Verify a decision

{"actor":"system:backfill","investigation_id":"693196ec-705e-492f-a85f-567c036bc4f2","kind":"publish","page_slug":"fake-uniswap-v4-airdrop-phishing-network-2026","published_at":"2026-06-07T23:30:05.460Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fake Uniswap V4 Airdrop Phishing Network (2026)","sections":[{"content":"The Fake Uniswap V4 Airdrop Phishing Network is a term used to describe a sustained, distributed criminal campaign exploiting public excitement around the Uniswap V4 protocol launch. Uniswap, the largest decentralized exchange by volume, has been the most impersonated brand in DeFi phishing: the Security Alliance (SEAL) identified Uniswap as accounting for approximately 41% of all malicious phishing sites targeting DeFi users in their October 2025 State of Drainers report, followed by Morpho Finance at 31%. Threat actors time campaigns to coincide with genuine Uniswap protocol announcements to exploit user anticipation. Uniswap Labs has issued official warnings stating it does not conduct unsolicited airdrops and that any claim requiring wallet approval from an unexpected source should be treated as a scam.","heading":"Overview and Background","severity":"critical","sources":[{"credibility":2,"name":"Security Alliance: The State of Drainers Vol. 1","type":"research","url":"https://radar.securityalliance.org/2025-10-drainers-vol-1/"},{"credibility":1,"name":"Uniswap Labs: Airdropped NFT or Token Scams (official support page)","type":"official","url":"https://support.uniswap.org/hc/en-us/articles/17523020772365-Airdropped-NFT-or-Token-scams"},{"credibility":1,"name":"Uniswap Labs: Malicious NFT Contract Scams (official support page)","type":"official","url":"https://support.uniswap.org/hc/en-us/articles/17523009693197-Malicious-NFT-contract-scams"}]},{"content":"The core exploitation technique is approval phishing. Victims are directed to phishing sites that mimic the Uniswap interface and are presented with a message claiming eligibility for a V4 launch airdrop. When a user attempts to check eligibility or claim the alleged airdrop, they are prompted to connect their wallet and sign a transaction. The signed transaction is not a routine DeFi interaction but a malicious approval — typically exploiting the ERC-20 'approve' or 'setApprovalForAll' (ERC-721/1155) functions — granting an attacker-controlled address unlimited spending rights over the victim's token holdings. Once approved, an automated bot detects the signed approval and drains the wallet within seconds, converting assets to ETH and routing funds through mixers such as Tornado Cash. The 2022 BleepingComputer-documented incident illustrates the mechanics precisely: attackers airdropped a fraudulent ERC-20 token to 73,399 UNI holders, used a masked 'setApprovalForAll' call disguised as a redemption step, and drained 7,574 ETH (approximately $8 million) to a single address, which was then moved to Tornado Cash. Chainalysis research estimates the broader approval-phishing technique has enabled at least $1 billion in losses since May 2021, with a revised figure of over $2.7 billion after additional illicit addresses were identified.","heading":"Attack Mechanics: Approval Phishing via Fake Airdrops","severity":"critical","sources":[{"credibility":2,"name":"BleepingComputer: $8 million stolen in large-scale Uniswap airdrop phishing attack","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/8-million-stolen-in-large-scale-uniswap-airdrop-phishing-attack/"},{"credibility":2,"name":"Chainalysis: Crypto Crime — Targeted Approval Phishing Scams On the Rise","type":"research","url":"https://www.chainalysis.com/blog/approval-phishing-cryptocurrency-scams-2023/"},{"credibility":2,"name":"CryptoPotato: Chainalysis Reveals $1 Billion in Losses to Approval Phishing Since May 