same pipeline as everything else. Each detection generates a fraud report (visible in Fraud Intelligence) and a domain alert. Webhooks fire just like any other indicator.
  • Each ad scanner is dedup'd. The same ad is never re-published if it surfaces in multiple campaign sweeps.

What a finding looks like

Detections show up as fraud reports with a source identifying the originating platform (meta_ad_scanner, bing_ad_scanner, google_ads_transparency_scanner, linkedin_ad_scanner). Each report includes:

  • The ad's destination URL and any redirect chain
  • The advertiser identity, where the platform exposes it
  • Extracted wallet addresses if the landing page contains them
  • Creative metadata (image hashes, ad copy, languages targeted)
  • A confidence score and the signals that fired

Like any fraud report, you can filter the Fraud Intelligence feed by source to focus on a single platform, and you can subscribe to webhook deliveries scoped to ad-scanner findings.

Platform-specific notes

Meta Ad Library

The longest-running scanner. Supports keyword exact-phrase matching and page-pivot (find every ad currently active for a Page that has run a confirmed scam). Recovery-scam ads with no external destination (the scam happens via DM after a comment) require ≥0.75 confidence to flag, which prevents noise from legitimate community Pages.

Bing Ads

The scorer looks for hijacked accounts, where the display URL points at a legitimate brand but the actual destination is a phishing domain, alongside the standard signal set. This catches a class of scam common on Microsoft Advertising: fake exchange sign-up pages and recovery-scam landing pages that sit behind brand-impersonating display URLs.

Covers two surfaces: YouTube pre-roll ads and Google Search ads. The scorer includes a deepfake signal that fires when an ad uses an executive's name (Brad Garlinghouse, Vitalik Buterin, etc.) outside a verified channel, a common pattern for video-impersonation scams.

LinkedIn Ads

Tuned for LinkedIn's specific threat profile: the scorer weights recovery scams heavily (LinkedIn is a primary surface for them), along with unregistered securities pitches and executive impersonation targeting professional audiences.

Subscribing to ad-scanner findings

There is no separate subscription for ad scanners. Findings flow through the standard fraud-report and domain-alert pipelines. To route them to a dedicated channel:

  1. Subscribe to the relevant webhook events (indicator_added, takedown_submitted)
  2. Filter on the source field of the delivered payload (e.g. meta_ad_scanner)
  3. Route to a Slack channel, Tines story, or SIEM tag of your choice

See the Integration Guide for the full webhook subscription flow.