Fake Google Ads Targeting Uniswap Users Steal $400K, Analysts Warn

Nidhi Saini
Published: May 26, 2026

Summary:

  • Blockchain analysts have flagged a phishing campaign impersonating Uniswap through Google Search ads.
  • Attackers have reportedly stolen at least $400,000 from crypto users so far.
  • The scam works by placing malicious sponsored links above legitimate search results.
  • Security researchers say this tactic has remained active for more than a year, with hundreds of fake ad links detected.
  • Analysts are urging crypto users to avoid clicking sponsored links and to verify website domains manually before connecting wallets.
  • The incident adds to growing criticism of Google's failure to stop recurring crypto phishing campaigns.

 

https://x.com/i/status/2059003963446345776 

https://radar.securityalliance.org/malicious-google-ads-targeting-crypto/ 

Crypto phishing scams are nothing new. But what makes this latest case troubling is how familiar the attack path looks. Users were not tricked through suspicious direct messages or obscure scam websites buried deep in forums. They were simply searching for Uniswap on Google, clicking what looked like the top result, and unknowingly handing over access to their wallets. According to blockchain analyst b-block, attackers are currently operating a phishing website impersonating Uniswap that has already drained funds from multiple victims. He wrote:

"A website impersonating Uniswap is draining funds from multiple wallets. The scammers are currently holding at least ~$400,000."

That estimate appears to be supported by on-chain wallet activity. Two flagged addresses linked to the operation were collectively holding 146 ETH, worth roughly $306,000 at the time of reporting, according to blockchain tracking data on Etherscan. Analysts believe additional stolen funds may already have been moved or swapped through other addresses. The mechanics of the scam are simple, which is exactly why it works. Attackers create websites that closely mirror Uniswap's official interface. They then purchase Google ads or compromise legitimate advertiser accounts to push those fake links into premium "Sponsored" positions at the top of search results. For many users, especially newer crypto participants, those sponsored placements appear trustworthy. Once a wallet is connected and permissions are approved, the drain begins. That combination of polished presentation and technical simplicity has made phishing ads one of the most effective scams in crypto. And according to researchers tracking these campaigns, they are not slowing down.


According to security researchers, Google has ignored the problem for years. The latest warnings gained wider attention after Stacy Muur, founder of Web3 marketing agency Green Dots, publicly criticized Google for allowing fake crypto ads to repeatedly outrank legitimate protocol websites. She shared a screenshot showing a sponsored phishing result appearing directly above the real Uniswap link in Google Search. She wrote on X:

"Two scammers have already stolen ~$400,000 from users through a phishing @Uniswap ad on Google. It's insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained. This is the first result that popped out to me today."

That frustration is shared by many across crypto security circles. The issue has been repeating for years across major crypto protocols including wallet providers, decentralized exchanges, bridge services, and NFT marketplaces. The nonprofit security group Security Alliance (SEAL) documented a sharp rise in these attacks earlier this year. In an April report, SEAL said it observed a "significant uptick" in phishing activity across Google Search during March. Researchers explained that attackers either directly purchase ads through Google's systems or compromise verified advertiser accounts to bypass stricter scrutiny. Because these malicious advertisers often aggressively outbid legitimate crypto projects, their links frequently appear first.

That placement matters because search behavior is predictable. Many users instinctively click the first visible result, especially when it appears sponsored by a trusted platform. SEAL reported blocking more than 356 malicious ad links, calling that number representative of a steady weekly flow of crypto phishing campaigns that has persisted for over a year. The organization added:

"The campaign is not slowing down, and we are receiving more reports from affected users."

The phishing infrastructure itself keeps evolving faster than platform moderation systems can react. Fake domains rotate quickly. Ad copy changes slightly to avoid detection. Compromised accounts create layers of legitimacy that make automated enforcement difficult.

Why Crypto Users Are Still Easy Targets

The technical side of these scams often sounds sophisticated, but the human side is surprisingly ordinary. Crypto users are frequently in a hurry. They search quickly, click quickly, and approve wallet requests quickly. Security researchers say one of the simplest protections remains one of the least followed: never trust search results for wallet connections. Instead, manually type official URLs or use trusted bookmarks. This is precisely the gap products like LlamaSearch aim to address. DeFiLlama recently highlighted its own search solution as a response to the ongoing ad phishing problem. The team said:

"Fake ads on Google are a common source of phishing attacks. We built LlamaSearch to solve exactly this. It has thousands of vetted crypto domains."

More projects are recognizing that user education alone is not enough. The interfaces people rely on to discover crypto products must also become safer by design. That means stronger browser protections, better ad verification systems, clearer wallet warnings, and faster takedown responses from major search engines. Until that happens, phishing campaigns like this will remain profitable, and in crypto, one careless click can still cost everything.
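
The domain check that analysts recommend before connecting a wallet can be automated against a pinned list of vetted domains. The sketch below is an added example, not code from the article, SEAL, or DeFiLlama; the allowlist entry `uniswap.org` and the function names are assumptions for illustration, and the allowlist should be filled from bookmarks verified through a project's own channels.

```javascript
// Added example: vet a link's hostname against a pinned allowlist before a wallet connects.
// ALLOWLIST is an illustrative assumption; populate it from domains you verified yourself.
const ALLOWLIST = ["uniswap.org"];

// Levenshtein edit distance, used to spot near-miss spellings of a vetted name.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Returns { verdict: "allow" | "block" | "unknown", reason }.
function classifyLink(rawUrl, allowlist = ALLOWLIST) {
  let url;
  try { url = new URL(rawUrl); } catch { return { verdict: "block", reason: "unparseable URL" }; }
  if (url.protocol !== "https:") return { verdict: "block", reason: "not https" };
  if (url.username || url.password) return { verdict: "block", reason: "userinfo in URL" };
  const host = url.hostname.replace(/\.$/, "");
  // Only an exact match or a true subdomain of a vetted domain is allowed.
  for (const good of allowlist) {
    if (host === good || host.endsWith("." + good)) return { verdict: "allow", reason: `matches ${good}` };
  }
  const labels = host.split(".");
  // The URL parser converts non-ASCII hostnames to punycode, so homoglyph names show up as xn-- labels.
  if (labels.some((l) => l.startsWith("xn--"))) return { verdict: "block", reason: "punycode (IDN) label" };
  for (const good of allowlist) {
    const brand = good.split(".")[0];
    if (host.includes(good)) return { verdict: "block", reason: `${good} embedded in another domain` };
    if (labels.some((l) => l.includes(brand))) return { verdict: "block", reason: `brand "${brand}" in unvetted domain` };
    if (labels.some((l) => editDistance(l, brand) <= 2)) return { verdict: "block", reason: `near-miss spelling of "${brand}"` };
  }
  return { verdict: "unknown", reason: "not on allowlist" };
}
```

An `unknown` verdict means the domain is neither vetted nor an obvious lookalike, and it should be treated as untrusted for wallet connections until verified.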
