The AngelFerno Drainer Campaign: How Fake Uniswap Google Ads Are Turning Search Engines Into Wallet Drainage Weapons

Crypto users searching for Uniswap on Google are falling victim to a sophisticated phishing campaign that has drained at least 400,000 USD from wallets in recent days, according to on-chain analysts. The attack exploits Google’s advertising infrastructure to place malicious links above legitimate search results, turning a routine web search into a catastrophic financial loss.

By Elena Kowalski | May 29, 2026

The Exploit Mechanics

On May 25, 2026, on-chain analyst b-block posted a warning on X confirming that fake Uniswap Google advertisements had stolen at least 400,000 USD from cryptocurrency users. Two attacker wallet addresses were publicly identified and verified on Etherscan, together holding approximately 146 ETH — worth roughly 306,000 USD at the time of reporting.

The attack vector is deceptively simple. Attackers purchase sponsored Google search advertisements that appear above the genuine Uniswap link. Victims click the ad, land on a convincing clone of the Uniswap interface, connect their wallet, and sign what appears to be a routine transaction. That single signature grants attackers permission to drain assets or execute trades directly from the victim’s wallet.

The wallet drainer tool identified in this campaign is called AngelFerno, a scam-as-a-service script specifically targeting DeFi users. According to security researchers, AngelFerno operates across multiple domains tracked on GitHub phishing blocklists. The attackers register Punycode-encoded domains that substitute Cyrillic characters for Latin look-alikes, making the fraudulent domain names visually indistinguishable from legitimate ones to the naked eye.

Stacy Muur, founder of Web3 marketing agency Green Dots, published definitive proof of the active exploit and publicly called out Google’s advertising infrastructure. She noted that the platform has ignored this vulnerability for years while fraudulent links continue to appear above genuine ones.

  • AngelFerno drainer — scam-as-a-service tool using in-browser JavaScript to push malicious transaction approvals
  • Punycode domains — Cyrillic character substitution making fake URLs visually identical to real ones
  • Hidden iframes — secondary payloads invisible to Google’s automated detection systems
  • Three payload types — wallet drainers, seed phrase stealers, and fake browser extensions

Affected Systems

This is not an isolated incident targeting Uniswap alone. The campaign represents a sustained, organized criminal operation that has been running for over a year, impersonating some of the most widely used platforms in decentralized finance.

According to the Security Alliance (SEAL), phishing campaigns tied to malicious Google advertisements stole more than 1.27 million USD between March 13 and March 30, 2026 alone. SEAL reported blocking over 356 malicious advertisement links over the past year and warned that the campaign remains active with continued reports from affected users.

Data from SEAL reveals the scope of brand impersonation across this campaign:

  • Uniswap — most impersonated brand at 41 percent of all detected malicious sites
  • Morpho Finance — second most targeted at 31 percent
  • Other targets — PancakeSwap, Hyperliquid, CoW Swap, and hardware wallet manufacturer Ledger

A single theft in early March 2026 reached approximately 385,000 USD. SEAL noted that actual total losses are likely significantly higher, since reliable attribution is only possible when victims come forward with complete details. The broader crypto phishing landscape is even more alarming: according to CertiK, phishing attacks drained more than 311 million USD from crypto users in January 2026 alone, with one social engineering incident accounting for 284 million USD of that total.

With Ethereum trading around 2,007 USD and Bitcoin near 73,671 USD according to CoinGecko data, the total value locked in DeFi protocols remains substantial, making these platforms persistent targets for sophisticated phishing operations.

The Mitigation Strategy

Addressing this threat requires action at multiple levels — from individual users to the advertising platforms that enable these attacks. The most immediate defensive measure is behavioral: users must never click sponsored search results when navigating to crypto platforms. Instead, they should type the URL directly into the browser address bar or use verified bookmarks.

For users who have already connected wallets to suspicious sites, the mitigation path is clear. Immediately revoke all token approvals using tools like Revoke.cash or Etherscan’s token approval checker. Transfer remaining assets to a fresh wallet that has never been connected to any suspicious dApp. If a seed phrase was entered on any site other than the official wallet application, assume the wallet is fully compromised.

At the platform level, the pressure on Google is mounting. Security researchers and industry figures have repeatedly called on the company to implement stricter verification for cryptocurrency-related advertisers. The continued appearance of fraudulent ads above legitimate results suggests that current automated detection systems are insufficient against adversaries who use sophisticated domain cloaking techniques.

Browser-level protections also play a role. Users should install phishing detection extensions such as PocketUniverse or Wallet Guard, which simulate transactions before execution and flag suspicious contract interactions. Hardware wallets like Ledger or Trezor provide an additional layer of security by requiring physical confirmation of transaction details on the device screen, making blind signature attacks far more difficult to execute.
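What a signature on an approval request actually authorizes can be read from the transaction calldata before signing. The sketch below is an added example, not code from the article or from the tools it names; it assumes the request is a standard ERC-20 `approve`/`increaseAllowance` or ERC-721/1155 `setApprovalForAll` call, and the spender address and sample calldata are constructed.

```python
# Function selectors (first 4 bytes of calldata) for standard approval calls.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20
    "39509351": "increaseAllowance(address,uint256)",  # common ERC-20 extension
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
}
UNLIMITED = 2**255  # anything this large is an effectively infinite allowance


def inspect_calldata(data, trusted_spenders=frozenset()):
    """Decode approval-style calldata; return None for any other call."""
    raw = bytes.fromhex(data[2:] if data.startswith("0x") else data)
    name = SELECTORS.get(raw[:4].hex())
    if name is None:
        return None
    if len(raw) < 4 + 64:
        raise ValueError("truncated calldata: expected two 32-byte arguments")
    word1, word2 = raw[4:36], raw[36:68]
    spender = "0x" + word1[12:].hex()  # an address is the low 20 bytes of its word
    value = int.from_bytes(word2, "big")
    warnings = []
    if spender not in trusted_spenders:
        warnings.append("spender is not on the trusted list")
    if name.startswith("setApprovalForAll"):
        if value:
            warnings.append("operator gains control of every token in the collection")
    elif value >= UNLIMITED:
        warnings.append("allowance is effectively unlimited")
    return {"call": name, "spender": spender, "value": value, "warnings": warnings}


# Constructed sample: approve(<placeholder spender>, 2**256 - 1)
SPENDER = "0x" + "11" * 20
SAMPLE = "0x095ea7b3" + SPENDER[2:].rjust(64, "0") + "f" * 64

if __name__ == "__main__":
    for key, val in inspect_calldata(SAMPLE).items():
        print(f"{key}: {val}")
```

The trusted list is whatever set of lower-case contract addresses the user has verified out of band; an empty list flags every spender.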

Lessons Learned

The Uniswap Google Ads campaign exposes a fundamental tension in how users discover and access decentralized finance. Despite the ethos of decentralization and self-custody, the vast majority of users still rely on centralized Web2 infrastructure — search engines, social media, and app stores — to find crypto services. This dependency creates a concentrated attack surface that no smart contract audit can fix.

The longevity of this campaign is particularly troubling. SEAL has been tracking these Google ad-based phishing operations for over a year, yet the attack pattern remains effective. The persistence suggests that the economic incentives favor attackers — the cost of purchasing Google Ads is trivial compared to the potential returns from a single successful wallet drain. As long as advertising platforms prioritize revenue over verification, this vector will continue to produce victims.

The AngelFerno tool’s availability as a scam-as-a-service product represents another escalation. When sophisticated attack tools are commoditized and made accessible to unsophisticated actors, the volume of attacks increases dramatically. This mirrors the broader trend in cybersecurity where ransomware-as-a-service and phishing-as-a-service kits have democratized cybercrime.

The use of Punycode domains deserves special attention. This technique exploits a fundamental limitation of how humans read URLs — our brains process visually similar characters as equivalent, even when they map to entirely different domain names. Browser vendors have attempted to address this with visual warnings, but the protections remain inconsistent across platforms, and many users do not notice the subtle differences.
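The character-by-character comparison that the eye cannot do reliably is easy to automate. The following is an added example, not code from the article or from any blocklist project it mentions; the look-alike table is a small hand-picked subset, the brand watch list is assumed from the names in the article, and the sample hostname is constructed.

```python
import unicodedata

# Assumption: a small hand-picked subset of Cyrillic look-alikes; a fuller
# check would load the Unicode confusables data (UTS #39).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u0501": "d", "\u04bb": "h",
})
# Assumed watch list: brand names mentioned in the article, as DNS labels.
BRANDS = {"uniswap", "morpho", "pancakeswap", "hyperliquid", "ledger"}


def to_unicode(label):
    """Decode one DNS label from its xn-- (Punycode) form, if it has one."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts(label):
    """Scripts of the letters in a label, read from Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def check_host(host):
    """Return the reasons a hostname looks like a homograph of a watched brand."""
    findings = []
    for raw in host.rstrip(".").split("."):
        try:
            label = to_unicode(raw)
        except UnicodeError:
            findings.append(f"{raw}: undecodable Punycode")
            continue
        if label.isascii():
            continue  # plain ASCII label: no cross-script look-alikes possible
        found = scripts(label)
        if len(found) > 1:
            findings.append(f"{raw}: mixes scripts {sorted(found)}")
        skeleton = label.translate(CONFUSABLES)
        if skeleton in BRANDS:
            findings.append(f"{raw}: renders like '{skeleton}'")
    return findings


# Constructed sample: 'uniswap' with Cyrillic U+0456 replacing Latin 'i'.
FAKE = "xn--" + "un\u0456swap".encode("punycode").decode("ascii") + ".example"
print(check_host(FAKE))
print(check_host("app.uniswap.example"))
```

The same check works on the `xn--` form seen in logs and on the Unicode form shown in an address bar, since both are normalized before comparison.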

User Action Required

Immediate protective steps are essential for anyone who has interacted with Uniswap or any other DeFi platform through a Google search in recent weeks. Users should check their wallet approval history on Etherscan or equivalent block explorers for their chain of choice. Any approvals to unrecognized contracts should be revoked immediately.

Going forward, adopt a zero-trust approach to search engine results for crypto services. Bookmark official URLs directly. Verify domain names character by character before connecting a wallet. Consider using a dedicated browser profile or device for DeFi interactions, free from advertising tracking and unrelated extensions that could introduce vulnerabilities.

For those holding significant value in DeFi positions, a hardware wallet is no longer optional — it is a baseline security requirement. The cost of a hardware wallet is negligible compared to the cost of a single successful phishing attack. Treat every wallet connection as a high-stakes transaction that deserves careful verification, not a casual click.

The phishing landscape in 2026 is defined by scale, sophistication, and the weaponization of trusted advertising infrastructure. Staying safe requires constant vigilance and a willingness to question every link, even — especially — when it appears at the top of a Google search results page.

The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice. Always conduct independent research and verify the authenticity of any platform before connecting your wallet or transacting.

4 thoughts on “The AngelFerno Drainer Campaign: How Fake Uniswap Google Ads Are Turning Search Engines Into Wallet Drainage Weapons”

  1. rekt_in_peace

    146 ETH stolen through a google ad and they still run crypto sponsored results with zero verification. google is basically an accomplice at this point

  2. Daniel Okafor

    AngelFerno has been popping up on blocklists for weeks. The Punycode angle is nasty though, even a careful user could fall for that one.

  3. the fact that a single signature can drain your whole wallet is the real problem. we need better tx simulation built into wallets by default

    1. ^ hard agree. MetaMask shows you a hex blob and expects you to know what it does. blame the victim culture in this space is wild
