Are Online File Converters Safe? What the FBI Warning Actually Said
June 12, 2026
Short answer: some are, many aren’t, and the difference is not obvious from the homepage. The FBI considered the problem serious enough to issue a public warning, and researchers later backed it up with named sites and named malware. Here’s what actually happened, how the scams work, and a concrete checklist for telling a safe converter from a dangerous one.
What the FBI actually warned about
In March 2025, the FBI’s Denver field office published an alert about a scam its agents were seeing increasingly often: free online document converter tools that load malware onto victims’ computers, in some cases leading to ransomware. Three details are worth reading twice:
- The sites often work as advertised. They really do convert your .doc to a .pdf or download your video. The malware rides along in the file you get back, so there’s no obvious failure to tip you off.
- The tools can scrape your uploaded files for data. The FBI specifically listed Social Security numbers, dates of birth, phone numbers, banking information, cryptocurrency wallet details and seed phrases, email addresses, and passwords.
- The sites impersonate legitimate converters. Per FBI Denver spokesperson Vikki Migoya: “The scammers try to mimic URLs that are legit – so changing just one letter, or ‘INC’ instead of ‘CO’.”
The most common lures were .doc-to-.pdf conversion (and the reverse) and tools that merge multiple images into one PDF — exactly the boring, everyday tasks people search for in a hurry. Malwarebytes covered the warning on March 17, 2025, adding that lookalike converter sites also push browser hijackers and adware.
Researchers confirmed it wasn’t hypothetical
A week later, BleepingComputer verified the FBI’s claims with specifics: converter sites docu-flex[.]com and pdfixers[.]com were serving Windows executables (DocuFlex.exe, Pdfixers.exe) flagged as malware on VirusTotal, and a Google Ads campaign promoted fake PDF-to-DOCX converters delivering Gootloader — a loader that pulls in banking trojans, infostealers, and Cobalt Strike beacons, and a known entry point for ransomware crews including REvil and BlackSuit.
Note the Google Ads detail: a malicious converter can simply buy the top of your search results, so “first page of Google” is not a safety signal.
The threat model: three distinct risks
“Is this converter safe?” is really three separate questions.
1. Malware delivery
The classic version: the site hands back a “converted” file — or asks you to download a “converter app” — and the payload is in the download. An executable where you expected a document is an immediate abort, but payloads can also hide in document macros, so a clean-looking .pdf isn’t automatically safe either.
2. Data harvesting from the files you upload
This one gets less attention and is arguably worse, because it can happen on a site that never serves malware at all. Once a file is on someone else’s server, you’ve lost control of it — regardless of what the privacy policy promises about retention, it’s now their copy to keep, scan, index, or leak in their next breach.
Screen recordings deserve special paranoia. A typical capture contains your open tabs, email subject lines, Slack messages in another window, notification popups, autocomplete suggestions, and dashboard URLs with embedded tokens. A 30-second “quick demo” routinely holds more sensitive data than any document you’d think twice about uploading.
3. Impersonation and malvertising
Even if a legitimate converter exists, you have to actually land on it. Typosquatted domains and paid search ads mean the site you reach may not be the one you meant to visit. The FBI’s “INC instead of CO” example is exactly this.
Upload-based vs. browser-local: the structural difference
There are two architecturally different kinds of “online converter,” and they have very different risk profiles.
| Upload-based converter | Browser-local converter | |
|---|---|---|
| Where conversion happens | The operator’s server | Your device, in the browser tab |
| Does your file leave your machine? | Yes, by definition | No — it’s read via the File API in-page |
| Can the operator read your file? | Yes | No (and you can verify this yourself) |
| Works offline after page load? | No | Should, yes |
| File size limits | Server-imposed, often 100 MB–1 GB on free tiers | Bounded by your device’s RAM, not a server quota |
| Speed on a 200 MB video | Upload time + queue + processing + download | Processing only; with WebCodecs hardware decode, often faster |
| Breach exposure | Your files are in someone’s storage bucket | Nothing to breach — there’s no copy |
Browser-local tools became practical because modern browser APIs (WebAssembly, and more recently WebCodecs for hardware-accelerated video decode) let a web page do real media processing at near-native speed. A video to GIF converter built this way reads your file in the tab, decodes frames on your GPU where available, and never makes a network request containing your data.
