How Cybercriminals Exploited Google Ads to Steal $400K Using Fake Uniswap Schemes

Ever wonder if your next Google search might come with a side of deception? Well, you’re not alone—and sadly, it’s not some sci-fi plot. Scammers have been leveraging Google’s advertising platform to push phishing ads masquerading as Uniswap, the well-known decentralized finance giant. Imagine a slick fake site draining your crypto wallets while sneaky ads keep popping up above the real deal—frustrating, right? These fraudsters have already scooped up at least $400,000 in stolen ETH, exploiting gaps Google apparently can’t—or won’t—patch. It’s a stark reminder: sometimes, the biggest threat to your digital gold isn’t some hacker in a dark alley but the “Sponsored results” plastered on your daily search pages.

Scammers have been using Google to deploy malicious phishing advertisements impersonating the crypto protocol Uniswap, which has reportedly netted the attackers at least $400,000. 

The on-chain analyst “b-block” posted to X on Monday that a website impersonating decentralized finance exchange Uniswap was draining funds from multiple wallets and the scammers were holding at least $400,000.

Stacy Muur, founder of Web3 marketing agency Green Dots, said that the scammers had stolen the funds from users through a phishing ad on Google that impersonated Uniswap, and shared a screenshot of a sponsored result from the search engine.

“It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained,” she said.

The two flagged addresses held a combined 146 ETH, worth around $306,000 at the time of writing, according to Etherscan.

DeFiLlama said that “fake ads on Google are a common source of phishing attacks.” The crypto non-profit group Security Alliance (SEAL) reported in April that there was a “significant uptick” in phishing activity on Google search in March.

SEAL said that attackers pay Google or hack legitimate advertiser accounts to run convincing fake ads impersonating popular crypto protocols to lure users. Threat actors outbid legitimate crypto exchanges and protocols to achieve a superior position within the “Sponsored results” section on Google Search.

SEAL blocked over 356 malicious advertisement links, a number which is “representative of a steady volume of attacker-deployed Google Ads each week for more than a year,” it added. “The campaign is not slowing down, and we are receiving more reports from affected users.”

The phishing ads used legitimate-looking URLs to bypass Google’s automated checks, while a hidden secondary iframe loaded the malicious payload, which was also invisible to Google’s detection.

Victims land on convincing clones of real crypto apps, with all network traffic secretly routed through attacker-controlled servers, explained SEAL, reporting that $1.27 million in total funds were stolen between March 13 and 30.
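For defenders reviewing a suspicious ad landing page, the sketch below (an added example, not code from SEAL or from the original article) audits saved HTML for iframes that load from a different host than the advertised URL and marks those that are hidden or stretched over the whole page. The sample markup, the placeholder hosts and the full-page heuristic are assumptions; only inline styles are inspected, so it should be run on the rendered DOM to catch frames injected by script.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample landing page; every host below is a placeholder.
SAMPLE_PAGE_URL = "https://landing.example/swap"
SAMPLE_HTML = """
<iframe src="/widgets/prices.html" width="300" height="200"></iframe>
<iframe src="https://payload.invalid/app"
        style="position:fixed; inset:0; width:100%; height:100%; border:0"></iframe>
<iframe src="//tracker.invalid/t" style="display: none"></iframe>
"""
ZERO = {"0", "0px"}

def parse_style(style):
    """Turn an inline style attribute into a {property: value} dict."""
    css = {}
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            css[name.strip().lower()] = value.strip().lower()
    return css

class IframeAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))
        host = urlsplit(src).hostname
        if host is None or host == self.page_host:
            return  # same-host, empty or about:blank frames are out of scope
        css = parse_style(a.get("style", ""))
        reasons = ["cross-host"]
        sizes = {a.get("width"), a.get("height"), css.get("width"), css.get("height")}
        if ("hidden" in a or css.get("display") == "none" or ZERO & sizes
                or css.get("visibility") == "hidden" or css.get("opacity") in {"0", "0.0"}):
            reasons.append("hidden")
        # Assumption: a frame stretched over the viewport is how a clone would be shown.
        if (css.get("position") in {"fixed", "absolute"}
                and css.get("width") in {"100%", "100vw"} and css.get("height") in {"100%", "100vh"}):
            reasons.append("full-page")
        self.findings.append({"src": src, "host": host, "reasons": reasons})

def audit_iframes(html, page_url):
    """Return one finding per iframe whose source host differs from the page's host."""
    parser = IframeAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```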

In early May, it was reported that attackers were abusing Google Ads and legitimate shared chats from AI chatbot Claude in an active “malvertising” campaign targeting Mac users.

Facebook is also a hotbed of fake ads and scams, according to Malwarebytes, which reported in February that scammers were running paid ads that looked like official Microsoft promotions. 

Victims were directed to near-perfect clones of the Windows 11 download page, where malware designed to steal crypto and credentials was deployed. 