2021","type":"news_article","url":"https://cryptopotato.com/chainalysis-reveals-1-billion-in-losses-to-approval-phishing-since-may-2021-report/"},{"credibility":2,"name":"Protos: This Uniswap airdrop promised $2K — instead it stole $8M","type":"news_article","url":"https://protos.com/this-uniswap-airdrop-promised-2k-instead-it-stole-8m/"}]},{"content":"The phishing network operates primarily through drainer-as-a-service (DaaS) toolkits that lower the technical barrier for affiliate actors. Named families active in Uniswap impersonation campaigns include Inferno Drainer, Vanilla Drainer, and AngelFerno. Inferno Drainer, despite an announced shutdown in November 2023, was found by Check Point Research to have remained fully operational through 2025, with smart contracts deployed in September 2023 still active and more than 30,000 new victim wallets identified between September 2024 and March 2025. Inferno Drainer previously impersonated Uniswap among over 100 other crypto brands, stealing over $80 million. The SEAL State of Drainers Vol. 1 (October 2025) documented four primary drainer families — Inferno, Rublevka, Eleven, and Vanilla — as providing automated phishing infrastructure to affiliates through a typical 80/20 revenue split (affiliate retains 80%). AngelFerno, identified by Protos and CoinGabbar in February–May 2026 incidents, is a scam-as-a-service script used specifically against DeFi users and has appeared across multiple domains on GitHub phishing blocklists. Scam Sniffer reported that wallet drainer malware collectively stole approximately $494 million from over 332,000 wallet addresses in 2024, a 67% year-over-year increase in total value stolen. Inferno Drainer's market share remained steady at 40–45% through much of 2024.","heading":"Drainer-as-a-Service Infrastructure","severity":"critical","sources":[{"credibility":2,"name":"Security Alliance: The State of Drainers Vol. 1","type":"research","url":"https://radar.securityalliance.org/2025-10-drainers-vol-1/"},{"credibility":2,"name":"Check Point Research: Inferno Drainer Reloaded — Deep Dive into the Return of the Most Sophisticated Crypto Drainer","type":"research","url":"https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/"},{"credibility":2,"name":"Infosecurity Magazine: Scammers Drain $500m from Crypto Wallets in a Year","type":"news_article","url":"https://www.infosecurity-magazine.com/news/scammers-drain-500m-crypto-wallets/"},{"credibility":2,"name":"SecurityWeek: Wallet Drainer Malware Used to Steal $500 Million in Cryptocurrency in 2024","type":"news_article","url":"https://www.securityweek.com/wallet-drainer-malware-used-to-steal-500-million-in-cryptocurrency-in-2024/"},{"credibility":2,"name":"Protos: Fake Uniswap phishing ad on Google steals trader's life savings","type":"news_article","url":"https://protos.com/fake-uniswap-phishing-ad-on-google-steals-traders-life-savings/"},{"credibility":2,"name":"Infosecurity Magazine: Inferno Drainer Spoofs Over 100 Crypto Brands to Steal $80m+","type":"news_article","url":"https://www.infosecurity-magazine.com/news/inferno-drainer-spoofs-100-crypto/"}]},{"content":"In February 2024, a threat actor posing as a Uniswap Foundation representative executed a social engineering campaign that successfully induced several prominent crypto news outlets to publish a fabricated press release claiming a $10 million UNI airdrop tied to the Uniswap V4 launch. The attacker used one-time-view messaging apps to limit forensic traceability, provided forged email screenshots to establish credibility, and embedded real Uniswap.org links initially — then swapped those links to redirect to a phishing site after the legitimate Uniswap announcement was made. The company behind the scam was reported by CryptoSlate as registered in the United Kingdom, though no further identification was confirmed. CryptoSlate