Verify a decision

{"actor":"system:backfill","investigation_id":"58625252-4783-49c8-bbb5-d44243a2b444","kind":"publish","page_slug":"uniswap-google-ad-phishing-campaign-may-2026","published_at":"2026-05-26T18:35:58.816Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Uniswap Google Ad Phishing Campaign (May 2026)","sections":[{"content":"Beginning at least as early as March 2026, attackers began running an elevated volume of fake Google Search sponsored advertisements impersonating the Uniswap protocol. The advertisements appeared at the top of search results for queries related to Uniswap, outbidding legitimate crypto platforms for ad placement. Clicking the sponsored link redirected victims to convincing clones of the Uniswap interface. On May 25, 2026, on-chain analyst b_block_oficial posted a public warning on X (formerly Twitter) identifying two attacker-controlled wallets that had received funds drained from victims. The campaign was subsequently covered by multiple crypto media outlets on May 26, 2026. As of that date, the campaign was reported to be active and ongoing.","heading":"Campaign Overview","severity":"critical","sources":[{"credibility":2,"name":"Fake Google Ads Target Uniswap Users in $400K Crypto Scam — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/fake-google-ads-target-uniswap-users-in-400k-crypto-scam/"},{"credibility":2,"name":"Scammers steal over $400K through fake Uniswap ads on Google Search — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/scammers-steal-400k-fake-uniswap-google-ads/"},{"credibility":2,"name":"Scammers make $400K through fake Uniswap ads on Google — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/scammers-make-400k-through-fake-uniswap-ads-on-google"}]},{"content":"Blockchain data reveals that the two primary attacker wallets identified in the campaign held a combined approximately 146 ETH (valued at roughly $306,000 at the time of reporting), with total confirmed losses across the wider victim network exceeding $400,000. A separate, related incident — in which a single DeFi user lost over $1.23 million in Uniswap V3 Position NFTs on July 21, 2025 — has been cited in coverage as an example of the persistent threat posed by Google Ad phishing targeting Uniswap users. The Security Alliance (SEAL) documented that between March 13 and March 30, 2026 alone, the broader Google Ads phishing campaign (targeting multiple DeFi brands) resulted in confirmed tracked losses of $810,929 and an estimated total of $1,274,259 across attributed and unattributed incidents. Individual victim losses within that window included thefts of $235,000, $240,000, $179,000, $69,000, $75,000, $35,000, and $14,000.","heading":"Financial Impact","severity":"critical","sources":[{"credibility":1,"name":"Malicious Google Ads Targeting Crypto — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"credibility":2,"name":"Fake Google Ads Target Uniswap Users in $400K Crypto Scam — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/fake-google-ads-target-uniswap-users-in-400k-crypto-scam/"},{"credibility":2,"name":"DeFi user loses $1.2M on fake Uniswap site — Crypto.news","type":"news_article","url":"https://crypto.news/defi-loses-1-2m-fake-uniswap-site-phishing-scams-flood-google-ads/"}]},{"content":"Two Ethereum wallet addresses have been publicly flagged as attacker-controlled accounts linked to the Uniswap Google Ad phishing campaign: 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb and 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2. These wallets were identified by on-chain analyst b_block_oficial and reported across multiple crypto news outlets. The phishing sites employed a nested iframe architecture: a primary benign frame passed Google's automated ad verification checks, while secondary hidden iframes loaded the malicious payload. Victim traffic was secretly routed through attacker-controlled proxy servers via man-in-the-middle interception of fetch and XMLHttpRequest calls. Fingerprinting and cloaking techniques were used to detect security researchers and redirect them to benign pages such as Wikipedia, while real victims received the drainer payload. Attackers also leveraged high-reputation Google-owned URLs (sites.google.com, docs.google.com, business.google.com) and Cloudflare Workers, Arweave/Irys decentralized storage, and Google Cloud Storage to host assets and evade detection. Domain-level deception included Punycode-style addresses using Cyrillic characters to visually mimic legitimate crypto domains.","heading":"Attacker Infrastructure and Identified Wallets","severity":"critical","sources":[{"credibility":1,"name":"Malicious