Headline: Fake Google Ads Funnel Crypto Users to Phishing Uniswap Clones — Attackers Have Pulled in at Least $400K

Summary

Security researchers say an ongoing phishing campaign has been weaponizing Google’s ad platform for more than a year to steer unsuspecting crypto users to counterfeit Uniswap sites that drain wallets. The campaign has accelerated at times — SEAL reports a spike in March — and researchers traced at least ~$400,000 to attacker-controlled wallets in the latest round of thefts.

What happened

- Attackers buy or hijack Google Ads accounts and place sponsored links that appear above the legitimate Uniswap result in Google search ads. They often outbid the real protocol to secure top placement.
- The malicious ads use URLs that look legitimate, while a hidden secondary element loads the real payload. That stealthy delivery appears to evade Google’s automated ad review systems.
- Users who click the ad are taken to convincing replicas of the Uniswap interface. Behind the scenes, network activity is routed through attacker-controlled servers so the victim’s wallet approvals and transactions can be intercepted and drained.

On-chain evidence and scale

- On-chain analyst “b-block” raised the alarm on May 25, 2026 after tracing thefts to attacker wallets. At the time of reporting two flagged addresses held a combined 146 ETH (~$306,000):
    0x37925684BA178821b4436E06e67f5dBD6cfA49Bb
    0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2
  The total haul tied to the campaign is estimated at a minimum of ~$400,000.
- Nonprofit Security Alliance (SEAL) has been tracking this pattern for over a year. SEAL observed a sharp surge in activity in mid-March, reporting $1.27 million stolen between March 13–30. The group says it blocks hundreds of malicious ad links regularly — more than 356 in a week — and that the volume of attacks has been sustained.

Community reaction

- Web3 marketer Stacy Muur shared screenshots of fake sponsored results and criticized Google for allowing the ads to run above authentic links for years, while users continue to lose funds.
- DeFiLlama and other crypto platforms have also called out Google Ads as a recurring source of phishing in the ecosystem.

Wider context

- This Uniswap-targeted campaign is part of a broader trend of threat actors abusing ad platforms and even shared AI chat links to distribute malware and phishing lures. In early May, similar abuse of Google Ads and AI tools was used to push Mac-targeting malware, and Facebook has seen fake paid ads impersonating Microsoft that redirect users to credential-stealing fake Windows downloads.

Takeaways and safety tips for users

- Don’t rely on sponsored search results as the authoritative source for DEX or contract pages. Always:
  - Bookmark official DEX pages and access them from your bookmarks.
  - Verify domain names carefully (look for subtle typos or extra characters).
  - Use trusted links from project websites, verified social channels, or ENS records where applicable.
- Never paste your seed phrase/private key into a website; legitimate dApps never ask for this.
- Use hardware wallets for large transactions and review transaction permission scopes before approving.
- Revoke suspicious approvals (via Etherscan, Revoke.cash or similar) if you believe you interacted with a fake site.

What’s next

SEAL says reports from victims continue to come in and the campaign shows no sign of slowing. The incident is another reminder that attackers will misuse mainstream ad systems to bypass casual vetting and reach crypto users — vigilance and habit changes (bookmarks, hardware wallets, careful URL checks) remain the best immediate defenses.
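The domain check recommended in the safety tips above ("look for subtle typos or extra characters") can be automated against a personal allowlist. The sketch below is an added example, not part of the original article or any tool it names; the allowlist entry `uniswap.org`, the edit threshold and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the reader's own allowlist of bookmarked registrable domains.
TRUSTED = {"uniswap.org"}
MAX_EDITS = 2  # assumed threshold: this many typos or fewer counts as a near miss


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for the host a link would actually open."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "invalid", "no hostname in URL"
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted", f"{domain} is on the allowlist"
    # Conservative: any non-ASCII or punycode label is flagged, even if benign.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "lookalike", "internationalised label can hide homoglyphs"
    for good in TRUSTED:
        brand = good.split(".")[0]
        if brand in host:
            return "lookalike", f"'{brand}' appears in a host outside {good}"
        if edit_distance(domain, good) <= MAX_EDITS:
            return "lookalike", f"{domain} is a near miss of {good}"
    return "unknown", "not on the allowlist; open the bookmark instead"


if __name__ == "__main__":
    for sample in (  # constructed URLs, not taken from the campaign
        "https://app.uniswap.org/swap",
        "https://uniswap.org.app-launch.example/swap",
        "https://uniswaq.org/",
        "https://unisw\u0430p.org/",  # Cyrillic "a" in place of Latin "a"
    ):
        print(sample.encode("ascii", "backslashreplace").decode(), classify(sample))
```

The check parses the URL first, so it judges the hostname the browser would connect to rather than whatever text the ad displays.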
