Cybercriminals have started exploiting Google’s advertising platform to deceive cryptocurrency holders, with the aim of stealing their assets. These attackers create misleading advertisements that mimic legitimate crypto application links. When users click on these ads, they are redirected to malicious sites designed to either drain their wallets or trick them into revealing their recovery phrases.
Rise in Malicious Ad Campaigns
The strategy of using fake ads is not novel, but it has significantly escalated in 2026. March saw a peak in such activities, with threat actors consistently deploying fraudulent ads weekly for over a year. These campaigns have specifically targeted popular platforms like Uniswap, PancakeSwap, Morpho Finance, Hyperliquid, CoW Swap, and the hardware wallet brand Ledger.
The scale and persistence of these operations suggest a highly organized group behind them, showing no signs of abating. Analysts at SecurityAlliance (SEAL) have been tracking multiple threat actors associated with these campaigns.
Methods of Attack
Researchers have identified three primary types of malicious payloads used by attackers: wallet drainers, seed phrase stealers, and fake browser extensions. Wallet drainers use in-browser JavaScript to get victims to authorize harmful transactions, while seed phrase stealers present a counterfeit website prompting users to input their recovery phrases. Fake browser extensions are distributed via links to the Chrome Web Store.
Within weeks, SEAL managed to block over 356 malicious advertisement URLs, although this figure likely represents just a fraction of the total. The financial impact is substantial, with at least $1,274,259 stolen between March 13 and March 30, 2026, and $810,929 directly attributable to known attacks. A single incident in early March accounted for $385,000 in losses.
Brand Impersonation and Defense Strategies
Uniswap was the most impersonated brand, accounting for 41% of detected malicious sites, followed by Morpho Finance at 31%. The attack’s infrastructure involves a complex delivery mechanism that obscures the threat from Google’s detection systems. Ads initially link to seemingly safe Google-owned domains, allowing them to pass initial reviews.
Malicious content is loaded separately via hidden iframes, using fingerprinting and cloaking scripts to differentiate between researchers and real users. Non-targeted visitors are redirected to benign pages, while real users encounter cloned application interfaces. A man-in-the-middle proxy layer intercepts and reroutes network traffic, giving attackers access to wallet balances and transaction activities.
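A defender-side check for the delivery pattern described above, added here as an example and not code from SEAL or Google: it parses the HTML of an ad landing page and flags iframes that are hidden and load content from a registrable domain other than the page's own. The page URL, the lookalike hostname and the HTML are constructed, and the registrable-domain helper is a deliberate simplification (last two labels).

```python
"""Flag landing pages that embed hidden, cross-origin iframes."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments commonly used to keep an iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """True if the iframe is styled away, 1x1 or smaller, or has `hidden`."""
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    try:
        if int(attrs.get("width", 2)) <= 1 and int(attrs.get("height", 2)) <= 1:
            return True
    except ValueError:  # e.g. width="100%"
        pass
    return "hidden" in attrs


def registrable(host):
    """Simplified registrable domain: the last two DNS labels (assumption)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_iframes(page_url, html):
    """Return src URLs of hidden iframes whose domain differs from the page's."""
    collector = IframeCollector()
    collector.feed(html)
    page_domain = registrable(urlparse(page_url).hostname or "")
    findings = []
    for frame in collector.iframes:
        src = frame.get("src") or ""
        host = urlparse(src).hostname
        if host and registrable(host) != page_domain and is_hidden(frame):
            findings.append(src)
    return findings


# Constructed sample: a page on a benign host that quietly embeds a lookalike.
SAMPLE_URL = "https://pages.benign-host.test/landing"
SAMPLE_HTML = (
    '<iframe src="https://pages.benign-host.test/help" width="600"></iframe>'
    '<iframe src="https://app-uniswap-claim.example/" style="display:none"></iframe>'
)
```

Running `suspicious_iframes(SAMPLE_URL, SAMPLE_HTML)` on the constructed sample returns only the hidden cross-origin frame; the visible same-origin frame is ignored.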
SEAL advises cryptocurrency users to avoid using Google Search for accessing crypto applications. Instead, users should bookmark trusted URLs and use them directly. Cryptocurrency-specific indexing tools like search.defillama.com can verify the authenticity of sites before connecting a wallet. Organizations should enforce strict policies on direct URL access and remain wary of search results, including sponsored links.
Google has suspended all advertiser accounts implicated in this report, but perpetrators continue to create new accounts rapidly. Users are urged to stay vigilant and rely solely on bookmarked links for the best protection.