Scammers use Google Ads to siphon off hundreds of thousands of dollars from fake crypto wallets

Phishing scams in my Google results? It’s more likely than you think

An illustrated Dogecoin surrounded by warning signs.
Illustration by Maria Chimishkyan

The crypto world is full of dangers, with scammers lying in wait for newbies and novices. A recent report from security outfit Check Point Research highlights a potent form of attack: using Google Ads to direct users to fake crypto wallets. In its report, CPR said it has seen roughly half a million dollars siphoned off through these methods in just the last few days.

Here’s how the scam works. An attacker buys Google Ads in response to searches for popular crypto wallets (that’s the software used to store cryptocurrency, NFTs, and the like). CPR says it’s noticed scams targeting Phantom and MetaMask wallets, which are the most popular wallets for the Solana and Ethereum ecosystems.

The scam is a fairly typical phishing attack

When an unsuspecting user Googles “phantom,” the Google Ad result (which appears above actual search results) directs them to a phishing website that looks like the real thing. Then, one of two things happens: either the user enters their credentials, which the attacker keeps, or, much weirder, if they try to create a new wallet, they’re told to use a recovery password that actually logs them into a wallet controlled by the attacker, not their own. “This means if they transfer any funds, the attacker will get that immediately,” says CPR.

The attackers use fake URLs to trick users into thinking they’re logging into their crypto wallets.
Image: CPR
As with other phishing scams, the fake sites are designed to look as similar as possible to the real ones.
Image: CPR

As with phishing scams more generally, the attackers rely on making their fake log-in pages look as much as possible like the real thing. CPR notes that they’ve seen attackers use fake URLs to trick users, directing them to phanton.app or phantonn.app, for example, instead of the correct phantom.app. The group has also seen similar phishing scams used to direct users to fake cryptocurrency exchanges masquerading as legitimate outfits like PancakeSwap and UniSwap.

CPR’s researchers say they started noticing these scams after seeing crypto users complain about their losses on Reddit and other forums. They estimate that “at least half a million dollars” have been stolen over the past few days.

“I believe we’re at the advent of a new cyber crime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets, instead of traditionally phishing through email,” said CPR’s Oded Vanunu in a press statement. “The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging. And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets.”

When asked for comment on these reports, a spokesperson for Google said: “This behavior directly violates our policies and we immediately suspended these accounts and removed the ads. This appears to be a malicious actor looking for ways to evade our detection. We are always adjusting our enforcement mechanisms to prevent these abuses.”

CPR offers a few words of wisdom for users hoping to avoid these pitfalls, including never clicking on Google Ads results but instead looking at search results, and always checking the URL of the site you’re visiting.
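
The URL check CPR recommends can be automated. The Python below is an added example, not code from CPR or this article: it compares a link's hostname against a user-maintained allowlist and flags near-miss spellings such as phanton.app and phantonn.app. The allowlist contents, function names and distance threshold are assumptions; only phantom.app and the two fake domains come from the article.

```python
from urllib.parse import urlsplit

# Allowlist is an assumption: phantom.app is the legitimate domain named in
# the article; add the exact domains of the wallets you actually use.
KNOWN_GOOD = {"phantom.app"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: Levenshtein plus adjacent transpositions."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>', 'unknown' or 'invalid'."""
    try:
        host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    except ValueError:
        return "invalid"
    host = host.lower().rstrip(".")
    if not host:
        return "invalid"
    # Exact match, or a genuine subdomain of an allowlisted domain.
    if any(host == d or host.endswith("." + d) for d in KNOWN_GOOD):
        return "trusted"
    # Approximate the registrable domain as the last two labels (assumption;
    # production code should consult the Public Suffix List instead).
    candidate = ".".join(host.split(".")[-2:])
    for good in sorted(KNOWN_GOOD):
        if edit_distance(candidate, good) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # phanton.app and phantonn.app are the fake domains quoted in the article;
    # example.org is a constructed control value.
    for link in ("https://phantom.app/", "phanton.app", "phantonn.app", "example.org"):
        print(f"{link:24} {classify(link)}")
```

A result of "unknown" only means the hostname is not close to anything on the allowlist; it is not a verdict that the site is safe.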

Update, November 5th, 11:03AM ET: Updated with comment from Google.