declined coverage; other outlets published the piece. No financial losses from readers were confirmed in that specific February 2024 incident. A separate 2025 report noted that a clone of Uniswap V4 alleged to have tricked users into providing liquidity to fake pools with total alleged losses exceeding $12 million, though this figure appears in lower-credibility aggregator sources and has not been independently confirmed by a Tier 1 or Tier 2 source.","heading":"Social Engineering: Media Manipulation and V4 Brand Exploitation","severity":"high","sources":[{"credibility":2,"name":"CryptoSlate: Fake Uniswap $10 million airdrop reported as several prominent crypto media scammed","type":"news_article","url":"https://cryptoslate.com/fake-uniswap-10-million-airdrop-reported-as-several-prominent-crypto-media-scammed/"},{"credibility":2,"name":"CryptoTimes: Fake $10M Uniswap Airdrop Scam Targets Crypto Media","type":"news_article","url":"https://www.cryptotimes.io/2024/02/16/fake-10m-uniswap-airdrop-scam-tragets-crypto-media/"},{"credibility":2,"name":"CryptoNews: Crypto Media Houses Taken In By Fake $10M Uniswap Airdrop Scam","type":"news_article","url":"https://cryptonews.com/news/crypto-media-houses-taken-in-by-fake-10m-uniswap-airdrop-scam/"},{"credibility":2,"name":"DailyCoin: Scammers Launch Fraudulent Uniswap Airdrop Targeting DeFi Users","type":"news_article","url":"https://dailycoin.com/scam-uniswap-airdrop-targeting-defi-users-how-to-stay-safe/"}]},{"content":"A major vector for fake Uniswap V4 airdrop campaigns in 2025–2026 is fraudulent Google search advertisements. Attackers purchase sponsored listings that appear above legitimate Uniswap organic results. The Security Alliance (SEAL) documented that phishing campaigns running through malicious Google Ads stole more than $1.27 million between March 13 and 30, 2026 alone, and SEAL reported blocking 356 or more malicious ad URLs since March 2026. On May 25, 2026, on-chain analyst b-block publicly identified a campaign that had stolen at least $400,000; two attacker wallet addresses held approximately 146 ETH (around $306,000) at time of reporting, verified on Etherscan. On approximately February 20, 2026, a Polymarket trader identified on X as @ika_xbt lost a mid-six-figure sum described as their entire net worth after clicking a fraudulent Google Ad for Uniswap; the AngelFerno drainer was attributed to that attack. Uniswap's founder publicly stated, 'These scams are horrible, we've been fighting them for years,' and described the fraudulent ad ecosystem as 'the ad economy that needs to go.' To bypass Google's automated ad review, campaigns employ cloaking platforms. The Cloud Security Alliance documented '1Campaign,' a cloud-based cloaking tool maintained for over three years by an operator using the handle DuppyMeister, which filters visitor traffic in real time: security researchers, automated scanners, and cloud provider IP ranges receive a benign 'white page,' while identified victims receive the malicious phishing or drainer content. A related July 2025 incident saw a DeFi user lose $1.2 million through a nearly identical Uniswap Google Ad phishing scheme.","heading":"Paid Search Ad Exploitation and Cloaking","severity":"critical","sources":[{"credibility":2,"name":"CoinGabbar: Fake Uniswap Google Ads Steal $400K From Crypto Users","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/fake-uniswap-google-ads-400k-stolen-phishing-2026"},{"credibility":2,"name":"Protos: Fake Uniswap phishing ad on Google steals trader's life savings","type":"news_article","url":"https://protos.com/fake-uniswap-phishing-ad-on-google-steals-traders-life-savings/"},{"credibility":2,"name":"Cloud Security Alliance: 1Campaign — A New Cloaking Platform Helping Attackers Abuse Google