Security researchers say fake sponsored links drain $400,000 from crypto users
Threat actors have been running fake Uniswap ads on Google’s platform for over a year, funneling unsuspecting users to phishing sites designed to steal wallet credentials and drain funds, according to security researchers tracking the campaign.
On May 25, 2026, on-chain analyst b-block raised the alarm after tracing stolen funds to wallets associated with the scheme. “A website impersonating Uniswap is draining funds from multiple wallets. The scammers are currently holding at least ~$400,000,” b-block said in a post detailing the operation.
The attack vector is straightforward: scammers purchase Google Ads space or break into existing advertiser accounts to run fake listings. These malicious ads appear as sponsored links in search results, outbidding the legitimate Uniswap protocol for top position. Victims click what appears to be an authentic link and land on a convincing Uniswap replica. Behind the scenes, network activity routes through attacker-controlled servers, where malicious code harvests private keys and wallet credentials.
The fake URLs appear legitimate enough to bypass Google’s automated review systems. Security Alliance (SEAL), a nonprofit security tracking group, has been monitoring the broader pattern and documented 356 malicious ad links blocked in a single week, which the organization described as typical of weekly attacker activity.
The scale of theft has accelerated. Between March 13 and March 30, phishing activity spiked, with $1.27 million stolen during that window alone. At the time of b-block’s May report, two flagged wallets held 146 ETH, worth approximately $306,000.
DeFiLlama, a crypto data platform, has identified fake Google ads as a common and recurring source of phishing attacks targeting the crypto community. The problem extends beyond Uniswap. In early May, attackers abused Google Ads to distribute malware targeting Mac users through chat links shared from AI tools. Facebook has also seen similar campaigns using fake paid ads mimicking Microsoft promotions, directing users to counterfeit Windows 11 download pages embedded with credential-stealing malware.
Stacy Muur, founder of Green Dots, a Web3 marketing agency, expressed frustration with Google’s handling of the issue. “It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained,” Muur said.
The source does not specify which advertiser accounts were hijacked, how many victims have been affected, or whether Google has taken action to address the campaign. Neither has it been disclosed whether victims have recovered funds or filed formal complaints with authorities.
