DEV Community

qanzhi111

Fake Uniswap Google Ads Phishing - $400K+ Stolen

Fake Uniswap Google Ads Phishing Scam Investigation Report

Investigation Date: May 26, 2026

Incident Type: Google Ads Phishing Scam

Loss Amount: $400,000+

Attacker Wallets:

  • 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb
  • 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2

📋 Executive Summary

On May 25, 2026, on-chain analyst b_block discovered that attackers were purchasing Google sponsored advertisements to impersonate the official Uniswap website, luring users to connect their wallets and sign malicious transactions, thereby stealing user assets.

As of this report, the two attacker wallets collectively hold approximately 146 ETH (valued at approximately $306,000 at the time), with total losses exceeding $400,000.


πŸ” Attack Vector Analysis

Attack Flow

  1. Ad Placement: Attackers purchased sponsored ads for the "Uniswap" keyword on Google Search
  2. Phishing Website: Users clicking the ad are directed to a meticulously crafted phishing website with an interface nearly identical to the official site
  3. Malicious Authorization: When users connect their wallet and sign transactions, they are actually granting access permissions to a malicious contract
  4. Fund Transfer: The drainer contract automatically transfers user assets to wallets controlled by the attacker

Attack Tools

Security researchers identified that the phishing website utilized the AngelFerno drainer tool, a Phishing-as-a-Service (PhaaS) malware.

Attackers also employed the following techniques to evade detection:

  • Punycode URL: Utilizing Cyrillic characters to make phishing domains visually indistinguishable from legitimate domains
  • Hidden iframe: Loading malicious code while remaining invisible to Google's automated review systems
  • Traffic Redirection: Secretly routing all user network traffic to attacker-controlled servers
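
A defender-side check for the Punycode technique listed above, as an added example that is not part of the original report: it decodes xn-- labels, folds a small map of Cyrillic look-alikes onto Latin letters, and compares the result with an allowlist. The allowlist entry uniswap.org, the partial confusables map and the sample host are assumptions made for the illustration.

```python
import unicodedata

# Assumption: registrable domains the defender wants to protect.
PROTECTED = {"uniswap.org"}

# Constructed, partial map (Cyrillic -> Latin); the complete data set is
# Unicode's confusables.txt (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u051d": "w",
}

def to_unicode(host):
    """Decode xn-- (Punycode) labels so the real characters are visible."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(text):
    """Fold known confusable characters onto their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def classify(host):
    """Return 'protected', 'lookalike', 'mixed-script' or 'unrelated'."""
    decoded = to_unicode(host)
    # Simplification: last two labels, no public-suffix list.
    registrable = ".".join(decoded.split(".")[-2:])
    if registrable in PROTECTED:
        return "protected"
    if skeleton(registrable) in PROTECTED:
        return "lookalike"
    if any(len(scripts(label)) > 1 for label in decoded.split(".")):
        return "mixed-script"
    return "unrelated"

# Constructed sample: Cyrillic U+0456 in place of Latin "i", in xn-- form.
CONSTRUCTED_SAMPLE = "xn--" + "un\u0456swap".encode("punycode").decode("ascii") + ".org"

if __name__ == "__main__":
    for host in (CONSTRUCTED_SAMPLE, "app.uniswap.org", "example.com"):
        print(host, "->", classify(host))
```
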

Attacker Infrastructure

  • Phishing websites used trusted Google services (sites.google.com, docs.google.com) to bypass detection
  • Advanced infrastructure including Cloudflare Workers, Arweave hosting for payloads, and proxy layers
  • Capable of intercepting Ethereum RPC requests and monitoring user activity in real-time

📊 Fund Flow Analysis

| Wallet Address | Held Assets | Estimated Value |
| --- | --- | --- |
| 0x37925684...A49Bb | ~73 ETH + tokens | ~$153,000 |
| 0x2fC25F46c...c5E2 | ~73 ETH + tokens | ~$153,000 |
| Total | ~146 ETH | ~$306,000 |

⚠️ Systemic Risk Analysis

Google Ads Platform Responsibility

According to Security Alliance (SEAL) reports:

  • During March 2026, Google Ads phishing attacks stole approximately $1.27 million
  • SEAL blocks over 356 malicious Google ad links weekly
  • This attack pattern has persisted for over one year with no signs of slowing

Notable Victims

Uniswap founder Hayden Adams has publicly criticized Google's failure to effectively combat counterfeit advertisements:

"These scams are absolutely terrible, and we have been fighting them for years. Counterfeit scam apps impersonating our Uniswap keep appearing, despite our continuous applications to the Apple App Store, which took months to get approved."

FBI Data

According to the FBI's "2025 Internet Crime Report":

  • Cryptocurrency-related complaints: 181,565
  • Total losses: $11.36 billion (22% year-over-year increase)
  • Average loss per victim: $62,604

πŸ›‘οΈ Community Protection Recommendations

  1. Bookmark Verification: Manually bookmark DeFi platform URLs rather than relying on search
  2. Manual URL Entry: Directly type official domain names into the browser
  3. Verify Channels: Use trusted aggregators like DeFiLlama to verify protocol information
  4. Regular Revocation: Use revoke.cash to regularly clean up unnecessary token approvals
  5. Hardware Wallet: Use hardware wallets and carefully review each transaction
  6. Ad Blocking: Consider using ad-blocking plugins and anti-phishing browser extensions
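
What "carefully review each transaction" can look like in practice, as an added example that is not part of the original report: a decoder for the standard token approval calls that flags untrusted spenders and unlimited allowances before signing. The addresses are constructed placeholders and the trusted-spender list is an assumption.

```python
# Selectors of the standard approval calls (ERC-20 and ERC-721/1155).
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

# Constructed placeholder; in practice, the contracts the user means to use.
TRUSTED_SPENDERS = {"0x" + "11" * 20}

def review_calldata(data_hex, trusted=TRUSTED_SPENDERS):
    """Decode transaction calldata and list what a signer should notice."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    name = APPROVAL_SELECTORS.get(selector)
    if name is None or len(args) < 128:
        return {"call": None, "warnings": []}       # not an approval call
    spender = "0x" + args[24:64]                    # low 20 bytes of word 0
    value = int(args[64:128], 16)                   # amount or bool, word 1
    warnings = []
    if value == 0:                                  # zero = revocation
        return {"call": name, "spender": spender, "value": 0, "warnings": warnings}
    if spender not in trusted:
        warnings.append("spender is not a contract you chose to trust")
    if selector == "a22cb465":
        warnings.append("grants control of every token in the collection")
    elif value >= 2**255:
        warnings.append("effectively unlimited allowance")
    return {"call": name, "spender": spender, "value": value, "warnings": warnings}

def encode_call(selector, address, value):
    """Build constructed sample calldata for the checks below."""
    return "0x" + selector + address[2:].rjust(64, "0") + format(value, "064x")

# Constructed samples, not taken from the incident.
UNKNOWN = "0x" + "22" * 20
SAMPLE_RISKY = encode_call("095ea7b3", UNKNOWN, 2**256 - 1)
SAMPLE_OK = encode_call("095ea7b3", "0x" + "11" * 20, 1000)
SAMPLE_REVOKE = encode_call("095ea7b3", UNKNOWN, 0)

if __name__ == "__main__":
    for sample in (SAMPLE_RISKY, SAMPLE_OK, SAMPLE_REVOKE):
        print(review_calldata(sample))
```

The check covers on-chain approval transactions only; off-chain signature requests are not calldata and need separate review.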

πŸ“ Unique Analytical Perspective

This case reveals the contradiction between centralized platforms and decentralized finance:

  • DeFi protocols themselves are secure: Uniswap smart contracts have never been compromised
  • The problem lies at the entry point: Google search results have become accomplices for attackers
  • Irreversibility: Blockchain transactions cannot be reversed; once malicious transactions are signed, funds cannot be recovered

This differs fundamentally from traditional cybersecurity: users cannot "call customer service" or "request a refund," and can rely only on prevention rather than remediation.


📚 Data Sources


Investigator: Onchain Shadow

OPSEC Statement: This report is based on publicly available on-chain data and media reports, all information sourced from publicly available sources.

Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.