Google Ads Targeting Crypto — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"credibility":2,"name":"Fake Google Ads Target Uniswap Users in $400K Crypto Scam — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/fake-google-ads-target-uniswap-users-in-400k-crypto-scam/"},{"credibility":2,"name":"Fake Uniswap drainer $400K phishing — BeInCrypto","type":"news_article","url":"https://beincrypto.com/fake-uniswap-drainer-400k-phishing/"}]},{"content":"SEAL's research confirmed that parts of the malicious Google Ads phishing activity targeting Uniswap and other DeFi protocols were linked to two wallet-drainer-as-a-service tools: Inferno Drainer and Vanilla Drainer. Both services operate on a commission model, taking 20% of all assets successfully stolen from victims. Vanilla Drainer employs LZ-compression obfuscation via the JavaScript Function() constructor to conceal its malicious code. Inferno Drainer is a well-documented drainer service previously used in numerous DeFi phishing operations. The attack mechanism common to both tools involves tricking victims into approving malicious smart contracts, which then grant the attacker permission to transfer cryptocurrency and tokens from the victim's wallet without requiring private key theft. Once approval is granted, the drainer contracts execute transfers automatically.","heading":"Drainer Tools: Inferno Drainer and Vanilla Drainer","severity":"critical","sources":[{"credibility":1,"name":"Malicious Google Ads Targeting Crypto — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"credibility":2,"name":"Fake Google Ads Target Uniswap Users in $400K Crypto Scam — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/fake-google-ads-target-uniswap-users-in-400k-crypto-scam/"}]},{"content":"According to SEAL's April 2026 report covering the March 13-30, 2026 window, Uniswap was the single most-targeted brand in the Google Ads phishing campaigns, accounting for 144 of 352 total blocked URLs (41% of the campaign). Other targeted protocols during the same period included Morpho Finance (110 sites, 31%), PancakeSwap (23 sites, 7%), Hyperliquid (17 sites, 5%), CoW Swap (17 sites, 5%), and smaller shares for Jupiter, Raydium, Ledger, Phantom, and LayerZero. The broader phishing infrastructure therefore extends beyond Uniswap, but Uniswap's brand was the dominant target. Uniswap founder Hayden Adams has publicly acknowledged years of ongoing phishing attempts against Uniswap users and, as of February 2026, criticized search platforms for failing to act decisively against scam ads.","heading":"Scope: Uniswap as Primary Target","severity":"high","sources":[{"credibility":1,"name":"Malicious Google Ads Targeting Crypto — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"credibility":2,"name":"Scammers steal over $400K through fake Uniswap ads on Google Search — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/scammers-steal-400k-fake-uniswap-google-ads/"}]},{"content":"The Security Alliance (SEAL), a Web3 cybersecurity non-profit, confirmed that malicious Google advertising campaigns increased sharply in March 2026. Between March 13 and March 30, 2026, SEAL blocked over 356 fraudulent advertisement URLs through the Eth-Phishing-Detect blocklist. SEAL noted that attackers monitor the blocklist in near-real-time: when SEAL blocks a URL, the attacker backend detects this immediately and relaunches the campaign with a fresh advertisement and new landing page URL. SEAL's report described ads as going live and finding their first victim within minutes of launch. Google suspended the compromised advertiser accounts identified in SEAL's report, including accounts belonging to Adolfo Ariel Castillo Vergara (84 campaigns), Apple Inc. (83 campaigns), and AD Taxi (69 campaigns), all of which had been hijacked by attackers to lend legitimacy to the fraudulent ads. SEAL formally advised all cryptocurrency users to avoid using Google Search to navigate to cryptocurrency applications and instead use bookmarked URLs or trusted aggregators such as DeFi Llama's search engine.","heading":"Security Alliance (SEAL) Response","severity":"high","sources":[{"credibility":1,"name":"Malicious Google Ads Targeting Crypto — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"credibility":2,"name":"Google Ad Scammers Drain Over $400K from Crypto Users — Blockonomi","type":"news_article","url":"https://blockonomi.com/google-ad-scammers-drain-over-400k-from-crypto-users-through-fake-uniswap-sites/"}]},{"content":"A separate but related incident cited in campaign coverage involves a single DeFi user who lost over $1.23 million in Uniswap V3 Position NFTs on July 21, 