Ads","type":"research","url":"https://cloudsecurityalliance.org/blog/2026/03/23/1campaign-a-new-cloaking-platform-helping-attackers-abuse-google-ads"},{"credibility":2,"name":"BEInCrypto: Fake Uniswap Site Drains $400,000 From Multiple Wallets, Investigator Warns","type":"news_article","url":"https://beincrypto.com/fake-uniswap-drainer-400k-phishing/"},{"credibility":2,"name":"GBHackers: Malicious Google Ads Hit Crypto Users With Wallet Drainers","type":"news_article","url":"https://gbhackers.com/google-ads-hit-crypto-users/"}]},{"content":"The phishing network employs multiple technical evasion layers documented by SEAL and Check Point Research. Domain spoofing uses Punycode/Cyrillic character substitution to create visually indistinguishable URLs (e.g., a Cyrillic 'a' replacing a Latin 'a' in 'uniswap'). Identified malicious domains include app.uniswapweb-launch[.]org and airdrop-uniswapp[.]com, served from IP 172.67.208.161 (Cloudflare). Phishing pages render near-pixel-perfect copies of the Uniswap interface and load token images from legitimate sources such as CoinGecko and Trust Wallet to reinforce authenticity. SEAL documented multi-level fetch chains that split malicious JavaScript across multiple trusted content delivery networks (cdpn.io, storage.googleapis.com, cdn.jsdelivr.net, GitHub) to evade static analysis. Inferno Drainer affiliates encrypt command-and-control server addresses using four layers of AES encryption and store the encrypted payload on the Binance Smart Chain, while backend servers run through Cloudflare Workers. Single-use and short-lived smart contracts are deployed to avoid wallet-level blacklists. Fingerprinting techniques block traffic from security vendor IP ranges, cloud providers (Microsoft, Google, Tencent), and research sandboxes in real time.","heading":"Technical Infrastructure and Evasion","severity":"high","sources":[{"credibility":2,"name":"Security Alliance: The State of Drainers Vol. 1","type":"research","url":"https://radar.securityalliance.org/2025-10-drainers-vol-1/"},{"credibility":2,"name":"Check Point Research: Inferno Drainer Reloaded","type":"research","url":"https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/"},{"credibility":3,"name":"PCRisk: Uniswap (UNI) Airdrop Scam — Removal and Recovery Steps","type":"other","url":"https://www.pcrisk.com/removal-guides/31640-uniswap-uni-airdrop-scam"},{"credibility":2,"name":"Cloud Security Alliance: 1Campaign Cloaking Platform","type":"research","url":"https://cloudsecurityalliance.org/blog/2026/03/23/1campaign-a-new-cloaking-platform-helping-attackers-abuse-google-ads"}]},{"content":"Verifiable loss figures attributable to Uniswap-brand airdrop phishing specifically include: the July 2022 attack ($8 million / 7,574 ETH from 73,399 targeted wallet holders); a July 2025 individual loss ($1.2 million via Uniswap Google Ad phishing); a February 2026 individual loss (mid-six figures via AngelFerno/Google Ad); and the May 2026 campaign ($400,000 confirmed, with SEAL attributing $1.27 million to the broader March 2026 Google Ads wave). The submission's claimed $500 million total is consistent with, but not directly traceable to, the Uniswap V4 airdrop network specifically. Scam Sniffer's January 2025 annual report attributed $494 million in wallet drainer losses across all DeFi impersonation phishing in 2024. Chainalysis estimated approval-phishing losses — the technique underpinning all fake-airdrop contract approval scams — at over $2.7 billion since May 2021 after revising an initial $1 billion estimate. The FBI's 2025 IC3 Annual Report recorded $11.4 billion in total cryptocurrency fraud losses in 2025, the highest figure since the IC3's founding, with phishing/spoofing as the most frequently reported crime type.","heading":"Financial Impact and Loss Attribution","severity":"high","sources":[{"credibility":2,"name":"SecurityWeek: