Cybercriminals have exploited Google’s advertising platform once again, stealing more than $400,000 from crypto users through sophisticated phishing advertisements impersonating the popular decentralized exchange Uniswap.The campaign came to light on May 25, 2026, when on-chain investigator b_block_oficial identified attacker-controlled wallets receiving funds from drained victim wallets. Blockchain data revealed that two primary attacker wallets linked to the scam held approximately 146 ETH (worth around $306,000 at the time), along with additional tokens.
Two scammers have already stolen ~$400,000 from users through a phishing @Uniswap ad on Google.
It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained.
This is the first result that popped out… https://t.co/Ov488s9DIl pic.twitter.com/qStRGq8qTE
— Stacy Muur (@stacy_muur) May 25, 2026
The two identified attacker wallets are:
- 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb
- 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2
Web3 researcher and GREEND0TS founder Stacy Muur amplified the warning by sharing screenshots of the malicious advertisement appearing as the top sponsored result for “Uniswap” searches on Google. She noted that the fraudulent site closely replicated the official Uniswap interface.
Similar security concerns have also surfaced recently within the Uniswap ecosystem itself, after attackers reportedly exploited the Uniswap v4 Router04 contract in an on-chain attack that drained nearly $42,100 from affected users, further highlighting the growing risks surrounding DeFi platforms and wallet interactions.
How the Attack Worked
The scam followed a simple yet effective method:
- Users searching for “Uniswap” on Google saw a sponsored advertisement at the very top.
- Clicking the ad directed them to a professionally designed phishing website that mimicked the real Uniswap app.
- Once users connected their wallets and approved transactions, they unknowingly granted permission to malicious smart contracts.
- These drainer contracts quickly transferred cryptocurrencies and tokens from the victims’ wallets to the attackers’ addresses mentioned above.
Attackers reportedly used lookalike domains, hidden iframes, and other techniques to bypass Google’s automated ad reviews.
Part of a Larger, Ongoing Problem
This incident is not isolated. Fake Google Ads have become a persistent attack vector in the crypto space. Security Alliance (SEAL) reported a significant increase in such phishing campaigns in March 2026, during which attackers stole approximately $1.27 million in just a few weeks. The group has blocked over 356 malicious crypto-related Google Ads in recent months.Prominent voices in the crypto community, including Uniswap founder Hayden Adams, have previously criticized Google for its slow response in removing impersonating advertisements despite repeated reports.
Security Recommendations for Users
To protect themselves, crypto users should follow these precautions:
- Never click on sponsored Google Ads when searching for crypto platforms.
- Always access Uniswap and other DeFi sites by manually typing the official URL (app.uniswap.org) or using bookmarks.
- Verify links through official project channels or trusted aggregators like DeFiLlama.
- Use wallet simulators and carefully review transaction details before signing.
- Regularly revoke token approvals using tools like revoke.cash.
- Consider using ad blockers and phishing-protection browser extensions.
This latest scam serves as a reminder that while blockchain technology itself is secure, the biggest risks often come from centralized platforms like search engines and human error. Users must remain extremely vigilant when interacting with crypto applications.