2025. The victim accessed a phishing website impersonating Uniswap and signed a malicious transaction containing code that automatically approved all further asset transfers. This granted attackers access to the victim's entire Uniswap V3 liquidity position, represented as NFTs. The incident predates the May 2026 public disclosure but illustrates the long-standing nature of the threat vector. Specific wallet addresses and transaction hashes for this incident were not disclosed in available sources. A separate May 2026 victim identified on social media as @ika_xbt, described as a Polymarket trader, was reported to have lost a mid-six-figure amount described as their entire net worth through a fake Uniswap Google ad. Protos reported reaching out to @ika_xbt for confirmation but had not received a response prior to publication.","heading":"Notable Victim: $1.23 Million Uniswap V3 Position NFT Theft","severity":"high","sources":[{"credibility":2,"name":"Investor Loses $1.23M in Uniswap V3 NFTs to Phishing Scam — Phemex News","type":"news_article","url":"https://phemex.com/news/article/investor-loses-123m-in-uniswap-v3-nfts-to-phishing-scam-16323"},{"credibility":2,"name":"DeFi user loses $1.2M on fake Uniswap site — Crypto.news","type":"news_article","url":"https://crypto.news/defi-loses-1-2m-fake-uniswap-site-phishing-scams-flood-google-ads/"},{"credibility":2,"name":"Fake Uniswap phishing ad on Google steals trader's life savings — Protos","type":"news_article","url":"https://protos.com/fake-uniswap-phishing-ad-on-google-steals-traders-life-savings/"}]},{"content":"Attackers allegedly exploit Google's ad platform in two ways: directly purchasing sponsored placements impersonating legitimate crypto protocols, and hijacking existing high-reputation Google advertiser accounts to publish malicious ads under trusted identities. The use of hijacked accounts (including one account attributed to Apple Inc.) allowed fraudulent ads to bypass Google's automated verification systems. Stacy Muur, founder of Green Dots Web3 marketing agency, stated publicly: 'The fact that Google has allowed this problem to persist for years while counterfeit links continue appearing above legitimate ones and users continue losing funds is absolutely unacceptable.' Google has not issued a public statement specifically addressing the May 2026 Uniswap campaign. Advertiser accounts identified in SEAL's March-April 2026 report were suspended by Google following the report's publication.","heading":"Google's Role and Advertiser Account Hijacking","severity":"medium","sources":[{"credibility":1,"name":"Malicious Google Ads Targeting Crypto — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"credibility":2,"name":"Google Ad Scammers Drain Over $400K from Crypto Users — Blockonomi","type":"news_article","url":"https://blockonomi.com/google-ad-scammers-drain-over-400k-from-crypto-users-through-fake-uniswap-sites/"}]},{"content":"Security researchers and analysts have issued the following recommendations in response to this campaign: (1) Do not use Google Search to navigate to DeFi protocols — use bookmarked URLs exclusively. (2) Verify the exact URL in the browser address bar before connecting a wallet or signing any transaction. (3) Avoid clicking Google sponsored (ad) results for any cryptocurrency application. (4) Revoke unused token approvals regularly using tools such as Revoke.cash. (5) Use trusted URL aggregators such as DeFi Llama's search engine as an alternative to Google Search for finding DeFi protocol addresses. The irreversibility of blockchain transactions means victims have no chargeback mechanism and cannot recover funds through customer service channels.","heading":"User Protection Guidance","severity":"medium","sources":[{"credibility":1,"name":"Malicious Google Ads Targeting Crypto — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"credibility":2,"name":"Fake Uniswap drainer $400K phishing — BeInCrypto","type":"news_article","url":"https://beincrypto.com/fake-uniswap-drainer-400k-phishing/"}]}],"sources_used":[{"credibility":1,"name":"Malicious Google Ads Targeting Crypto — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"credibility":2,"name":"Fake Google Ads Target Uniswap Users in $400K Crypto Scam — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/fake-google-ads-target-uniswap-users-in-400k-crypto-scam/"},{"credibility":2,"name":"Scammers make $400K through fake Uniswap ads on Google — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/scammers-make-400k-through-fake-uniswap-ads-on-google"},{"credibility":2,"name":"Fake Uniswap drainer $400K phishing — BeInCrypto","type":"news_article","url":"https://beincrypto.com/fake-uniswap-drainer-400k-phishing/"},{"credibility":2,"name":"Scammers steal over $400K through fake Uniswap ads on Google Search — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/scammers-steal-400k-fake-uniswap-google-ads/"},{"credibility":2,"name":"Google Ad Scammers Drain Over $400K from Crypto Users — Blockonomi","type":"news_article","url":"https://blockonomi.com/google-ad-scammers-drain-over-400k-from-crypto-users-through-fake-uniswap-sites/"},{"credibility":2,"name":"Fake Uniswap phishing ad on Google steals trader's life savings — Protos","type":"news_article","url":"https://protos.com/fake-uniswap-phishing-ad-on-google-steals-traders-life-savings/"},{"credibility":2,"name":"Investor Loses $1.23M in Uniswap V3 NFTs to Phishing Scam — Phemex News","type":"news_article","url":"https://phemex.com/news/article/investor-loses-123m-in-uniswap-v3-nfts-to-phishing-scam-16323"},{"credibility":2,"name":"DeFi user loses $1.2M on fake Uniswap site — Crypto.news","type":"news_article","url":"https://crypto.news/defi-loses-1-2m-fake-uniswap-site-phishing-scams-flood-google-ads/"}],"summary":"An active phishing campaign exploiting Google Search sponsored advertisements to impersonate the Uniswap decentralized exchange was publicly exposed on May 25, 2026, by on-chain analyst b_block_oficial. Attackers operating two identified Ethereum wallets have allegedly stolen over $400,000 from multiple victims by deploying wallet-drainer malware services (Inferno Drainer and Vanilla Drainer), which siphon assets after victims approve malicious smart contracts on cloned Uniswap interfaces. The Security Alliance (SEAL) has confirmed blocking 356+ related fraudulent advertisement URLs and describes the broader Google Ads phishing trend as active and ongoing for more than a year.","timeline":[{"date":"2025-07-21","event":"A single DeFi user loses over $1.23 million in Uniswap V3 Position NFTs after signing a malicious transaction on a phishing site promoted via Google Ads.","source":"Phemex News / Crypto.news","source_url":"https://phemex.com/news/article/investor-loses-123m-in-uniswap-v3-nfts-to-phishing-scam-16323"},{"date":"2026-02-01","event":"Uniswap founder Hayden Adams publicly acknowledges years of ongoing phishing attempts targeting Uniswap users and criticizes search platforms for inaction on scam ads.","source":"Crypto Briefing","source_url":"https://cryptobriefing.com/scammers-steal-400k-fake-uniswap-google-ads/"},{"date":"2026-03-01","event":"Google Search fraudulent site impersonating Uniswap reported ranking at top of search results; SEAL documents a sharp increase in malicious Google advertising campaigns targeting crypto.","source":"BeInCrypto / SEAL Radar","source_url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"date":"2026-03-13","event":"Start of SEAL's tracked window: malicious Google Ads campaign targeting Uniswap, Morpho Finance, PancakeSwap, and others begins intensive phase.","source":"Security Alliance (SEAL) Radar","source_url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"date":"2026-03-30","event":"End of SEAL's tracked window: 356+ fraudulent URLs blocked; $810,929 in confirmed tracked losses; estimated total $1,274,259 stolen across the campaign during this period.","source":"Security Alliance (SEAL) Radar","source_url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"date":"2026-04-21","event":"SEAL publishes detailed report on malicious Google Ads targeting crypto, naming Uniswap as the primary target (41% of 352 blocked URLs), identifying Inferno Drainer and Vanilla Drainer as the tools used, and documenting compromised advertiser accounts.","source":"Security Alliance (SEAL) Radar","source_url":"https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/"},{"date":"2026-05-25","event":"On-chain analyst b_block_oficial publicly exposes the active Uniswap Google Ad phishing campaign on X, identifying attacker wallets 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb and 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2 holding approximately 146 ETH (~$306,000).","source":"CryptoTimes / BeInCrypto","source_url":"https://www.cryptotimes.io/2026/05/26/fake-google-ads-target-uniswap-users-in-400k-crypto-scam/"},{"date":"2026-05-26","event":"Multiple crypto media outlets report on the campaign; total losses confirmed at over $400,000; SEAL's blocking of 356+ fraudulent ad URLs publicly noted; campaign described as active and ongoing.","source":"CoinTelegraph / CryptoTimes / BeInCrypto / Crypto Briefing","source_url":"https://cointelegraph.com/news/scammers-make-400k-through-fake-uniswap-ads-on-google"}]},"v":1}