Facebook is suing a Hong Kong–based company and two Chinese citizens it says used malware to compromise user accounts in order to run millions of dollars of deceptive Facebook ads that often featured celebrities.

The company filed the federal lawsuit Thursday in California against ILikeAd Media International Company, Chen Xiao Cong, and Huang Tao. Facebook alleges that Cong, of Wuhan, Hubei province, China, developed the malware, while Tao, who is based in Guangzhou, Guangdong province, China, was responsible for the “distribution and installation of the malicious extension.”

Rob Leathern, Facebook’s director of product management for business integrity, told BuzzFeed News the lawsuit is a way to “create consequences for these folks outside of shutting down their ad accounts and preventing them from using the platform.”

“This [scheme] has affected folks in multiple countries and is something we began investigating in late 2018,” he said.

The suit follows similar Facebook legal action this year related to ads and malware. In August, it sued two Chinese app makers that allegedly committed ad fraud by programming bots to click on ads on Facebook. And in March it sued two Ukrainians who allegedly used malware to steal user data.

Facebook’s court filing alleges the defendants tricked users into installing their malware by bundling it with other programs. Once installed, the malware compromised a user’s Facebook account. The defendants allegedly used the accounts to run ads that often misused the images of celebrities to sell “counterfeit goods and diet pills.” Facebook’s filing alleges the malware was programmed to detect whether a compromised account was set up to run ads and would then place ads that were “billed to the victim’s ad account.”

A blog post about the suit from Leathern and Jessica Romero, Facebook’s director of platform enforcement and litigation, said the company has “refunded victims whose accounts were used to run unauthorized ads and helped them to secure their accounts.” Facebook said it reimbursed victims more than $4 million.

A report from CNET last month offered a detailed breakdown of what happened when one man's Facebook account was hacked and used to place ads.



In addition to using compromised accounts to run ads, Facebook also alleges the defendants used a process known as “cloaking” to help defeat the company’s ad review process.

“Through cloaking, the defendants deliberately disguised the true destination of the link in the ad by displaying one version of an ad’s landing page to Facebook’s systems and a different version to Facebook users,” said the blog post.

The use of cloaking and celebrity photos in deceptive ads is a huge problem on Facebook that often results in users being tricked into signing up for expensive subscriptions without their knowledge. In October, BuzzFeed News exposed a massive subscription trap operation that used rented Facebook accounts to run more than $50 million worth of deceptive ads since 2016. The ads tricked users into handing over their credit card information for scam offerings of skin cream and erectile dysfunction pills, among other products.

The operation was run by a San Diego–based marketing agency called Ads Inc. The company has since shut down.

Leathern said Facebook is still “considering its legal options” regarding Ads Inc.