The honest tradeoff: local processing uses your CPU and RAM, so a weak laptop will chug on a 4K source where a beefy server wouldn’t. And GIF itself is an inefficient format — a 10-second clip at 480px and 15 fps lands around 4–8 MB, which is why you’ll often want a GIF compressor pass afterward.
How to evaluate any converter: a practical test
HTTPS is table stakes, not a safety signal. The padlock means your connection is encrypted; it says nothing about what the site does with your file once it has it. Malicious sites have valid TLS certificates too — they’re free. Here’s what actually tells you something:
The Network tab test (2 minutes, no expertise needed). Open the converter, press F12, click the Network tab, then convert a small test file. If the file is uploaded, you’ll see a POST or PUT request roughly the size of your file. If processing is local, the network goes quiet while you convert. There’s a step-by-step walkthrough at how to verify no-upload claims — it works on any tool.
The airplane-mode test. Load the page, disconnect from the internet, then convert. A genuinely local tool keeps working; an upload-based one fails immediately. (Let the page fully load first — some local tools lazy-load their processing code.)
Check what you’re downloading. Expected a .gif or .pdf, got a .exe, .msi, or a ZIP containing one? Close the tab. This single rule would have defeated the DocuFlex/Pdfixers campaign outright.
Read the URL character by character, especially if you arrived via an ad. Better: don’t click converter ads at all.
Prefer open source or verifiable tools. If the code is open or the no-upload architecture is demonstrable, you’re not relying on a privacy policy’s pinky promise.
Match the tool to the sensitivity. A meme clip from YouTube? Any reputable converter is fine. A screen recording of your company’s admin panel? Local-only, no exceptions.
Red flags vs. green flags
| Red flags | Green flags |
|---|---|
| Asks you to download a “converter app” | Conversion completes in the browser tab |
| Output file is an executable | Output matches the expected format |
| Reached via a search ad | Direct navigation or a known domain |
| Vague privacy policy (“files deleted after processing”) | Verifiable claim: works offline, clean Network tab |
| Domain is one letter off a known brand | Open-source code or documented architecture |
| Forces an account/email for a free conversion | No signup for basic use |
Where this leaves GIF-making specifically
Video-to-GIF is one of the most common converter searches, and screen recordings are one of the most common inputs — the worst-case combination for upload-based tools. It’s also a case where local processing is fully solved: decoding video and palette-quantizing frames is well within a browser’s abilities. GIF Den runs on exactly this architecture (everything happens in your tab, verifiable with the Network tab test above) — but the method matters more than the tool name, so apply the same tests to us as to anyone else.
One caveat about the format itself: GIF is a 1989-era format with a 256-color palette and no real compression for video-like content. It’s still the path of least resistance for chat apps and issue trackers, but where a platform accepts video, converting GIF to MP4 typically cuts file size by 80–90% at better quality.
The checklist
Before you upload anything to a converter site:
- Did you type the URL or follow a trusted link — not an ad?
- Does the URL match the real brand, letter for letter?
- Is the output file the format you expected (never an executable)?
- Does the Network tab stay quiet during conversion, or does your file get POSTed somewhere?
- Does it still work in airplane mode?
- Sensitive file (screen recording, credentials, PII)? Confirm processing is local, or don’t use it.
- If you’ve already used a sketchy converter: run an up-to-date malware scan, change passwords from a clean device, and report it to IC3 — the FBI’s recommended steps.
The FBI’s warning wasn’t that online converters are inherently dangerous — it’s that the upload-and-trust model is unverifiable, and criminals exploit exactly that gap. Tools that process files on your own device close it structurally, and the best ones let you check.