Key Takeaways
- Fake Google Ads impersonating Uniswap have stolen over $400K in crypto through phishing links placed above real search results.
- Attackers buy sponsored ads targeting Uniswap searches, pushing fake websites above official links to trick users into clicking.
- Victims are sent to cloned Uniswap interfaces that drain wallets once users connect and approve malicious transactions.
Crypto thieves have found a surprisingly simple way to steal from Uniswap users: buy a Google ad. A coordinated phishing campaign is running fake sponsored search results that look identical to Uniswap’s legitimate listings.
Users who click through land on convincing counterfeit trading interfaces that drain their wallets the moment they connect. No elaborate hacks, no exploited code. Just a polished fake and a paid placement at the top of a Google search.
On-chain analyst b-block and multiple blockchain security firms have been tracking the campaign. So far, at least $400,000 in crypto has been stolen, and the ads are still running.
How the Scam Operates
The mechanics are deceptively simple. Attackers purchase sponsored placements through Google’s advertising system, bidding on search terms tied to Uniswap so their fake listings appear above the real ones. To a casual user, the result looks identical to a legitimate link.
Clicking through lands users on a cloned trading interface built to mirror Uniswap’s design almost perfectly. From there, the site walks victims through what appears to be a standard wallet connection flow:
- Connect your wallet — lets the site see your assets.
- Approve a transaction — looks like a standard step.
- Sign the permissions — gives attackers full access.
That final signature hands attackers full control over the victim’s assets without ever needing their private keys. Once granted, the permissions can be used to drain a wallet silently and immediately.
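What the approval step can look like when it is inspected before signing, as an added example that is not from the original article. The article does not name the call the cloned sites request; this example assumes a standard ERC-20 `approve` or ERC-721/1155 `setApprovalForAll` transaction, and `KNOWN_SPENDERS`, `build_call` and the `UNLIMITED` threshold are hypothetical names and values chosen here.

```python
# Function selectors: first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155
}
# Hypothetical allowlist: spender contracts the user verified out of band.
KNOWN_SPENDERS = {"0x" + "11" * 20}
UNLIMITED = 2**255  # threshold chosen for this example

def build_call(selector, spender, value):
    """Construct sample calldata (test input only, not a transaction)."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(value, "064x")

def decode_approval(calldata_hex):
    """Return the decoded approval, or None if the call is something else."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    try:
        data = bytes.fromhex(raw)
    except ValueError:
        return None
    name = SELECTORS.get(data[:4].hex())
    if name is None or len(data) != 68 or any(data[4:16]):
        return None  # wrong function, wrong length, or dirty address padding
    return {"function": name,
            "spender": "0x" + data[16:36].hex(),
            "value": int.from_bytes(data[36:68], "big")}

def review(calldata_hex):
    """List the reasons a user should stop before signing this call."""
    call = decode_approval(calldata_hex)
    if call is None:
        return []
    reasons = []
    if call["spender"] not in KNOWN_SPENDERS:
        reasons.append("spender is not an allowlisted contract")
    if call["function"].startswith("setApprovalForAll"):
        if call["value"]:
            reasons.append("operator can move every token in the collection")
    elif call["value"] >= UNLIMITED:
        reasons.append("allowance is effectively unlimited")
    return reasons
```

An empty list from `review` means only that none of these checks fired, not that the call is safe.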
Staying hidden is just as deliberate as the theft itself. Security researchers found that many of these sites use cloaking techniques specifically to fool Google’s automated ad review systems:
- Hidden scripts that conceal malicious behavior during automated scans.
- Iframe-based payload delivery that only activates once a real user lands on the page.
Stacy Muur, founder of Web3 marketing agency Green Dots, was among the first to surface the campaign publicly, sharing a screenshot of one of the fraudulent sponsored results appearing live on Google Search alongside a warning about the ongoing thefts. The result is a scam that looks clean to Google’s reviewers and is devastating to everyone else.
What On-chain Analysis Revealed
The money trail tells a clear story. On-chain analyst b-block traced the campaign to multiple wallet addresses linked to the operation, which collectively held at least 146 ETH, roughly $306,000 at the time of tracking. Total confirmed losses across victims have crossed $400,000.
Every case followed the same pattern: users interacted with a fake Uniswap interface promoted through a sponsored Google ad, signed the malicious permissions, and lost their funds shortly after.
Google Search Ads As the Attack Surface
The campaign does not rely on breaking into Uniswap’s systems. It exploits something far more accessible: Google’s own ad auction.
Attackers secure top placement in search results through a combination of tactics:
- Purchasing sponsored slots directly — bidding on Uniswap-related search terms to push fake listings to the top.
- Outbidding legitimate platforms — pricing out real crypto projects from their own branded search results.
- Hijacking existing advertiser accounts — using compromised accounts to run malicious listings with established ad history.
The end result is the same: a phishing link sitting above the real Uniswap page, indistinguishable to most users at a glance.
That position matters because users searching for a trading platform are ready to act. The attackers are not just mimicking Uniswap; they are intercepting users at the exact moment of intent. DeFi security groups warn this is part of a broader malvertising trend, with attackers rotating targets across multiple crypto protocols faster than ad review systems can respond.
Surge in Phishing Activity Since March
The Uniswap campaign is part of a much larger wave. According to the Security Alliance (SEAL), phishing attacks tied to Google Search ads have escalated sharply since March 2026, with the group identifying over 356 malicious ad links in a short period and combined losses from related campaigns reaching $1.27 million.
Keeping up with takedowns has proven difficult. Attackers continuously rotate domains the moment existing ones are flagged, making persistent removal nearly impossible through conventional review processes.
The deception methods have also grown more sophisticated:
- Punycode-style domains that visually mimic legitimate URLs at a glance.
- Hidden scripts that stay dormant during automated scans and only activate once a real user lands on the page.
- Cloned interfaces built to be indistinguishable from real DeFi platforms.
Taken together, the picture is of an operation that is actively adapting, exploiting gaps in ad review systems while the tools used to catch them struggle to keep pace.
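One way to run the URL check against the Punycode-style domains listed above, as an added example that is not from the original article. The `OFFICIAL` allowlist, the small homoglyph table and the `SAMPLE_ACE` hostname are assumptions constructed for illustration, and the last-two-labels domain split is naive (no public suffix list).

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: registrable domains the user has verified out of band.
OFFICIAL = {"uniswap.org"}
# Small constructed homoglyph table (not the full Unicode confusables data).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0131": "i", "\u051d": "w", "\u0578": "n",
})
# Constructed sample: "uniswap" with Cyrillic U+0430 for "a", in xn-- form.
SAMPLE_ACE = "xn--" + "unisw\u0430p".encode("punycode").decode("ascii") + ".org"

def to_unicode(host):
    """Decode every xn-- label of a hostname to Unicode."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw form
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Fold a hostname to the ASCII string a reader would perceive."""
    chars = unicodedata.normalize("NFKD", host)
    return "".join(c for c in chars if not unicodedata.combining(c)).translate(HOMOGLYPHS)

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a destination URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    skel = skeleton(to_unicode(host))
    registrable = ".".join(skel.split(".")[-2:])  # naive, no public suffix list
    if any(d in skel or edit_distance(registrable, d) <= 1 for d in OFFICIAL):
        return "lookalike"
    return "unrelated"
```

`classify("https://" + SAMPLE_ACE + "/swap")` returns `"lookalike"`: the hostname is pure ASCII on the wire but decodes to a string that folds to `uniswap.org`.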
Why Crypto Users Are Being Targeted
Crypto users are not being targeted by accident. Decentralized finance platforms carry a specific set of characteristics that make their users unusually vulnerable to this kind of attack.
- Transactions are irreversible – once a user signs and funds leave, there is no recourse, no chargeback, and no authority to appeal to.
- Wallet approvals grant broad access – a single signed permission can expose an entire wallet, not just the assets involved in one transaction.
- Users move fast – DeFi interactions often happen under self-imposed time pressure, with less scrutiny on each step.
- Google is the front door – for many users, a search engine is how they navigate to platforms every single time, making a convincing fake ad an effective ambush.
Each of these factors would be manageable on its own. Together, they create conditions that phishing operators are clearly aware of and deliberately exploit.
Final Thoughts
The most dangerous moment in crypto is often the most ordinary one. A quick Google search, a familiar-looking page, a routine permission request, and the funds are gone. Until Google meaningfully tightens how crypto ads are reviewed, users are the last line of defense. Bookmark platforms directly, always verify the URL before connecting a wallet, and never approve permissions without knowing exactly what you are signing.
Frequently Asked Questions
What is the Uniswap Google Ads phishing scam?
The Uniswap Google Ads phishing scam is a cyberattack where scammers buy sponsored Google search ads that impersonate Uniswap, leading users to fake websites designed to steal crypto funds.
How do fake Uniswap ads steal cryptocurrency?
Victims click on sponsored ads that lead to cloned Uniswap sites. When they connect their wallet and approve transactions, attackers gain permission to drain their assets instantly.
How much money has been stolen from this Google Ads crypto scam?
Reports from on-chain analysts indicate that over $400,000 in cryptocurrency has already been stolen through fake Uniswap Google Ads phishing campaigns.
Why are fake Uniswap ads appearing above real results?
Scammers use Google’s advertising system to purchase sponsored placements, allowing malicious links to rank above legitimate Uniswap pages in search results.
Can stolen crypto from these scams be recovered?
In most cases, no. Blockchain transactions are irreversible, meaning once funds are transferred, they cannot be reversed or recovered through normal channels.