Fake Uniswap Google Ads Help Scammers Steal $400K

A blockchain analyst has warned that malicious phishing ads impersonating Uniswap have appeared on Google Search, allowing attackers to steal at least $400,000.

Scammers have been using Google to run malicious phishing advertisements impersonating Uniswap, reportedly allowing the attackers to steal at least $400,000.

The on-chain analyst “b-block” posted on X on Monday that a website impersonating decentralized finance exchange Uniswap was draining funds from multiple wallets, with at least $400,000 reportedly being held by the scammers.

Stacy Muur, founder of Web3 marketing agency Green Dots, said the scammers had stolen funds from users through a phishing ad on Google that impersonated Uniswap and shared a screenshot of a sponsored result from the search engine.

“It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained,” she said.

The two flagged addresses held a combined 146 Ether worth around $306,000 at the time of writing, according to Etherscan.

DeFiLlama said that “fake ads on Google are a common source of phishing attacks.” The crypto non-profit group Security Alliance reported in April that a “significant uptick” in phishing activity on Google Search had been observed in March.

Google Ad Scams Fuel Rising Crypto Phishing Attacks

Security Alliance said attackers either pay Google or compromise legitimate advertiser accounts to run convincing fake ads impersonating popular crypto protocols and lure users. Legitimate crypto exchanges and protocols are often outbid by threat actors to secure a higher position within the “Sponsored results” section on Google Search.

Security Alliance blocked more than 356 malicious advertising links, a figure it said “represents a steady volume of attacker-deployed Google Ads each week for more than a year.” It added, “The campaign is not slowing down, and we are receiving more reports from affected users.”

The phishing ads used legitimate-looking URLs to bypass Google’s automated checks, while a hidden secondary iframe was used to load the malicious payload, which also remained invisible to Google’s detection systems.

Victims are directed to convincing clones of legitimate crypto apps, with all network traffic secretly routed through attacker-controlled servers, Security Alliance explained, reporting that a total of $1.27 million was stolen between March 13 and 30.

In early May, attackers were reported to be abusing Google Ads and legitimate shared chats from AI chatbot Claude in an active “malvertising” campaign targeting Mac users.

Facebook is also considered a major hotspot for fake ads and scams, according to Malwarebytes, which reported in February that paid ads resembling official Microsoft promotions were being run by scammers.

Victims were redirected to near-perfect clones of the Windows 11 download page, where malware designed to steal crypto assets and credentials was deployed.