5 Minutes
Crypto users have lost hundreds of thousands of dollars to a targeted phishing campaign that used sponsored Google Ads to promote cloned Uniswap websites. On-chain analysts and security firms say attackers used convincing impostor pages and Punycode-style domains to trick users into connecting wallets and approving malicious transactions that drained funds.
One of the attacker’s wallet addresses with drained funds.
What happened
Attackers deployed sponsored search results that appeared above legitimate Uniswap links on Google. According to on-chain analyst "b-block," the operation involved multiple scam wallets that collectively received roughly 146 ETH — about $306,000 at the time of reporting — as well as other assets, bringing confirmed losses tied to this specific campaign to at least $400,000.
Security researchers and Web3 marketing professionals, including Stacy Muur of Green Dots, documented screenshots of the fake sponsored results and criticized Google for failing to prevent the malicious adverts despite repeated notices. The cloned pages closely mimicked Uniswap’s interface, making it difficult for non-technical users to distinguish real from fake.
How the scam works
Cloned front-ends and malicious approvals
These phishing sites copy a decentralized exchange’s visual design and prompt victims to connect their wallets. Instead of requesting a simple swap, the fake interface asks users to sign or approve transactions that grant unlimited token allowances to attacker-controlled smart contracts. Once a user approves, the contract can move or drain connected assets without needing private keys.
Punycode domains and hidden payloads
Attackers frequently use lookalike domain tricks — including Punycode variants that appear nearly identical to the legitimate URL — to fool searchers. Security groups also report use of hidden iframes and secondary payloads that evade automated detection, routing traffic through attacker-controlled servers to intercept approvals and approvals flows.
Fake Uniswap ad appearing on Google search.
Scope and related incidents
This campaign is part of a larger pattern of phishing attacks tied to paid search advertisements. The Security Alliance (SEAL) reported a significant uptick in Google Ads–linked phishing in March, estimating roughly $1.27 million was stolen between March 13 and March 30 alone. Earlier incidents included a DeFi user losing over $1.23 million in Uniswap NFTs after interacting with a malicious site promoted through Google Ads, according to Scam Sniffer.
Blockchain security firms such as PeckShield Alert and analytics platforms including DeFiLlama have also flagged similar attacks involving fake Aave ads placed at the top of Google searches. In those cases, users were again prompted to approve transactions that effectively handed wallet access to scammers.
How attackers get ad placement
SEAL’s investigations indicate two main avenues: attackers either purchase Google Ads directly using burner accounts or they compromise existing advertiser accounts to push malicious links. Because phishing operators often outbid legitimate advertisers, their links can appear as the top sponsored result — a prime position to ensnare unsuspecting users.
What security teams are doing
Security groups have taken down hundreds of individual malicious ad links; SEAL reported blocking more than 356 harmful advertisement links over the past year. But investigators warn that the campaign remains active and that automated defenses can be circumvented by obfuscated payloads and routing strategies designed to look benign to crawlers.
Recommendations for users
Verify URLs and use bookmarks
Always verify the URL before connecting a wallet. Bookmark trusted DeFi sites and access them directly rather than through search ads or unsolicited links.
Limit approvals and use transaction checks
Avoid granting unlimited token allowances. Use tools or wallet features to review and revoke suspicious approvals, and double-check transaction data in your wallet before signing.
Enable additional security layers
Consider hardware wallets for larger holdings and use browser extensions or services that flag known phishing domains. Keep software up to date and be cautious of unfamiliar or time-pressured prompts.
Why this matters
Phishing via paid search channels represents a growing threat vector for DeFi and crypto users because it exploits both human trust and advertising systems. As attackers refine their cloning techniques and leverage ad platforms to amplify reach, centralized ad networks must strengthen vetting and remediation. At the same time, users and projects must prioritize education, stricter approval habits, and defensive tooling to reduce exposure.
The incident underscores that even well-known protocols like Uniswap can be impersonated effectively in search results, and that vigilance is essential for anyone interacting with decentralized finance platforms.
Source: crypto
Leave a Comment