Wallet Drainer Malware Used to Steal $500 Million in Cryptocurrency in 2024","type":"news_article","url":"https://www.securityweek.com/wallet-drainer-malware-used-to-steal-500-million-in-cryptocurrency-in-2024/"},{"credibility":2,"name":"Infosecurity Magazine: Scammers Drain $500m from Crypto Wallets in a Year","type":"news_article","url":"https://www.infosecurity-magazine.com/news/scammers-drain-500m-crypto-wallets/"},{"credibility":1,"name":"The Block: FBI says crypto-related fraud losses hit record $11.4 billion in 2025","type":"news_article","url":"https://www.theblock.co/post/397134/fbi-says-crypto-related-fraud-losses-hit-record-11-4-billion-in-2025-with-seniors-bearing-the-brunt"},{"credibility":1,"name":"FBI IC3 2025 Annual Report","type":"regulatory","url":"https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf"},{"credibility":2,"name":"Chainalysis: Crypto Crime — Targeted Approval Phishing Scams On the Rise","type":"research","url":"https://www.chainalysis.com/blog/approval-phishing-cryptocurrency-scams-2023/"},{"credibility":2,"name":"CoinGabbar: Fake Uniswap Google Ads Steal $400K From Crypto Users","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/fake-uniswap-google-ads-400k-stolen-phishing-2026"},{"credibility":2,"name":"BleepingComputer: $8 million stolen in large-scale Uniswap airdrop phishing attack","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/8-million-stolen-in-large-scale-uniswap-airdrop-phishing-attack/"}]},{"content":"No law enforcement action specifically naming a 'Fake Uniswap V4 Airdrop Phishing Network' has been publicly filed as of June 2026. The broader approval-phishing ecosystem has attracted regulatory attention: the FBI's IC3 Annual Reports for 2024 and 2025 identify crypto phishing and investment fraud as top loss categories. SEAL, a nonprofit crypto security organization, has coordinated blocking of 356 or more malicious Google Ad URLs since March 2026 and launched a Verifiable Phishing Reports technology in partnership with MetaMask, WalletConnect, Backpack, and Phantom. In February 2026, Meta filed lawsuits in Brazil, China, and Vietnam against advertisers using cloaking to bypass ad review and sent cease-and-desist letters to eight marketing consultants openly advertising cloaking services. Google has been publicly criticized by ZachXBT and Uniswap's founder for failing to adequately prevent fraudulent crypto ads from appearing above legitimate results. No SEC, CFTC, or DOJ action specific to this phishing network has been identified.","heading":"Regulatory and Law Enforcement Response","severity":"medium","sources":[{"credibility":1,"name":"FBI IC3 2025 Annual Report","type":"regulatory","url":"https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf"},{"credibility":1,"name":"The Block: FBI says crypto-related fraud losses hit record $11.4 billion in 2025","type":"news_article","url":"https://www.theblock.co/post/397134/fbi-says-crypto-related-fraud-losses-hit-record-11-4-billion-in-2025-with-seniors-bearing-the-brunt"},{"credibility":2,"name":"Security Alliance: SEAL Launches Global Real-Time Phishing Defense Network","type":"official","url":"https://www.securityalliance.org/news/2025-10-phishing-defense-network"},{"credibility":2,"name":"Protos: Fake Uniswap phishing ad on Google steals trader's life savings","type":"news_article","url":"https://protos.com/fake-uniswap-phishing-ad-on-google-steals-traders-life-savings/"}]},{"content":"Uniswap Labs has published official guidance stating the protocol does not conduct unsolicited airdrops and that any unexpected airdropped token directing users to an external claim site should be ignored and not interacted with. Users who have signed an unknown approval are advised to immediately use tools such as Revoke.cash to audit and revoke token approvals across all EVM