When employees at Google, Apple, and Microsoft needed to convert documents, they used Nitro PDF. A legitimate, widely trusted platform. Millions of professionals relied on it daily.

Nitro is a full PDF productivity suite, not a simple web converter. But the principle is the same: your documents lived on someone else's servers.

Then Nitro got breached.

77 million user records ended up on dark web markets. More than 3,600 Google employee accounts exposed, containing 32,000 internal documents. 584 Apple accounts with 6,405 files. 3,330 Microsoft accounts with 2,390 documents. Merger proposals. Financial reports. Product launch strategies. All of it put up for auction with a starting price of $80,000. It was later leaked publicly for free.

These weren't careless people. They worked at three of the most security-conscious companies on the planet. It didn't matter.

Law Enforcement Agencies Are Warning About This

In March 2025, the FBI's Denver field office issued an alert describing the threat from malicious online file converters as "rampant." Within two weeks, they confirmed an actual incident in the Denver metro area.

Europol's threat assessments have consistently identified social engineering via malicious files as a growing attack vector. This is not just an American problem.

The warning applies to the sites that show up when you search "convert PDF to Word" or "merge PDF files free." Some are promoted through search ads, meaning they appear above legitimate results. The first link you click could be the attack.

What makes these scams effective is simple. The converter works. You upload your file, you get your converted document back, and you move on. You never suspect anything because you got exactly what you asked for.

Meanwhile, the uploaded file gets scraped for ID numbers, bank account details, passwords, dates of birth, and cryptocurrency wallet information. The file you downloaded back may contain malware that gives attackers persistent access to your machine.

Inside a Fake Converter Attack

Security researchers at CloudSEK documented exactly how one of these operations works. Attackers built convincing clones of PDFCandy, a popular conversion tool, using domains like candyxpdf[.]com and candyconverterpdf[.]com. The fake sites were nearly identical to the real thing.

The attack is straightforward. You visit the site. Upload your document. A realistic processing animation plays. Then a CAPTCHA prompt appears, asking you to verify you're human. Normal enough.

Except the "verification" instructs you to run a command on your computer. That command connects to a remote server, downloads a ZIP file disguised as an Adobe product, and installs ArechClient2, a remote access trojan that has been active since 2019. Once installed, it harvests browser credentials, crypto wallets, and anything else of value stored on your system.

Malwarebytes identified at least 10 specific malicious converter domains, including convertallfiles[.]com, freejpgtopdfconverter[.]com, and convertpro[.]org.

Separately, security researchers documented campaigns distributing Gootloader, a malware delivery tool linked to major ransomware operations like REvil and BlackSuit, through sites like docu-flex[.]com and pdfixers[.]com.

These aren't amateur operations. They're sophisticated, well-funded campaigns designed to look exactly like the tools millions of people use every week.

The Problem With "Legitimate" Converters

Fake sites are one threat. But the real ones are not much better.

Even the real, legitimate converter services store your files on their servers. iLovePDF keeps uploaded documents for two hours before deletion. SmallPDF removes files after one hour, unless you have an account, in which case your files may be stored indefinitely. FreeConvert holds files for eight hours on Amazon Web Services servers in Ireland. CloudConvert retains files for up to 24 hours.

Two hours might not sound like much. But consider what you uploaded. A tax return. A signed contract. A medical report. Client records from your law practice. Salary spreadsheets. For those hours, your most sensitive documents exist on infrastructure you don't control, can't audit, and have no visibility into.

Convertio's terms of service include a sweeping disclaimer: the company is "not liable for any damages, including lost profits, lost data, or damage to your computer system." There is no zero-knowledge encryption. You are trusting that nothing goes wrong based on a promise in a privacy policy that nobody reads.

As Javier Rodriguez, head of Cyber Intelligence at security firm Tarlogic, put it: "Files uploaded to the online converter will remain in the cloud, within the platform. Any assault that it may suffer could end up generating very great damage."

He was talking about Nitro. But the same applies to every online converter you've ever used.

Your Documents May Be Training Someone's Software

There is another layer to this that gets almost no attention.

Many modern PDF and document tools now process files on remote servers using automated systems that analyze content. The terms of service for these platforms sometimes include clauses granting rights to use uploaded content for product improvement. Opt-out options, when they exist, are buried deep in settings that most users never find.

This means a confidential business proposal, a legal brief, or a financial forecast you uploaded for a quick conversion might be retained and analyzed in ways you never agreed to. For businesses subject to GDPR, HIPAA, or other regulatory frameworks, this creates a compliance violation that no privacy policy checkbox can fix.

Institutions Are Banning These Tools

An IT security team at MIT issued an explicit directive to faculty and staff: "Do NOT use Online File Conversion Websites." Their warning states that these platforms "are or have become malware delivery platforms" and emphasizes that no browser choice or operating system provides protection.

They are not alone. Universities, government agencies, and corporations across the world are adding online converters to their lists of prohibited tools. When the organizations with the most technical expertise are telling their own people to stop using these services, it is worth paying attention.

What You Can Do Instead?

Every major operating system includes basic conversion tools that never upload your files anywhere. Preview on Mac can export to PDF. Microsoft's built-in "Print to PDF" function works from any application. LibreOffice handles format conversions locally.

For anything more complex, desktop software that processes files on your own machine is the only approach that keeps your documents under your control.

The convenience of dragging a file into a browser window and getting a converted version back in seconds is real. But so is the risk. Every document you upload to an online converter passes through servers you don't own, under terms you didn't read, protected by security you can't verify.

Next time you need to convert a file, ask yourself three questions. Where is this document going? Who can access it while it's there? And is saving two minutes worth what might happen if the answer to those questions is "I don't know"?

Sources

[1] FBI Denver Field Office, "FBI Denver Warns of Online File Converter Scam," March 2025. https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam

[2] CloudSEK, "Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents," 2025. https://www.cloudsek.com/blog/byte-bandits-how-fake-pdf-converters-are-stealing-more-than-just-your-documents

[3] Tarlogic, "PDF Converters, Playing with Fire," 2020. https://www.tarlogic.com/blog/pdf-converters-playing-with-fire/

[4] Malwarebytes, "Warning over free online file converters that actually install malware," March 2025. https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware

[5] Moonlock, "FBI Warning: File Converters," 2025. https://moonlock.com/fbi-warning-file-converters

[6] Bitdefender, "Free File Converter Malware Scam Rampant, Claims FBI," 2025. https://www.bitdefender.com/en-us/blog/hotforsecurity/free-file-converter-malware-scam-rampant-claims-fbi

[7] MIT SHASS IT, "Do NOT Use Online File Conversion Websites," 2025. https://shassit.mit.edu/news/do-not-use-online-file-conversion-websites/

[8] HackerNoon, "Are AI PDF Tools Putting Your Data at Risk? Here's a Safer Way to Merge PDFs," 2025. https://hackernoon.com/are-ai-pdf-tools-putting-your-data-at-risk-heres-a-safer-way-to-merge-pdfs

[9] mconverter.eu, "Is iLovePDF Safe?" https://mconverter.eu/blog/is-ilovepdf-safe/

[10] SmallPDF, "Is Smallpdf Safe?" https://smallpdf.com/blog/is-smallpdf-safe

[11] Convertio, "Terms of Service." https://convertio.co/terms/

[12] CloudConvert, "Terms of Service." https://cloudconvert.com/terms