Security researchers say Google’s ad platform has been weaponized for over a year, with threat actors running fake sponsored links that funnel unsuspecting crypto users to phishing sites designed to drain their wallets.
How The Attack Works
The scheme targets people searching for Uniswap, the decentralized exchange, by placing fraudulent ads above the legitimate site in Google’s sponsored results section.
Attackers either purchase ad space outright or break into existing advertiser accounts to run the fake listings, then outbid the real protocol to secure the top position.
What makes the ads hard to catch is how they are built. The phishing links use URLs that look authentic, while a hidden secondary element quietly loads the malicious code — invisible to Google’s automated review systems.
Victims who click through land on convincing replicas of the real Uniswap platform, with all their network activity routed silently through attacker-controlled servers.
Community alert:
A website impersonating Uniswap is draining funds from multiple wallets.
The scammers are currently holding at least ~$400,000.
0x37925684BA178821b4436E06e67f5dBD6cfA49Bb
0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2Please only use official links, and… pic.twitter.com/JikqftTVHY
— b-block (@b_block_oficial) May 25, 2026
On-chain analyst “b-block” raised the alarm on Monday after tracing stolen funds to addresses linked to the fake Uniswap site.
At the time of writing, two flagged wallets held a combined 146 ETH, valued at roughly $306,000. The total haul is estimated at at least $400,000.
A Year Of Losses
The nonprofit Security Alliance, known as SEAL, has been tracking the broader pattern. According to the group, there was a sharp rise in this type of phishing activity in March, with $1.27 million stolen between March 13 and 30 alone.
SEAL said it blocked more than 356 malicious ad links, describing that number as typical of weekly attacker activity sustained for more than a year — and said the pace has not slowed.
Stacy Muur, founder of Web3 marketing agency Green Dots, shared a screenshot of one such sponsored result and said scammers had used it to steal funds from users. She called out Google directly, saying the company has let the problem persist for years while users continue to lose money.
DeFiLlama, a crypto data platform, echoed the concern, calling fake Google ads a common and recurring source of phishing attacks targeting the crypto community.
Two scammers have already stolen ~$400,000 from users through a phishing @Uniswap ad on Google.
It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained.
This is the first result that popped out… https://t.co/Ov488s9DIl pic.twitter.com/qStRGq8qTE
— Stacy Muur (@stacy_muur) May 25, 2026
The Threat Spreads Beyond Google
The Uniswap case is part of a wider pattern hitting multiple platforms and audiences. Reports indicate that in early May, attackers were abusing both Google Ads and shared chat links from AI tools to push malware targeting Mac users in an active campaign.
Meanwhile, reports note that Facebook has seen a similar wave of fake paid ads, with scammers mimicking official Microsoft promotions and directing users to counterfeit Windows 11 download pages loaded with credential-stealing malware.
SEAL said it continues to receive reports from victims and that the campaign shows no sign of stopping.
Featured image from Unsplash, chart from TradingView
Editorial Process for bitcoinist is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict sourcing standards, and each page undergoes diligent review by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
Be the first to comment