networks. Additional protective measures endorsed by SEAL, Uniswap Labs, and security researchers include: never clicking sponsored search results for crypto platforms; bookmarking app.uniswap.org directly; verifying the exact URL character-by-character before connecting a wallet; rejecting any transaction that requests 'approve,' 'setApprovalForAll,' or 'permit' from an unfamiliar or airdrop-related site; and using wallet security tools such as Pocket Universe or Fire that simulate transactions before signing. SEAL's real-time phishing blocklists are integrated with MetaMask, WalletConnect, Backpack, and Phantom to provide in-wallet warnings for known malicious domains.","heading":"Victim Protection and Defensive Guidance","severity":"low","sources":[{"credibility":1,"name":"Uniswap Labs: Airdropped NFT or Token Scams","type":"official","url":"https://support.uniswap.org/hc/en-us/articles/17523020772365-Airdropped-NFT-or-Token-scams"},{"credibility":1,"name":"Uniswap Blog: Secure Your Wallet and Avoid Crypto Scams","type":"official","url":"https://blog.uniswap.org/secure-your-wallet-and-avoid-crypto-scams"},{"credibility":2,"name":"Security Alliance: SEAL Launches Global Real-Time Phishing Defense Network","type":"official","url":"https://www.securityalliance.org/news/2025-10-phishing-defense-network"},{"credibility":2,"name":"CoinGabbar: Fake Uniswap Google Ads Steal $400K From Crypto Users","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/fake-uniswap-google-ads-400k-stolen-phishing-2026"}]}],"sources_used":[{"credibility":2,"name":"Security Alliance: The State of Drainers Vol. 1 (October 2025)","type":"research","url":"https://radar.securityalliance.org/2025-10-drainers-vol-1/"},{"credibility":1,"name":"Uniswap Labs: Airdropped NFT or Token Scams","type":"official","url":"https://support.uniswap.org/hc/en-us/articles/17523020772365-Airdropped-NFT-or-Token-scams"},{"credibility":1,"name":"Uniswap Labs: Malicious NFT Contract Scams","type":"official","url":"https://support.uniswap.org/hc/en-us/articles/17523009693197-Malicious-NFT-contract-scams"},{"credibility":2,"name":"BleepingComputer: $8 million stolen in large-scale Uniswap airdrop phishing attack","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/8-million-stolen-in-large-scale-uniswap-airdrop-phishing-attack/"},{"credibility":2,"name":"Chainalysis: Targeted Approval Phishing Scams On the Rise","type":"research","url":"https://www.chainalysis.com/blog/approval-phishing-cryptocurrency-scams-2023/"},{"credibility":2,"name":"CryptoPotato: Chainalysis Reveals $1 Billion in Losses to Approval Phishing Since May 2021","type":"news_article","url":"https://cryptopotato.com/chainalysis-reveals-1-billion-in-losses-to-approval-phishing-since-may-2021-report/"},{"credibility":2,"name":"Protos: This Uniswap airdrop promised $2K — instead it stole $8M","type":"news_article","url":"https://protos.com/this-uniswap-airdrop-promised-2k-instead-it-stole-8m/"},{"credibility":2,"name":"Protos: Fake Uniswap phishing ad on Google steals trader's life savings","type":"news_article","url":"https://protos.com/fake-uniswap-phishing-ad-on-google-steals-traders-life-savings/"},{"credibility":2,"name":"Check Point Research: Inferno Drainer Reloaded","type":"research","url":"https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/"},{"credibility":2,"name":"Infosecurity Magazine: Scammers Drain $500m from Crypto Wallets in a Year","type":"news_article","url":"https://www.infosecurity-magazine.com/news/scammers-drain-500m-crypto-wallets/"},{"credibility":2,"name":"SecurityWeek: Wallet Drainer Malware Used to Steal $500 Million in Cryptocurrency in 2024","type":"news_article","url":"https://www.securityweek.com/wallet-drainer-malware-used-to-steal-500-million-in-cryptocurrency-in-2024/"},{"credibility":2,"name":"Infosecurity Magazine: Inferno