Malicious advertisements impersonating a DeFi exchange have run for over a year, with attackers outbidding legitimate platforms for top search placement
Blockchain analyst b-block warned Monday that phishing advertisements impersonating Uniswap have appeared on Google Search, netting attackers at least $400,000 from cryptocurrency users who clicked fake links.
The scam operates by directing victims to convincing clones of legitimate crypto applications. Attackers use URLs that bypass Google’s automated checks and deploy hidden secondary iframes that load malicious payloads invisible to Google’s detection systems. Once users land on the fake sites, their network traffic routes through attacker-controlled servers, allowing criminals to drain funds directly from connected wallets.
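As an added illustration (not code from SEAL, b-block or any other party named in this article), a defender triaging a reported ad landing page could flag the hidden secondary iframes described above in a saved copy of its HTML. The function names, the hiding heuristics and the sample hosts are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic (assumption): inline styles that make an element invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)

class IframeAudit(HTMLParser):
    """Collects iframes that are hidden and load from a host other than the page's."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Resolve relative and protocol-relative src values against the page URL.
        src = urljoin(self.page_url, a.get("src", ""))
        host = urlparse(src).hostname
        hidden = (
            "hidden" in a
            or a.get("width") == "0"
            or a.get("height") == "0"
            or bool(HIDDEN_STYLE.search(a.get("style", "")))
        )
        if hidden and host and host != self.page_host:
            self.findings.append((src, host))

def hidden_cross_origin_iframes(page_url, html):
    """Return (src, host) for each hidden iframe loading from another host."""
    audit = IframeAudit(page_url)
    audit.feed(html)
    return audit.findings

# Constructed sample of a saved landing page; all hosts are placeholders.
SAMPLE_URL = "https://landing.example/swap"
SAMPLE_HTML = """
<iframe src="/widget/prices" width="400" height="300"></iframe>
<iframe src="https://payload.example.net/app.html" style="display:none"></iframe>
<iframe src="https://cdn.example.org/chart" width="600" height="200"></iframe>
"""

if __name__ == "__main__":
    for src, host in hidden_cross_origin_iframes(SAMPLE_URL, SAMPLE_HTML):
        print(f"hidden cross-origin iframe: {src}")
```

This inspects static markup only, so frames injected by script or hidden through external stylesheets need a rendered DOM snapshot instead.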
Security Alliance (SEAL), a crypto non-profit group, reported a significant uptick in phishing activity on Google Search in March. Between March 13 and 30 alone, the campaign stole $1.27 million. SEAL blocked over 356 malicious advertisement links, representing steady weekly volume for more than one year, which indicates the problem is neither new nor isolated.
Threat actors achieve top placement in Google’s “Sponsored results” section by outbidding legitimate crypto exchanges. They either pay Google directly for ad placement or hack legitimate advertiser accounts to launch campaigns under stolen credentials. The source does not specify which method attackers primarily use or whether Google has responded to reports of the fraud.
Two flagged addresses associated with the campaign hold 146 ETH, valued at approximately $306,000 at the time of writing, according to blockchain explorer Etherscan. The actual total stolen likely exceeds this figure, as attackers may have moved or spent funds already.
Stacy Muur, founder of Green Dots Web3 marketing agency, expressed frustration with Google’s inaction. “It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained,” Muur said.
DeFiLlama, a crypto analytics platform, confirmed that “fake ads on Google are a common source of phishing attacks.” The problem extends beyond Uniswap. In early May, attackers launched a similar malvertising campaign targeting Mac users through Google Ads and the Claude AI chatbot. Facebook also hosts fake advertisements impersonating crypto platforms, and Malwarebytes reported in February that scammers ran ads impersonating Microsoft promotions, directing users to Windows 11 clone pages embedded with credential-stealing malware.
SEAL issued an updated warning: “The campaign is not slowing down, and we are receiving more reports from affected users.”
The persistence of these attacks underscores a structural gap in Google’s ad moderation systems. Legitimate crypto projects cannot easily reclaim their brand identity in search results once attackers have claimed top positions, leaving users vulnerable to clicking fraudulent links even when searching for authentic platforms.
What users can do
Verify URLs directly from official project websites or bookmarks rather than clicking search results. Enable hardware wallet protections and review all transaction approvals carefully. Report phishing ads to Google and the targeted platform immediately.