The FBI Warned About Fake PDF Converters. Here's Exactly How the Scam Works
Published 9 July 2026 · 8 min read
In March 2025, the FBI's Denver field office put out something you don't see very often: a public warning specifically about file converter websites. Not phishing emails, not fake shopping sites — the ordinary, everyday "convert my Word doc to PDF" tools that millions of people use without a second thought. The advisory described sites that looked completely normal, actually performed the conversion you asked for, and quietly installed malware on your computer at the same time.
This isn't a hypothetical "online tools can be risky" thought experiment. It's a specific, documented pattern that security researchers have since traced in detail, with real malware families, real fake domains, and a real technique for telling the difference. This piece walks through what's actually been found, and how to check any tool for yourself before you trust it with a file.
What the FBI actually said
The advisory identified three distinct methods these sites use. Sometimes the "converter" you download to run locally is the malware itself, dressed up as a legitimate desktop tool. Sometimes the site prompts you to install a browser extension to "enable" the conversion, and the extension is the payload. And sometimes the conversion genuinely works — you get back a real, functional PDF — except it has something embedded inside it that activates when you open it later. The FBI specifically flagged ransomware as one of the outcomes, alongside browser hijackers, adware, and credential-stealing malware capable of harvesting Social Security numbers, banking logins, cryptocurrency wallets, passwords, and even session tokens that let attackers bypass multi-factor authentication entirely.
The most common bait, according to the advisory, is exactly the kind of everyday task that makes people let their guard down: converting a Word document to PDF, or the reverse, or combining a few photos into one PDF file.
A real, documented example
Security researchers at CloudSEK later published a detailed technical breakdown of one such campaign, built entirely around impersonating a real, popular PDF conversion service called PDFCandy. The fake sites — running on lookalike domains, not the real pdfcandy.com — displayed a fake processing animation and an unusual CAPTCHA step, purely to build trust and make the moment feel routine. That CAPTCHA step ended by getting the visitor to copy and run a PowerShell command.
That single command was the entire attack. It pulled down a file disguised as "adobe.zip" through a chain of shortened links, which unpacked into an executable that launched legitimate-looking Windows processes to quietly install a credential-stealing program called ArechClient2, a variant of a known info-stealer family called SectopRAT. Once running, it was built specifically to pull saved browser logins and cryptocurrency wallet data off the infected machine.
None of that required a sophisticated hack. It required a visitor trusting a website that looked close enough to a real one, at a moment when copying and pasting a command into PowerShell felt like a normal part of "converting a file."
The one red flag that matters most
Strip away the specifics and there's a single, reliable signal running through basically every case researchers have documented: legitimate file conversion, whether it happens on a server or right in your browser, never requires you to download an installer, add a browser extension, or run a command yourself. The moment a "PDF converter" asks you to do any of those three things, it has already stopped being a converter and started being something else.
This is worth remembering precisely because it cuts against instinct. A site that asks you to install something can feel more official, not less — like it's a "real program" rather than a website. That instinct is exactly what these campaigns are built to use.
How this is structurally different from the privacy trade-off we usually write about
Most of what we cover on this blog is about legitimate tools that process your file on a real server, which raises a privacy question worth thinking about — not a malware one. That's a genuinely different, much lower-stakes category than what's described here. The tools in the FBI's warning aren't reputable services making an ordinary architectural choice; they're built specifically to deceive.
FormatDog's tools don't fall into either the malicious category above, or the "your file goes to our server" category we write about elsewhere on this blog — they're built entirely as JavaScript and WebAssembly running in your browser tab, with no installer, no browser extension, and no separate program to run. That's not a claim you have to take on faith: it's exactly what the verification steps below are for.
How to actually check, on any converter, in under a minute
You don't need security training to catch most of what's described above. A few concrete checks:
- Check the URL character by character. The CloudSEK case relied on domains that merely resembled the real service. If you meant to visit a specific tool, type its address directly rather than clicking a search result or an ad.
- Never run a command a website tells you to paste into PowerShell, Terminal, or "Run." There is no legitimate reason a file conversion website needs you to execute a command manually. None. This single rule alone would have stopped the PDFCandy impersonation attack outright.
- Be suspicious of any install prompt. A genuine browser-based tool doesn't need a downloaded app or a browser extension to convert a file. If one is requested, that's the point where CISA and multiple security researchers say to stop.
- Check the network traffic yourself. Open developer tools (F12), click the Network tab, and run the conversion. You're looking for anything unusual, not just whether your file uploads — a legitimate tool making one clean request behaves very differently from a page trying to redirect you into downloading an executable.
The takeaway
This isn't a reason to distrust every free conversion tool, including the many legitimate ones that upload your file to a real server and handle it responsibly. It's a reason to take the FBI's specific, dated warning seriously: a meaningful share of "PDF converter" results in a search engine aren't converters at all, and the difference usually comes down to one moment — being asked to install, run, or download something you didn't go looking for. Catch that moment, and you catch essentially everything described here.
Sources
- Malwarebytes: "Warning over free online file converters that actually install malware" (March 2025), reporting on the FBI Denver field office advisory
- CloudSEK: "Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents", the technical breakdown of the PDFCandy impersonation campaign