Facebook sues Chinese ad company over alleged hacking campaign

Facebook accuses two Chinese citizens of hacking people's accounts and using the victims' money to run fraudulent ads.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

Hackers spent at least $4 million from compromised ads accounts on Facebook, according to the company.

Angela Lang/CNET

Facebook filed a lawsuit Wednesday against two Chinese citizens, accusing them of operating a hacking campaign targeting ad accounts on the social network. 

Hackers have increasingly been going after Facebook ad accounts, using their victims' credit cards to promote posts for fraudulent products, or in some cases spreading malware. In November, CNET reported on a case in which hackers tried to spend $10,000 per day using one victim's ads account.  

In Facebook's lawsuit, the tech giant alleges that Chen Xiao Cong, a Chinese software developer, and Huang Tao, a marketing director for the company GuangZhou HongYi Technology, were behind a similar hacking campaign starting in 2016. The lawsuit is also filed against the company ILikeAds, a Hong Kong based advertising business that promoted itself as a "one-stop comprehensive solution to advertisers." 

The two alleged hackers would take over their victims' accounts and use the victims' money to buy ads for fraudulent products like diet pills, male enhancement supplements and counterfeit goods, according to the lawsuit. Facebook said it's paid more than $4 million in reimbursements to victims of these hacks.  

The defendants couldn't be reached for comment. 

According to the lawsuit, Cong developed malware meant for browser extensions, which was then shared on forums and websites. Court documents allegedly show Cong posting on forums and offering to pay people to include the malware in extensions, writing, "We need a lot of US installations." 

Malicious extensions would steal Facebook login information and were designed to disable a victims' account security notifications, according to the lawsuit. The malware also probed victims' accounts to see if they'd run ads in the past, how much they'd paid and what any balance on an accounts was. 

If the hacked Facebook account had run ads, it would likely have a credit card saved on it. The alleged hackers used their victims' money to pay for deceptive ads. 

A Facebook spokesperson said this hacking campaign is different from the one CNET reported on in November, where the ads led to pages with malware designed to steal credit card information. 

Facebook said it's notified hundreds of thousands of people since April that their accounts were compromised. 

Facebook is also accusing the two Chinese citizens of "cloaking," a technique shady advertisers use to disguise links on the social network to avoid triggering its ad reviews process.  

The alleged hackers had spent at least $4 million from Facebook ads accounts between 2016 and 2019, according to the company. 

"To protect Facebook users and disrupt these types of schemes, we will continue our work to detect malicious behavior directed towards our platform and enforce against violations of our Terms and Policies," Facebook's Jessica Romero, director of platform enforcement and litigation, and Rob Leathern, director of product management, said in a statement. "Creating real world consequences for those who deceive users and engage in cloaking schemes is important in maintaining the integrity of our platform."