Fake Uniswap ads on Google cause USD 400,000 in losses to users

Fraudulent ads on Google impersonating Uniswap have taken at least four hundred thousand dollars from cryptocurrency users in recent weeks, as hackers take advantage of search engine ads.

5/27/2026 · 4 min read

The mechanism of draining wallets through advertising

The attack exploits a fundamental asymmetry in how users interact with search engines: sponsored ads appear above organic search results and receive the majority of clicks from users trying to reach legitimate decentralized exchanges. Victims searching for "Uniswap" encounter fake paid ads placed ahead of the official Uniswap website. The scammers buy Google ads through compromised advertiser accounts or through verified accounts obtained from third parties that specialize in deploying scam campaigns. The ads direct users to professionally copied websites that imitate Uniswap's interface with pixel-by-pixel accuracy, creating a visual authenticity that defeats the usual checks of users who expect search engines to filter malicious content.

After users access the fake website and connect a cryptocurrency wallet through MetaMask, WalletConnect or a similar browser extension, the interface will ask for approval of a token swap that seems to be standard.

Behind the deceptively familiar user experience is a malicious smart contract supplied by wallet-drainer service providers (Drainer-as-a-Service), including the Inferno and Vanilla families. It generates signature requests that grant unlimited spending rights over all tokens the victim holds, rather than approving only the limited amount needed for a specific swap. The approval looks valid in the wallet confirmation dialog because the malicious contract mimics the interaction patterns of mainstream decentralized exchanges, and most users click "approve" without carefully reviewing the technical details of the authority they are granting.
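The difference between a swap-sized approval and an unlimited one is visible in the raw call data the wallet is asked to sign. The following is an added example, not code from the article or from any wallet: it decodes the standard on-chain approval calls and reports why a request grants more than the swap needs. The addresses, the allowlist and the "unlimited" threshold are constructed assumptions, and off-chain permit signatures are not covered.

```python
# Function selectors: first 4 bytes of keccak256 of the signature.
APPROVE = "095ea7b3"               # approve(address,uint256)
INCREASE_ALLOWANCE = "39509351"    # increaseAllowance(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255       # assumption: at or above this counts as unlimited

def decode_approval(calldata_hex):
    """Return (selector, spender, value) for an approval call, else None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, INCREASE_ALLOWANCE, SET_APPROVAL_FOR_ALL):
        return None                # not an approval-type call
    if len(args) < 128:
        raise ValueError("truncated approval calldata")
    spender = "0x" + args[24:64]   # address is the low 20 bytes of word 0
    value = int(args[64:128], 16)  # amount (or bool flag) is word 1
    return selector, spender, value

def review_request(calldata_hex, expected_spenders, swap_amount):
    """List the reasons this approval grants more than the swap needs."""
    decoded = decode_approval(calldata_hex)
    if decoded is None:
        return []
    selector, spender, value = decoded
    findings = []
    if spender not in {s.lower() for s in expected_spenders}:
        findings.append("unknown-spender")
    if selector == SET_APPROVAL_FOR_ALL:
        if value != 0:
            findings.append("operator-for-all-tokens")
    elif value >= UNLIMITED_THRESHOLD:
        findings.append("unlimited-allowance")
    elif value > swap_amount:
        findings.append("allowance-exceeds-swap")
    return findings

def build_calldata(selector, spender, value):
    """Construct sample calldata for the demo and tests."""
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + format(value, "064x")

# Constructed placeholder addresses, not real contracts.
ROUTER = "0x" + "11" * 20    # stands in for the exchange contract the user expects
UNKNOWN = "0x" + "ee" * 20   # stands in for a spender the user has never verified

if __name__ == "__main__":
    request = build_calldata(APPROVE, UNKNOWN, MAX_UINT256)
    print(review_request(request, {ROUTER}, 10**18))
```

An empty list means the request approves a known spender for no more than the swap amount; any finding is a reason to reject and re-check the site's URL.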

Automated wallet-draining service (Drainer-as-a-Service)

Inferno Drainer and Vanilla Drainer represent an industrialized online fraud infrastructure. They operate under the Drainer-as-a-Service model, which puts sophisticated wallet theft within reach of non-technical offenders. These platforms provide a package of malicious smart contracts, automated deployment infrastructure, generation of transaction signatures that pass common security checks, and integrated encryption that protects the identity of the operator while ensuring reliable collection. Affiliates who purchase the drainer service receive a comprehensive set of tools that lets them launch scam campaigns without understanding blockchain mechanics or developing smart contracts, paying a 20% commission on the amount successfully drained in exchange for technical infrastructure and continuous operational support.

This business model has proved significantly profitable despite pressure from law enforcement and periodic platform closures. A Security Alliance report shows that wallet-drainer scams peaked in 2024, when victims lost nearly $500 million to top services including Angel, Inferno and Pink, according to Sniffer's tracking data.

Although total drained volume decreased after the introduction of improved wallet security features and advanced blockchain analytics capabilities, criminal organizations have adapted by developing more sophisticated evasion techniques and targeting higher-value victims rather than pursuing volume-based methods. Blockchain investigator Darkbit noted that Vanilla Drainer has gained the market lead from Inferno's customers, with most of the large six- and seven-figure drains in recent months attributed to Vanilla's ability to be upgraded.

Google's Detection Failures and Platform Narrowing

The fact that fraudulent cryptocurrency ads still exist despite many years of reporting and many high-profile thefts raises basic questions about Google's ad review process and whether the platform has enough motivation to invest in effective screening mechanisms. Attackers exploit specific technical vulnerabilities in Google's automated ad approval system. They deploy cloaking scripts that detect when Google's crawler is checking the ad page versus when a user actually visits, showing legitimate content to automated reviewers while serving a malicious phishing interface to real visitors.

The fingerprinting and cloaking infrastructure operates through malicious JavaScript and hidden iframes that load additional payloads which Google's detection algorithms cannot recognize. The separation between the advertised landing page and the actual phishing interface creates a technical barrier that automated systems find difficult to overcome.
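From the reviewing side, this kind of cloaking shows up as a difference between what the same URL serves to an automated check and what it serves to a normal visit. The following is an added example, not tooling from the article, Google or Security Alliance: it compares two captured HTML responses and reports script and iframe sources that only the visitor view loads, plus any iframes hidden from view. Both responses and the `example.test` host are constructed.

```python
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def iframe_is_hidden(attrs):
    """True when an iframe is styled or sized so a visitor cannot see it."""
    if "hidden" in attrs or HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")

class ResourceCollector(HTMLParser):
    """Collect script/iframe sources and note iframes that are hidden."""
    def __init__(self):
        super().__init__()
        self.sources = set()
        self.hidden_iframes = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        src = attrs.get("src", "")
        if tag in ("script", "iframe") and src:
            self.sources.add(src)
        if tag == "iframe" and iframe_is_hidden(attrs):
            self.hidden_iframes.append(src)

def collect(html):
    parser = ResourceCollector()
    parser.feed(html)
    return parser

def compare_views(reviewer_html, visitor_html):
    """Report what the visitor view loads that the reviewer view did not."""
    reviewer, visitor = collect(reviewer_html), collect(visitor_html)
    return {
        "visitor_only_sources": sorted(visitor.sources - reviewer.sources),
        "hidden_iframes": visitor.hidden_iframes,
    }

# Constructed responses for the same landing URL (example.test is a placeholder).
REVIEWER_VIEW = '<html><body><script src="/static/app.js"></script><h1>Blog</h1></body></html>'
VISITOR_VIEW = ('<html><body><script src="/static/app.js"></script>'
                '<iframe src="https://cdn.example.test/frame.html" width="0" height="0" '
                'style="display:none"></iframe></body></html>')

if __name__ == "__main__":
    print(compare_views(REVIEWER_VIEW, VISITOR_VIEW))
```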

Security Alliance's March 2026 report recorded a sharp increase in malicious advertising activity on Google targeting decentralized finance applications, wallets and cryptocurrency services, with analysts blocking 356 malicious advertising URLs over a three-week period, showing a stable weekly volume maintained throughout the previous year.

The scale of the report shows that this is systematic exploitation rather than a series of individual incidents. Threat actors run coordinated campaigns across multiple advertiser accounts that were compromised or fraudulently obtained, ensuring a continuous presence even when individual ads are removed. SEAL noted that Google suspended all advertiser accounts identified in their report, but the reactive enforcement approach allowed new fraudulent accounts to immediately replace suspended ones without causing any significant disruption to the overall phishing campaign.

Decentralized finance security

The four-hundred-thousand-dollar Uniswap scam campaign shows that the technical decentralization of blockchain protocols only provides limited protection when user interaction depends on centralized infrastructure, including search engines, advertising platforms and domain name systems that criminals systematically exploit to place malicious interfaces between users and legitimate decentralized applications. This vulnerability reflects the fundamental tension in Web3 architecture between trustless on-chain execution and trusted off-chain access layers that users navigate to access decentralized protocols, with the latter layer creating persistent attack surfaces that sophisticated phishing campaigns exploit regardless of basic blockchain security guarantees.

For cryptocurrency users, this incident reinforces the importance of never trusting search results when accessing decentralized finance protocols. Instead, bookmark verified URLs, use hardware wallet transaction confirmation, which provides an additional layer of confirmation before signing, and maintain a healthy skepticism toward any interface that requires a wallet connection or transaction approval. A defensive mindset requires treating all interactions as potentially malicious until proven otherwise through multiple verification mechanisms, reversing the conventional browsing assumption that large platforms filter dangerous content before showing results to users.

Disclaimer: The information presented in this article is the author's personal opinion in the field of cryptocurrencies. This is not financial or investment advice at all. Every investment decision should be based on careful consideration of your personal portfolio and risk tolerance. The opinion in the article does not represent the official position of the platform. We recommend that readers do their own research and consult experts before making any investment decisions.

Synthesized and analyzed by HCCVenture
