A sophisticated phishing campaign leveraging paid search engine marketing has drained more than $400,000 from decentralized finance (DeFi) users by deploying counterfeit Google advertisements that impersonate the Uniswap protocol.
The operational architecture of the scam was first exposed by on-chain analyst b-block, who identified specific drainer addresses connected to the campaign. Blockchain data reveals that the primary exploiters currently hold a combined 146 ETH (valued at roughly $306,000) across two flagged core wallets, with the total financial damage across the wider network scaling past the $400,000 mark.
Stacy Muur, Founder of the Web3 marketing agency Green Dots, published definitive proof of the active exploit, calling out the search engine’s advertising infrastructure for long-standing consumer vulnerabilities: “It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained.”
The incident adds to growing concerns in the crypto community over repeated phishing campaigns targeting users through search engine advertising.
Google Ads become a growing crypto threat
Blockchain security firm Scam Sniffer has previously stated that recent phishing attacks did not rely on stolen private keys but on malicious smart contract approvals. In these cases, victims unknowingly signed transactions that granted attackers full access to their wallets. Once approved, attackers were able to transfer NFTs and other digital assets directly from affected accounts.
In one, separate reported case, a user lost more than $1.23 million in Uniswap V3 NFTs after interacting with a phishing website promoted through Google Ads. Researchers also noted that attackers increasingly use Punycode-style web addresses that closely resemble legitimate crypto domains, making fake sites harder to detect during casual browsing.
Analytics platform DeFiLlama said fake Google advertisements continue to play a role in crypto-related phishing activity. It said, “Fake ads on Google are a common source of phishing attacks.” The platform also pointed users to tools designed to verify legitimate crypto domains and reduce exposure to fraudulent websites.
SEAL tracks sophisticated drainer campaigns
The Security Alliance (SEAL), a leading Web3 cybersecurity non-profit group, recently confirmed malicious Google advertising campaigns increased sharply in March 2026. The group reported blocking more than 356 fraudulent advertisement URLs in recent weeks. It also warned that attackers continue to adjust tactics to evade Google’s automated detection systems.
SEAL said threat actors often use compromised advertiser accounts and cloaking methods to push fake crypto links. Researchers also found that some campaigns embed malicious code inside hidden iframes, which makes detection harder for automated tools. The group linked parts of the activity to services known as Inferno Drainer and Vanilla Drainer, which are widely used in phishing operations.
As phishing groups claim retail wallets via social engineering, DeFi protocol codebases face simultaneous infrastructure threats. In a distinct smart contract exploit on Monday, attackers exploited a vulnerability in WUSD.fi reward functions and drained about $200,000 from GLOVE liquidity pools on Ethereum.
Also Read: Australia’s ASIC Exposes Crypto Scams Flooding Social Media Feeds