A phishing campaign that used fake Google search advertisements to impersonate Uniswap has drained more than $400,000 from crypto users, according to on-chain data and security researchers. The operation relied on sponsored ads that appeared above legitimate search results, which led victims to cloned websites that captured wallet approvals and transferred funds.

The incident adds to a growing list of ad-based crypto scams that exploit search engine visibility rather than technical vulnerabilities in protocols themselves.

Wallet data exposes scale of the attack

The scheme came to light after on-chain analyst “b-block” identified wallet addresses tied to the activity. The addresses held around 146 ETH at the time of discovery, valued at roughly $306,000 based on Etherscan data. The total amount stolen across victims exceeded $400,000, based on estimates shared by researchers.

The attacker-controlled wallets showed multiple incoming transactions that aligned with phishing patterns. Funds moved quickly after users approved transactions, which made recovery difficult.

The phishing campaign relied on Google Ads placements that mimicked official Uniswap links. These ads appeared at the top of search results and redirected users to nearly identical copies of the real interface.

Stacy Muur, founder of Web3 marketing agency Green Dots, said the ads ranked prominently and often displaced legitimate results. She shared a screenshot of a fake sponsored listing and criticized Google’s response to recurring crypto phishing incidents.

Victims who clicked these ads landed on cloned websites designed to replicate the Uniswap interface. The pages prompted users to connect wallets and approve transactions. Once approval was granted, attackers gained direct access to funds without requiring private keys.

How the phishing flow drained user wallets

Security researchers described a consistent attack pattern across these campaigns. Users arrived on a fake site, connected their wallet, and interacted with what appeared to be a normal transaction request. In reality, the request granted permissions to malicious smart contracts.

These approvals enabled attackers to transfer tokens or NFTs without further user action. Scam Sniffer previously documented a similar case in July, where a DeFi user lost more than $1.23 million in Uniswap NFTs after signing a malicious transaction promoted through Google Ads.

Attackers have refined these techniques over time. Many phishing sites now use Punycode domains and visual clones that closely match official platforms. This reduces suspicion and increases the likelihood of user interaction.

Security groups track surge in ad-based phishing

Blockchain security organizations have tracked a rise in phishing campaigns tied to search advertising. DeFiLlama identified fake Google ads as one of the most common entry points for crypto phishing attacks.

The Security Alliance (SEAL) reported a “significant uptick” in phishing activity linked to Google Search ads earlier this year. According to SEAL, attackers either purchase ads directly or compromise legitimate advertiser accounts to distribute malicious links.

The group said threat actors outbid legitimate crypto companies to secure top placement in sponsored results. This tactic ensures visibility at the moment users search for platforms like Uniswap or Aave.

SEAL reported that it blocked more than 356 malicious ad links over the past year. The organization also estimated that phishing attacks tied to Google ads stole about $1.27 million between March 13 and March 30 alone.

Evasion tactics complicate detection

Researchers noted that attackers deploy technical measures to avoid detection by automated systems. These include hidden iframes and secondary payloads that remain invisible during standard ad reviews.

Users often see legitimate-looking URLs while malicious scripts operate in the background. Traffic from these sites routes through attacker-controlled servers, which intercept transaction approvals in real time.

PeckShield Alert flagged another phishing campaign in August that used fake Aave advertisements in Google search results.

The pattern matched earlier Uniswap-related attacks, with users prompted to approve transactions that granted wallet access.

Persistent threat across crypto platforms

The latest Uniswap-related incident shows that phishing remains a major risk vector in crypto, especially when combined with trusted platforms like Google Search. Attackers focus on user behavior rather than protocol weaknesses, which makes prevention more dependent on awareness than code fixes.

Security groups continue to warn that these campaigns remain active. Reports from affected users continue to surface, which indicates that the infrastructure behind such scams has not been dismantled.

The reliance on paid ads as a distribution channel raises ongoing questions about platform responsibility and enforcement. Crypto users face a familiar challenge: distinguishing legitimate interfaces from convincing replicas in high-risk environments.

DeFi Attack Hits Echo Protocol, $870K Extracted | HODL FM NEWS
The Echo Protocol exploit led to a $77 million fake eBTC mint, with $870K extracted via Curvance. The attack was linked to a compromised admin key on Monad.
hodl-post-imageHODL FM News: The Wildest Ride in the Crypto MarketGunel Ismayilova
hodl-post-image

Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that, despite the nature of much of the material created and hosted on this website, HODL FM operates as a media and informational platform, not a provider of financial advisory services. The opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice, HODL FM strongly recommends contacting a qualified industry professional.