Scammers use fake Google Ads to steal $400K from Uniswap users

An on-chain analyst and crypto security groups reported that scammers deployed Google search ads impersonating the Uniswap decentralized exchange and drained at least $400,000 from user wallets. An analyst using the handle b-block posted on X that a site posing as Uniswap had siphoned funds from multiple wallets and that attacker-controlled addresses held at least $400,000.

Blockchain explorer data flagged two addresses holding a combined 146 ETH, worth about $306,000 at the time of the report. Stacy Muur, founder of Web3 marketing agency Green Dots, shared a screenshot of a sponsored search result and wrote, “It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained.”

According to the crypto security group Security Alliance (SEAL) and analytics firm DeFiLlama, the campaign used paid sponsored results to direct victims to near-perfect clones of Uniswap’s interface. The attackers used legitimate-looking URLs to pass automated checks and loaded a hidden secondary iframe that delivered the malicious code. Users who interacted with the fake pages unknowingly approved transactions that routed funds to attacker-controlled servers.

SEAL reported a significant uptick in Google-based phishing in March and said it blocked more than 356 malicious advertisement links, a figure it described as representative of a steady weekly volume of attacker-deployed Google Ads over more than a year. The group also reported that similar campaigns stole $1.27 million in total between March 13 and March 30. SEAL said attackers either pay the ad platform directly, compromise legitimate advertiser accounts, or outbid legitimate exchanges to secure top placement in sponsored results.

Security firms have documented related malvertising campaigns that relied on poisoned AI chat results and paid social ads. In some cases, attackers combined search ads with manipulated chat results to push macOS malware to users, and paid ads on social platforms have directed users to cloned download pages that delivered credential- and crypto-stealing malware.

Google places sponsored links above organic results, increasing the visibility of fraudulent ads. Security groups urged ad platforms and crypto protocols to improve detection and speed up removal of fraudulent ads. Users are advised to verify domain names carefully, confirm links through official protocol channels, and avoid approving wallet transactions from unfamiliar pages.

You might also like: How to recover stolen crypto