Uniswap phishing campaign on Google ads nets attackers over $400k

by · crypto.news

Crypto users have continued losing funds to phishing campaigns promoted through Google Ads, with attackers now using fake Uniswap websites to steal hundreds of thousands of dollars from unsuspecting wallet holders.

Summary

  • Fake Uniswap ads on Google search have reportedly helped scammers steal at least $400,000 from crypto users.
  • Security groups said attackers continue using sponsored Google ads and cloned crypto websites to drain connected wallets.
  • SEAL reported that phishing campaigns tied to malicious Google advertisements stole more than $1.27 million within weeks earlier this year.

According to on-chain analyst “b-block,” a malicious website impersonating decentralized exchange Uniswap drained multiple wallets and accumulated at least $400,000 in stolen assets.

One of the attacker’s wallet addresses with drained funds. Source: b-block on X.

The analyst shared two wallet addresses tied to the operation, which together held 146 ETH worth roughly $306,000 at the time of reporting, based on Etherscan data.

Meanwhile, Stacy Muur, founder of Web3 marketing agency Green Dots, said the phishing operation relied on sponsored Google search advertisements designed to appear above legitimate Uniswap links. 

Muur shared a screenshot showing the fake sponsored result and criticized Google for failing to stop such campaigns despite repeated incidents targeting crypto users.

Google Ads has repeatedly appeared in similar phishing cases over the past year. As previously reported by crypto.news in July, Scam Sniffer reported that a DeFi user lost more than $1.23 million in Uniswap NFTs after signing a malicious transaction on a fake website promoted through Google Ads. 

According to Scam Sniffer, the attackers used a phishing page that closely copied Uniswap’s interface and tricked the victim into approving unlimited asset transfers through a malicious smart contract.

OKX’s X Layer lets users build their own crypto marketsOKX’s X Layer launched Exchange OS, letting builders deploy spot, perp, and outcome markets as a 2026 World Cup test venue arrives in June.Olivia Stephanie, Olivia Stephanie, 26 May 2026

At the same time, blockchain security firms have warned that attackers increasingly rely on Punycode domains and cloned interfaces that look nearly identical to legitimate crypto platforms. Once users connect wallets and approve transactions, scammers gain direct access to assets without needing private keys.

Security groups warn phishing attacks are increasing

Meanwhile, decentralized finance analytics platform DeFiLlama said fake Google advertisements remain one of the most common entry points for phishing attacks in crypto. 

Previously, the Security Alliance, also known as SEAL, reported that phishing activity tied to Google Search advertisements saw a “significant uptick” during March.

According to SEAL, attackers either purchase Google advertisements directly or compromise legitimate advertiser accounts to distribute fake links impersonating major crypto protocols and exchanges. The group said malicious actors routinely outbid legitimate companies so their phishing pages appear at the top of sponsored search results.

Fake Uniswap ad appearing on Google search. Source: SEAL.

SEAL said it blocked more than 356 malicious advertisement links over the past year and warned the campaign remained active with continued reports from affected users. The organization also stated that attackers use hidden iframes and secondary payloads that remain invisible to Google’s automated detection systems while showing users legitimate-looking URLs.

Victims who enter these fake websites often see nearly identical copies of real crypto applications. 

According to SEAL, all traffic from those cloned platforms gets routed through attacker-controlled servers that can intercept approvals and drain wallets. The group estimated that phishing attacks tied to Google ads stole roughly $1.27 million between March 13 and March 30 alone.

More recently, blockchain security firm PeckShield Alert warned about another phishing campaign involving fake Aave advertisements placed at the top of Google search results. 

As previously reported by crypto.news, the malicious websites prompted users to approve transactions that handed wallet access directly to attackers. Scam Sniffer issued a similar warning in June after spotting fake Aave ads ranking prominently in Google searches.

Render breaks above $2.25 as active wallets hit 12-week highRender rose 13.16% to $2.25 as active wallets hit a 12-week high, while derivatives volume jumped 126.52% and open interest rose on May 26.Olivia Stephanie, Olivia Stephanie, 26 May 2026