Quick Take
OpenAI, Anthropic, Google, and Midjourney do not ship a Mac or Windows installer for ChatGPT, Sora, Claude, Gemini, or Midjourney image generation. Everything runs in your browser at chatgpt.com, sora.com, claude.ai, gemini.google.com, and midjourney.com. The exceptions are narrow: OpenAI's official ChatGPT desktop app (only via the chatgpt.com download link, signed by OpenAI L.L.C.) and Microsoft Copilot in the Microsoft Store. Any Google ad that offers a "Sora download", "ChatGPT 5 installer", "Claude for Mac", or "Midjourney for Windows" is almost certainly a fake site bundling an infostealer like RedLine, LummaC2, AsyncRAT, or the Mac-targeted AMOS family. The payload sweeps your browser cookies, saved passwords, autofill data, and crypto wallet seed phrases. The drain happens days later, not minutes. If you ran one of these, rotate every wallet, reset every password from a clean device, and treat the machine as compromised.
The Tuesday Eric's MetaMask wallet emptied to a Sora installer
Eric is 34, a marketing manager at a mid-size SaaS company in Austin, and he had been waiting for Sora 2 like a kid waits for a movie sequel. He saw a thread on X that morning about Sora 2 being available, opened a new tab on his MacBook Pro, and typed five words. Sora 2 download for Mac.
The first result is the top sponsored ad. The favicon is the OpenAI swirl. The site name reads "OpenAI Sora 2." The URL underneath, in that grey print nobody actually reads, says sora-app-download.com. The ad copy is clean. "Sora 2 for Mac. Generate cinema-grade video from text. Now available." Eric clicks.
The site loads in under a second. The OpenAI logo top left. The Sora video reel running in a hero strip. A big black "Download for Mac" button with the Apple logo on it. Eric clicks. A 240MB DMG starts downloading. While he waits he reads the page. There is a fake security badge from "Norton Verified." There is a fake review widget showing 4.8 stars from 12,400 users. There is a "What's New in Sora 2" changelog that reads exactly like an OpenAI release post. The whole thing is pixel perfect.
The DMG lands. Eric opens it. Inside is what looks like the standard Mac installer pattern. A Sora.app icon on the left, an Applications folder shortcut on the right, an arrow between them. He drags Sora.app into Applications. The installer launches automatically. A clean window pops up with the OpenAI logo and a progress bar. "Verifying installation with OpenAI servers." The bar fills in five seconds. "Configuring video generation engine." Another five seconds. "Almost ready."
Then the app opens. It looks exactly like sora.com. The familiar dark interface, the prompt box at the bottom, the example videos in the gallery. Eric types a prompt. "Cinematic drone shot of a coastal cliff at sunset." He hits generate. A spinner runs for about ten seconds, then a popup. "Sign in to your OpenAI account to generate video." He clicks Sign In. The page that loads is the real chat.openai.com login. He puts in his credentials. They do not work. He tries again. Still not working. He gives up, closes the app, mutters about Sora 2 being buggy on launch day, and goes back to work.
That visible app was just an iframe of the real sora.com that he was never going to be able to sign into. The actual work happened in the background while the friendly progress bar played.
For three days, nothing happens.
What did happen, in the four seconds that "Verifying with OpenAI" was running on screen, is this. A Mach-O binary called Updater extracted itself into ~/Library/Application Support/SoraHelper/. A LaunchAgent plist installed itself in ~/Library/LaunchAgents/ so the binary would run on every login. The binary scanned the Keychain for entries with names containing "wallet", "seed", "metamask", "trust", "coinbase", "kraken", "ledger", "trezor", "ronin", "phantom", and roughly sixty other crypto-related strings. It dumped Chrome cookies from ~/Library/Application Support/Google/Chrome/Default/Cookies. It dumped Brave cookies. It dumped Edge cookies. It dumped Safari's Login Items. It exfiltrated all of this to a command-and-control server in a single HTTPS POST and then sat quiet.
On the third day, at 4:12 AM Central, Eric's Gmail received a password reset email he did not request. The login attempt came from a German IP. Gmail blocked it because the 2FA code it asked for was never entered. Forty minutes later, his Coinbase account got an unauthorized withdrawal request for $4,800 in ETH to an address he had never seen. Coinbase held the withdrawal for 48-hour review because the destination was new. At 4:51 AM, his MetaMask wallet drained completely. Three NFTs and the $2,300 in USDC that he kept there for gas were swept in the same transaction.
Eric woke at 6:15 AM, checked his phone, and stared at the Coinbase email for about a minute before he understood what he was reading. He had not connected MetaMask to anything in two weeks. He had not signed any transactions. He had not clicked any links. None of the standard phishing stories fit.
The MetaMask drain happened because the seed phrase was in his Keychain, and the Keychain is what the Sora installer swept on Tuesday afternoon.
Why fake AI tool downloads are now the top initial-access vector
Three things made this attack the lead story of late 2024 and all of 2025. First, every new OpenAI, Anthropic, and Google product launch creates a search spike of millions of "download" queries before the product is available, before journalists explain it, before anyone confirms whether a desktop app exists at all. Sora alpha, Sora 2, GPT-5, Claude 3.5 Sonnet, Claude 3.7, Gemini 2.0, Gemini 2.5, Midjourney v6 and v7. Each launch is a fresh harvest window of six to eight weeks where the scam ads can outbid the legitimate AI companies who in many cases do not even run ads on these queries.
Second, infostealers are now sold as a service. RedLine, LummaC2, AsyncRAT on Windows, AMOS (Atomic macOS Stealer) and Banshee on macOS. The malware-as-a-service operators sell access for a few hundred dollars per month, hand the customer a builder, and let them wrap the payload in whatever theme is hot that week. The Sora installer Eric ran was the same LummaC2 build that another crew was distributing four months earlier as a fake Cursor IDE installer.
Third, the payload format has been optimized to look like every legitimate Mac DMG and Windows installer you have ever opened. Real Apple-style drag-to-Applications layout. Real-looking progress bars. Real-looking "Verifying with vendor" copy. Some campaigns even ship with valid code-signing certificates bought from cheap CAs or stolen from breached signing keys so the macOS Gatekeeper warning never appears. The cosmetic legitimacy of these installers in 2024 and 2025 is a step up from anything that existed in 2023.
The economics are brutal. The crew running the ad pays maybe $3 to $6 per click. A single successful crypto drain on one in three hundred installs can return $4,000 to $40,000 depending on the victim. The math beats almost every other phishing scheme that has ever existed.
The infostealer ecosystem behind the fake installer
The "Sora installer" or "ChatGPT for Mac" you downloaded is one of a small set of known malware families. Each has been documented in depth by security vendors in 2024 and 2025. Recognizing the name is not what matters. Recognizing the category is.
- RedLine Stealer (Windows). Active since 2020. Sweeps browser passwords, cookies, autofill, FTP credentials, Discord tokens, Steam tokens, Telegram sessions, and crypto wallet extension data (MetaMask, Phantom, Trust, Ronin, Exodus, Atomic). Sold for around $150 per month on underground forums. SentinelOne documented 2024 campaigns where RedLine was wrapped as fake AI tool installers and distributed via sponsored Google ads.
- LummaC2 (Windows, also Mac variants). Rose to dominance through 2024. Cisco Talos and SentinelOne both flagged LummaC2 as one of the top three infostealers of the year. Targets browser data, crypto wallets, two-factor authentication backups, and recently added the ability to dump Microsoft Outlook profile data. The fake AI installer wrapper is one of its top three distribution methods in 2024-2025 telemetry.
- AsyncRAT (Windows). Open-source remote access trojan that gives the operator full keyboard, mouse, and screen control of the compromised machine. Often paired with a stealer for the initial sweep, with AsyncRAT staying resident for ongoing access. Used in multiple 2024 campaigns documented by Cisco Talos targeting users of "AI productivity tools."
- NetSupport RAT (Windows). Originally a legitimate remote support tool, abused for years as a backdoor. 2024 campaigns documented by eSentire and Mandiant used fake "ChatGPT integration" pages to drop NetSupport. The visible window after installation often shows a real ChatGPT iframe so the victim does not suspect anything.
- AMOS / Atomic Stealer (macOS). The dominant Mac infostealer of 2024 and 2025. Mandiant and Malwarebytes Labs both documented sharp growth in AMOS activity through the year, with fake DMG installers themed as ChatGPT, Sora, Notion AI, Loom AI, and Figma AI as the primary delivery vector. AMOS targets browser data, Keychain entries, crypto wallet extension and app data, and Apple Notes. It is what almost certainly ran on Eric's MacBook.
- Banshee Stealer (macOS). Newer Mac stealer that emerged through 2024. Lower cost than AMOS so favored by smaller crews. Same target set: Keychain, browser cookies, crypto wallet apps. Documented by Elastic Security Labs in late 2024.
ESET's H2 2024 Threat Report ranked infostealers as one of the fastest-growing malware categories of the year, with sponsored-link distribution flagged as a primary access method across both Windows and Mac. The fake AI tool installer specifically was called out in the report as a defining theme of the second half of 2024.
The real distribution model: how OpenAI, Anthropic, Google, and Midjourney actually ship
This is the single most important section in this guide. Memorize it. The reason fake AI tool installers work is that most users do not know how the real products are distributed.
OpenAI ChatGPT and Sora. Browser-only by default. You access ChatGPT at chatgpt.com and Sora at sora.com, signed in with your OpenAI account. OpenAI does ship an official ChatGPT desktop app for macOS and Windows, but the download link is only on chatgpt.com itself (look for the small Download for Mac / Download for Windows link in the OpenAI footer or settings panel), and the installer is signed by OpenAI L.L.C. The Mac App Store also lists the official ChatGPT app under the developer OpenAI L.L.C. There is no separate "Sora app" download. Sora runs only in the browser at sora.com.
Anthropic Claude. Browser-only at claude.ai. Anthropic does ship a Claude desktop app for macOS and Windows, with the download link on claude.ai itself, signed by Anthropic PBC. The Mac App Store lists it under Anthropic PBC. There is no third-party "Claude installer" from any other developer.
Google Gemini. Browser-only at gemini.google.com. Also available inside Google Workspace apps and the Google app on iOS and Android. There is no separate Gemini desktop installer for Mac or Windows. Anyone telling you to "download Gemini for Mac" is selling you something else.
Midjourney. Browser-only at midjourney.com (the new web app) and via the Midjourney Discord bot. There is no Midjourney installer for Mac or Windows. The image generation runs entirely on Midjourney's servers, rendered to your browser.
Microsoft Copilot. Web at copilot.microsoft.com. Native integration in Windows 11 and 365 apps. The standalone Copilot app for Windows comes only from the Microsoft Store. There is no third-party "Copilot installer" download.
Notice the pattern. Every single AI product on this list is browser-first. The handful of legitimate desktop apps come exclusively from the vendor's own domain or the Microsoft Store or Mac App Store. There is no scenario where you should be downloading an AI tool installer from a site you reached through a sponsored Google ad.
The red flags before you click any "AI tool download" link
If the page you are about to download from shows any two of these signals, close the tab. The whole list is illustrative of the pattern, not a complete blocklist.
- The URL has hyphens or extra words. sora-app-download.com, chatgpt-for-mac.com, claude-ai-download.net, gemini-installer.co, midjourney-app.shop. The real domains are sora.com, chatgpt.com, claude.ai, gemini.google.com, midjourney.com. Hyphens and suffixes are the cheapest tell in the game.
- The TLD is wrong. .help, .shop, .co, .net, .download, .app on what should be a major brand .com. The real OpenAI never uses .help. The real Anthropic never uses .shop.
- The site offers a download for a tool that has no real installer. Sora, Midjourney, and Gemini have no Mac or Windows installer at all. Any site offering one is fake by definition.
- The site has a fake security badge. Norton Verified, McAfee Secure, TrustPilot 4.8 stars. These badges are images, not real verifications, and the real Norton or McAfee badges link back to a verifier page. Click any of the fake ones and they go nowhere.
- The page asks you to disable Gatekeeper or SmartScreen. "To install Sora, you may need to right-click and choose Open, then click Open Anyway in the warning." The real OpenAI installer is fully signed and notarized. It does not need this dance.
- The installer is a DMG or EXE bundled with extra "helper" or "updater" components. Real apps install one app. Fake installers drop an Updater, a Helper, a Service binary, sometimes a LaunchAgent or LaunchDaemon. Look at Activity Monitor (Mac) or Task Manager (Windows) right after install. If you see something running under a name you did not install, you are compromised.
- The visible app does nothing or just loads the real site in a window. The Sora installer Eric ran wrapped the real sora.com inside an Electron iframe. Sign-in did not work because there was no integration. This is the most common pattern in 2024-2025 fake AI installer campaigns.
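As an added illustration of the hyphen-and-TLD tell in the first two bullets (example code, not SafeBrowz's detection logic): a small Python checker that allowlists the real domains this page lists and flags any hostname that carries a vendor brand word but sits under some other registrable domain. The brand-token list and the two-label registrable-domain shortcut are my assumptions.

```python
"""Lookalike-hostname check for the AI-vendor domains discussed on this page.

Added example, not SafeBrowz code. REAL_DOMAINS comes from the page's own list
of real URLs; BRAND_TOKENS is an assumption of this example.
"""
from urllib.parse import urlsplit

# Registrable domains the page names as the real homes of each product.
REAL_DOMAINS = {
    "chatgpt.com", "openai.com", "sora.com", "claude.ai", "anthropic.com",
    "google.com", "midjourney.com", "microsoft.com",
}

# Brand words an impersonator is likely to put somewhere in a lookalike host.
# Substring matching is deliberately coarse: it errs toward flagging.
BRAND_TOKENS = ("chatgpt", "openai", "sora", "claude", "anthropic",
                "gemini", "midjourney", "copilot")


def hostname_of(url_or_host: str) -> str:
    """Accept a bare hostname or a full URL; return a lowercase hostname."""
    text = url_or_host.strip().lower()
    if "://" not in text:
        text = "//" + text          # urlsplit needs a scheme-relative form
    host = urlsplit(text).hostname or ""
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Enough for the .com/.ai/.net cases on this
    page; a real deployment should consult the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url_or_host: str) -> str:
    """Return 'legit', 'lookalike' or 'unknown'.

    legit     - registrable domain is one of the real vendor domains
    lookalike - a brand token appears in the host but the registrable domain is
                not a real one: hyphen suffixes, TLD swaps, brand-as-subdomain
    unknown   - no brand token at all, so not an impersonation of these vendors
    """
    host = hostname_of(url_or_host)
    if not host:
        return "unknown"
    if registrable_domain(host) in REAL_DOMAINS:
        return "legit"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples: the page's examples plus a brand-as-subdomain case.
    for sample in ("https://sora.com/", "chat.openai.com", "gemini.google.com",
                   "sora-app-download.com", "chatgpt-for-mac.com",
                   "claude-ai-download.net", "gemini-installer.co",
                   "midjourney-app.shop", "openai.com.evil-cdn.net",
                   "example.org"):
        print(f"{sample:28} -> {classify(sample)}")
```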
The real URLs for every tool, no exceptions
Bookmark these once and never go through Google search for them again. The browser URL bar is the single safest entry point for any AI tool.
- ChatGPT: chatgpt.com (also chat.openai.com)
- Sora: sora.com
- Claude: claude.ai
- Gemini: gemini.google.com
- Midjourney: midjourney.com
- Microsoft Copilot: copilot.microsoft.com
- Perplexity: perplexity.ai
- Grok (X): grok.com or accessed inside x.com
- OpenAI account dashboard: platform.openai.com
- Anthropic Console: console.anthropic.com
The only desktop apps that exist for any of these are the official ChatGPT desktop app (from chatgpt.com or the Mac App Store), the official Claude desktop app (from claude.ai or the Mac App Store), and the Microsoft Copilot app (from the Microsoft Store). Everything else is a browser tab. There is no Sora installer. There is no Gemini installer. There is no Midjourney installer. There is no legitimate Perplexity installer for Mac or Windows reached through a Google ad.
What the 2024 and 2025 reports actually say
This is not a one-off. The latest vendor and government reports show fake AI tool installer campaigns growing through 2024 and into 2025.
- Google Ads Safety Report 2024 (published April 2025): Google blocked or removed 5.5 billion ads for policy violations in 2024 and suspended more than 39 million advertiser accounts, a sharp jump from the 2023 number. Trademark abuse, deceptive content, and malware-distribution categories were specifically called out as the largest enforcement growth areas of the year. The report noted heavy enforcement against sponsored links impersonating major software brands.
- ESET Threat Report H2 2024: Infostealers were ranked as one of the fastest-growing malware categories of the second half of the year. The report flagged AMOS for macOS as the dominant Mac infostealer family, with quarter-over-quarter growth through 2024 driven heavily by fake AI tool installer distribution.
- SentinelOne Labs 2024: Published multiple in-depth analyses of LummaC2 and RedLine campaigns through the year, including campaigns that wrapped both stealers as fake ChatGPT and Midjourney installers distributed through sponsored Google ads.
- Cisco Talos 2024: Documented multiple campaigns where AsyncRAT, NetSupport, and LummaC2 were distributed via fake "AI productivity tool" landing pages, including fake Claude, Notion AI, and ChatGPT installer themes.
- Malwarebytes Labs 2024: Multiple writeups through the year documenting fake ChatGPT and Midjourney download campaigns. The Labs team described sponsored-link malware distribution as one of the year's most consistent threat patterns.
- Bitdefender Labs 2024: Q4 writeups specifically covered fake Sora installer campaigns that emerged within weeks of OpenAI's Sora launch announcements, distributed via sponsored Google search ads.
- Mandiant 2024: Published research on growing Mac infostealer campaigns, with AMOS specifically documented as a top family for the year. The fake AI tool installer wrapper was called out as a major delivery method.
- FBI Internet Crime Report 2024 (IC3, April 2025): Reported losses reached $16.6 billion across all internet-enabled crimes, up 33 percent from 2023. Crypto-related losses alone hit $9.3 billion. Phishing and malware-based compromise of personal devices were among the top initial-access vectors.
One number to remember: $9.3 billion in crypto-related losses reported to the FBI for 2024 alone. A meaningful slice of that started with a fake software installer downloaded from a sponsored Google ad.
What to do if you already ran a fake AI installer
If anything in Eric's story sounded familiar, act fast. The drain happens days after the install, not minutes. You have a window. Use it. The order matters.
- Treat the machine as compromised. Stop signing into anything sensitive from that device. No banking, no crypto exchanges, no email, no work accounts. Move to a clean second device (a phone, a partner's laptop, a tablet) for the recovery steps below.
- Rotate every crypto wallet seed phrase immediately. If the seed phrase was ever stored in the Keychain, in a password manager, in a text file, in a screenshot, or in any browser-accessible location, treat it as compromised. Generate a new wallet on a clean device or hardware wallet (Ledger, Trezor) and move every token to the new address before the attacker drains it. See our guide on what to do if your crypto seed phrase is stolen for the step-by-step.
- Reset every password from the clean device. Start with email (Gmail, Outlook, iCloud), then crypto exchanges (Coinbase, Kraken, Binance), then banks, then social (X, Facebook, LinkedIn), then everything else. Sign out all sessions on every account. Re-enroll two-factor authentication on a fresh authenticator app, not the one on the compromised device.
- Revoke active sessions and tokens. Most major platforms have a "sign out all devices" or "active sessions" page. Use it on every account. Especially Google, Apple, Microsoft, Discord, Telegram, and any crypto exchange.
- Run a full malware scan from the clean device. Mac: Malwarebytes for Mac plus Objective-See's free utilities (BlockBlock, KnockKnock) can surface the LaunchAgent or LaunchDaemon the stealer dropped. Windows: Malwarebytes Premium plus a Windows Defender full scan. For a definitive cleanup, the only safe option is a full OS reinstall after backing up data only (not apps).
- Check email forwarding rules. Stealers often add a hidden Gmail or Outlook forwarding rule so the attacker sees future password reset emails. Go to Gmail settings, Forwarding and POP/IMAP, and verify no forwarding address is set. Same in Outlook.
- File reports. FTC at reportfraud.ftc.gov. FBI Internet Crime Complaint Center at ic3.gov. If a crypto exchange withdrawal happened, file with that exchange's fraud team and request a transaction trace. Some exchanges can freeze funds if reported within minutes.
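The LaunchAgent in Eric's story is the kind of entry the scan step above is meant to surface. As an added example (not SafeBrowz or vendor code), here is a Python triage of LaunchAgent plists that flags programs living in data or temp directories and labels that borrow a vendor name without pointing into /Applications; both plists are constructed, and the SoraHelper/Updater path is the one the story gives.

```python
"""Triage of ~/Library/LaunchAgents plists, the persistence step in Eric's story.
Added example, not SafeBrowz or vendor code. Both sample plists are constructed.
"""
import plistlib
from pathlib import Path

# Paths a legitimate vendor launch agent rarely points to: app data and temp dirs.
SUSPECT_PARENTS = ("/Library/Application Support/", "/tmp/", "/private/tmp/",
                   "/var/folders/")
# Vendor words a fake installer borrows for its Label so the entry looks official.
BRAND_TOKENS = ("openai", "chatgpt", "sora", "anthropic", "claude", "gemini",
                "midjourney", "copilot")


def parse_launch_agent(plist_bytes: bytes) -> dict:
    """Pull the fields a triage cares about out of a LaunchAgent plist."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    return {
        "label": str(data.get("Label", "")),
        "program": str(program),
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
    }


def triage(entry: dict) -> list[str]:
    """Reasons this entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    program, label = entry["program"], entry["label"].lower()
    if not program:
        reasons.append("no Program or ProgramArguments")
    elif any(parent in program for parent in SUSPECT_PARENTS):
        reasons.append(f"program lives in a data or temp directory: {program}")
    # Assumption of this example: a genuine vendor agent points into an app
    # bundle under /Applications, not at a loose binary somewhere else.
    if any(t in label for t in BRAND_TOKENS) and not program.startswith("/Applications/"):
        reasons.append(f"label '{entry['label']}' claims a vendor but program is outside /Applications")
    if reasons:  # persistence flags only matter once something else looks wrong
        if entry["run_at_load"]:
            reasons.append("runs at every login (RunAtLoad)")
        if entry["keep_alive"]:
            reasons.append("relaunches itself if killed (KeepAlive)")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Map each flagged plist filename in `directory` to its triage reasons."""
    findings = {}
    for plist_path in sorted(directory.glob("*.plist")):
        reasons = triage(parse_launch_agent(plist_path.read_bytes()))
        if reasons:
            findings[plist_path.name] = reasons
    return findings


# Constructed sample: what the story's SoraHelper persistence could look like.
SAMPLE_SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.openai.sora.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/eric/Library/Application Support/SoraHelper/Updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample of an ordinary agent that should not be flagged.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupsync</string>
  <key>Program</key><string>/Applications/BackupSync.app/Contents/MacOS/backupsync</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, triage(parse_launch_agent(raw)) or "nothing odd")
```

On a Mac, point scan_launch_agents() at Path.home() / "Library/LaunchAgents" to run it over your own entries.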
How to report the fake Google ad
Whether you spotted the fake ad before or after you were caught, report it. Each report shortens the window for the next victim.
- Click the three-dot menu on the ad in Google search results. Choose "Report this ad" and then "It's misleading" or "It seems unsafe." This goes directly to Google's ad safety team.
- Forward the URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/. This adds the URL to the global blocklist used by Chrome, Firefox, and Safari.
- Report to FTC at reportfraud.ftc.gov.
- File at FBI IC3 at ic3.gov. Especially important if money was lost.
- Forward to APWG (Anti-Phishing Working Group) at reportphishing@apwg.org.
- If the fake site is impersonating OpenAI, Anthropic, Google, or Microsoft, file an abuse report directly with the brand. OpenAI: trust@openai.com. Anthropic: security@anthropic.com. Google: g.co/abuse. Microsoft: cert.microsoft.com.
Last updated 2026-05-30
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1, Local detection: 60+ URL patterns and 550+ brand-specific signatures run directly in your browser. This is the layer that catches sora-app-download.com, chatgpt-for-mac.com, claude-ai-download.net, and the other hyphen-and-TLD-swap variants at click time, before the DMG or EXE ever downloads. OpenAI, Anthropic, Google, Microsoft, and Midjourney are all in the brand database, with the hyphen-suffix and wrong-TLD lookalike patterns matched against the real chatgpt.com, sora.com, claude.ai, gemini.google.com, copilot.microsoft.com, and midjourney.com domains.
- Layer 2, API checks: Google Safe Browsing, PhishTank, and URLhaus cross-references run server-side. Catches known malicious domains the moment they are reported anywhere in the world, including the throwaway lookalike domains that get burned and replaced every few hours during a fresh AI launch.
- Layer 3, AI deep scan (Premium): Content analysis flags brand-new lookalike pages that no blocklist has seen yet. The fake Sora landing page that went live two hours ago, the new chatgpt-installer.shop clone that has not been reported anywhere, the fresh midjourney-app-download.co. Works in over 100 languages.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Block fake AI tool download sites before the DMG hits your disk
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake OpenAI, Anthropic, Google, Microsoft, and Midjourney lookalike sites before they load. 550+ brands in the database including all major AI vendors, exchanges, and wallets. AI content analysis catches brand-new lookalikes in over 100 languages. Free forever, no account needed. Check any URL first at the free URL safety checker.
FAQ
Is there a real ChatGPT app for Mac or Windows?
Yes, but only one path. OpenAI ships an official ChatGPT desktop app for macOS and Windows. The download link lives on chatgpt.com itself, and the Mac App Store lists the same app under the developer OpenAI L.L.C. The installer is signed by OpenAI L.L.C. Any other "ChatGPT for Mac" or "ChatGPT installer" download from any other site is fake. There is no separate Sora app, no separate GPT-5 installer, no "ChatGPT Pro download". All of those are scam ad variants.
Is there a Sora app I can download?
No. Sora runs only in your browser at sora.com, signed in with your OpenAI account. There is no Sora desktop app for Mac, Windows, or Linux. Any site offering a "Sora download" or "Sora for Mac" is fake by definition. If you ran one of these, treat your machine as compromised and follow the recovery steps in this guide.
Is there a Claude app for Mac or Windows?
Yes. Anthropic ships an official Claude desktop app for macOS and Windows. The download link is on claude.ai itself, and the Mac App Store lists it under Anthropic PBC. Any "Claude installer" from any other domain is fake. The same applies to "Claude 3.5 Sonnet download" or "Claude 3.7 download" ads. Those products run only in the browser or in the official desktop app from claude.ai.
What is RedLine Stealer and how does it end up on my machine?
RedLine is a Windows infostealer sold as a service on underground forums since 2020. It sweeps saved passwords, browser cookies, autofill data, crypto wallet extension data, Discord and Steam tokens, FTP credentials, and screenshots. It usually arrives wrapped inside a fake software installer (cracked games, fake AI tools, fake productivity apps) distributed via sponsored Google ads, YouTube comment links, or malicious download sites. SentinelOne and Cisco Talos both published 2024 analyses showing RedLine as one of the most distributed infostealer families of the year.
What is AMOS Stealer and why does it matter for Mac users?
AMOS, also called Atomic macOS Stealer, is the dominant Mac infostealer family of 2024 and 2025. Documented by Mandiant, Malwarebytes Labs, and others, it targets the macOS Keychain (where many users store crypto wallet seed phrases, exchange passwords, and SSH keys), browser cookies, browser saved passwords, and crypto wallet apps and extensions. It is distributed primarily through fake DMG installers themed as ChatGPT, Sora, Notion AI, Loom AI, Figma AI, and similar productivity tools. It is what almost certainly ran in our story.
If I think I ran a fake AI installer, what is the single most important first step?
Move to a clean second device immediately and rotate every crypto wallet seed phrase from there. The MetaMask, Phantom, Trust, and other browser-extension wallets are the highest-value target. Generate a new wallet on a clean device or, ideally, on a hardware wallet (Ledger, Trezor), and transfer every token to the new address before the attacker drains it. Once the seed phrase is rotated, work through password resets, session revocations, and a full malware scan. The first hour matters. After 24 hours, the recovery odds drop sharply.