Drainer Spoofs Over 100 Crypto Brands to Steal $80m+","type":"news_article","url":"https://www.infosecurity-magazine.com/news/inferno-drainer-spoofs-100-crypto/"},{"credibility":2,"name":"CryptoSlate: Fake Uniswap $10 million airdrop reported as several prominent crypto media scammed","type":"news_article","url":"https://cryptoslate.com/fake-uniswap-10-million-airdrop-reported-as-several-prominent-crypto-media-scammed/"},{"credibility":2,"name":"CryptoTimes: Fake $10M Uniswap Airdrop Scam Targets Crypto Media","type":"news_article","url":"https://www.cryptotimes.io/2024/02/16/fake-10m-uniswap-airdrop-scam-tragets-crypto-media/"},{"credibility":2,"name":"CoinGabbar: Fake Uniswap Google Ads Steal $400K From Crypto Users","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/fake-uniswap-google-ads-400k-stolen-phishing-2026"},{"credibility":2,"name":"BEInCrypto: Fake Uniswap Site Drains $400,000 From Multiple Wallets","type":"news_article","url":"https://beincrypto.com/fake-uniswap-drainer-400k-phishing/"},{"credibility":2,"name":"Cloud Security Alliance: 1Campaign Cloaking Platform","type":"research","url":"https://cloudsecurityalliance.org/blog/2026/03/23/1campaign-a-new-cloaking-platform-helping-attackers-abuse-google-ads"},{"credibility":1,"name":"FBI IC3 2025 Annual Report","type":"regulatory","url":"https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf"},{"credibility":1,"name":"The Block: FBI says crypto-related fraud losses hit record $11.4 billion in 2025","type":"news_article","url":"https://www.theblock.co/post/397134/fbi-says-crypto-related-fraud-losses-hit-record-11-4-billion-in-2025-with-seniors-bearing-the-brunt"},{"credibility":2,"name":"Security Alliance: SEAL Launches Global Real-Time Phishing Defense Network","type":"official","url":"https://www.securityalliance.org/news/2025-10-phishing-defense-network"},{"credibility":3,"name":"PCRisk: Uniswap (UNI) Airdrop Scam — Removal and Recovery Steps","type":"other","url":"https://www.pcrisk.com/removal-guides/31640-uniswap-uni-airdrop-scam"},{"credibility":2,"name":"GBHackers: Malicious Google Ads Hit Crypto Users With Wallet Drainers","type":"news_article","url":"https://gbhackers.com/google-ads-hit-crypto-users/"},{"credibility":1,"name":"Uniswap Blog: Secure Your Wallet and Avoid Crypto Scams","type":"official","url":"https://blog.uniswap.org/secure-your-wallet-and-avoid-crypto-scams"},{"credibility":2,"name":"CryptoNews: Crypto Media Houses Taken In By Fake $10M Uniswap Airdrop Scam","type":"news_article","url":"https://cryptonews.com/news/crypto-media-houses-taken-in-by-fake-10m-uniswap-airdrop-scam/"}],"summary":"A persistent, multi-actor phishing network that impersonates Uniswap — the most spoofed DeFi brand at 41% of all detected malicious DeFi sites per Security Alliance data — by promoting fraudulent V4 airdrop claims to lure victims into approving malicious smart contracts that drain ETH and ERC-20 tokens. The network spans fake Google Ads, compromised crypto media, Telegram channels, and social media, and employs industrial-scale drainer-as-a-service (DaaS) toolkits such as AngelFerno, Inferno Drainer, and Vanilla Drainer. Wallet drainer malware across all DeFi impersonation campaigns collectively stole approximately $494 million from over 332,000 addresses in 2024 alone, with the broader approval-phishing technique attributed to at least $2.7 billion in cumulative losses since 2021; the submitted $500M figure is consistent with the verified 2024 annual industry-wide total for wallet drainer malware but has not been independently attributed to this specific Uniswap V4 network by a Tier 1 source.","timeline":[{"date":"2022-07-11","event":"Attackers airdrop a fraudulent ERC-20 token to 73,399 Uniswap V3 LP holders, directing them to uniswaplp[.]com where a masked 'setApprovalForAll' call drains 7,574 ETH (~$8 million). Funds moved to Tornado Cash.","source":"BleepingComputer","source_url":"https://www.bleepingcomputer.com/news/security/8-million-stolen-in-large-scale-uniswap-airdrop-phishing-attack/"},{"date":"2023-11-01","event":"Inferno Drainer, a dominant DaaS platform used in Uniswap impersonation campaigns, announces shutdown after stealing over $80 million from more than 100 impersonated crypto brands. Subsequent research shows operations continued.","source":"Infosecurity Magazine","source_url":"https://www.infosecurity-magazine.com/news/inferno-drainer-spoofs-100-crypto/"},{"date":"2024-02-16","event":"A threat actor posing as a Uniswap Foundation representative tricks multiple crypto media outlets into publishing a fabricated $10 million UNI V4 launch airdrop announcement. Real Uniswap links are later swapped to redirect to a phishing site. No confirmed reader financial losses at time of reporting.","source":"CryptoSlate","source_url":"https://cryptoslate.com/fake-uniswap-10-million-airdrop-reported-as-several-prominent-crypto-media-scammed/"},{"date":"2024-01-01","event":"Wallet drainer malware collectively steals approximately $494 million from 332,000 addresses across all DeFi impersonation campaigns during 2024, a 67% year-over-year increase. Inferno Drainer holds 40-45% market share.","source":"SecurityWeek (citing Scam Sniffer)","source_url":"https://www.securityweek.com/wallet-drainer-malware-used-to-steal-500-million-in-cryptocurrency-in-2024/"},{"date":"2025-07-01","event":"A DeFi user loses approximately $1.2 million through a fraudulent Uniswap Google Ad in an incident described as nearly identical to the 2026 campaigns.","source":"Protos","source_url":"https://protos.com/fake-uniswap-phishing-ad-on-google-steals-traders-life-savings/"},{"date":"2025-10-01","event":"Security Alliance publishes State of Drainers Vol. 1, documenting that Uniswap accounts for 41% of all DeFi phishing sites and identifying Inferno, Rublevka, Eleven, and Vanilla Drainer as the primary DaaS families. SEAL simultaneously launches a global real-time phishing defense network with MetaMask, WalletConnect, Backpack, and Phantom.","source":"Security Alliance","source_url":"https://radar.securityalliance.org/2025-10-drainers-vol-1/"},{"date":"2026-02-20","event":"Polymarket trader @ika_xbt loses a mid-six-figure sum (described as their entire net worth) after clicking a fraudulent Google Ad for Uniswap. AngelFerno drainer toolkit attributed. Uniswap's founder publicly condemns the ad ecosystem.","source":"Protos","source_url":"https://protos.com/fake-uniswap-phishing-ad-on-google-steals-traders-life-savings/"},{"date":"2026-03-13","event":"SEAL begins tracking a wave of malicious Uniswap Google Ads; the campaign steals more than $1.27 million between March 13 and 30, 2026. SEAL blocks 356 or more malicious ad URLs.","source":"CoinGabbar","source_url":"https://www.coingabbar.com/en/crypto-currency-news/fake-uniswap-google-ads-400k-stolen-phishing-2026"},{"date":"2026-03-23","event":"Cloud Security Alliance publishes analysis of 1Campaign, a cloaking platform used to serve malicious crypto drainer pages through Google Ads while hiding content from reviewers. Platform operator identified by handle DuppyMeister; tool maintained for over three years.","source":"Cloud Security Alliance","source_url":"https://cloudsecurityalliance.org/blog/2026/03/23/1campaign-a-new-cloaking-platform-helping-attackers-abuse-google-ads"},{"date":"2026-05-25","event":"On-chain analyst b-block publicly warns that fake Uniswap Google Ads have stolen at least $400,000 from crypto users; two attacker wallet addresses hold 146 ETH (~$306,000) verified on Etherscan. ZachXBT and SEAL involved in response.","source":"CoinGabbar / BEInCrypto","source_url":"https://beincrypto.com/fake-uniswap-drainer-400k-phishing/"}]},"v":1}