← All Reports

Uniswap Phishing Ads: Google Ad Campaign Targeting DeFi Users

📅 2025-05-29
phishing google-ads defi uniswap

Uniswap Google Ad Phishing Attack - Investigation Report

Date: May 29, 2026

Case ID: ONCHAIN-2026-0529-001

Status: Active - Ongoing Scam

Executive Summary

Google's advertising platform has been weaponized by scammers to drain crypto wallets through fake Uniswap phishing sites. Over $400,000 has been stolen from users searching for Uniswap on Google, with two primary attacker wallets identified holding approximately 146 ETH (~$306,000).

Incident Timeline

| Date | Event |

|------|-------|

| May 25, 2026 | On-chain investigator @b_block_oficial identifies attack |

| May 26, 2026 | Community alerts spread via Twitter/X |

| May 27, 2026 | Multiple news outlets report the incident |

| Ongoing | Scam continues - Google has not taken action |

Attacker Wallet Addresses

Primary Drain Wallet 1: 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb

Primary Drain Wallet 2: 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2

Current Holdings (as of May 26):

  • Wallet 1 + Wallet 2: ~146 ETH (~$306,000)
  • Additional tokens (unspecified)
  • Total estimated theft: ≥$400,000

Attack Methodology

Phase 1: Ad Placement

  • Scammers purchase Google sponsored ads for "Uniswap" keyword
  • Outbid legitimate Uniswap protocol to secure top position
  • Use hacked or fraudulently obtained Google advertiser accounts

Phase 2: Cloaking & Evasion

  • Phishing URLs use authentic-looking domains
  • Hidden secondary element loads malicious code
  • Advanced infrastructure includes:

- Cloudflare Workers

- Arweave-hosted payloads

- Traffic redirection systems

- Proxy layers monitoring user RPC requests

  • Techniques bypass Google's automated review systems

Phase 3: Wallet Drain

  • Victims land on convincing Uniswap replica
  • Malicious site intercepts Ethereum RPC requests
  • Silent drain of connected wallets
  • No seed phrase needed - one wrong signature drains everything

Scale of the Problem

SEAL Organization Findings

The Security Alliance (SEAL) has been tracking this pattern:

  • Sharp rise in March 2026: $1.27 million stolen (March 13-30)
  • 356+ malicious Google ad URLs blocked (typical weekly volume)
  • Pattern has sustained for over a year
  • Uniswap accounts for 41% of tracked malicious websites

Other Targeted Platforms

  • Morpho Finance
  • PancakeSwap
  • Hyperliquid
  • CoW Swap
  • 1inch
  • Ledger (phishing emails post-data breach)

Drainer Families Identified

  • Inferno Drainer
  • Vanilla Drainer

Community Response

@b_block_oficial Alert

> "Two scammers have already stolen ~$400,000 from users through a phishing @Uniswap ad on Google. It's insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained."

@StacyMuur (GREEND0TS Founder)

Shared screenshots of malicious ads appearing as top sponsored results. Confirmed scam site closely replicates official Uniswap interface.

@DeFiLlama

Echoed concerns, calling fake Google ads a "common and recurring source of phishing attacks targeting the crypto community."

Regulatory & Legal Context

Google Responsibility

  • Google has been aware of crypto phishing ads for over a year
  • No effective prevention measures implemented
  • Continues to profit from ad purchases by bad actors
  • No statement or remediation announced

Victim Protection Guidelines

  • Only use official links: Verify via official channels (defillama.com, coinmarketcap.com)
  • Check URLs carefully: Even slight misspellings indicate phishing
  • Use hardware wallets: For significant holdings
  • Review approvals regularly: Use revoke.cash to check/remove suspicious approvals
  • Never sign blind transactions: Read all transaction details before signing
  • Be skeptical of search results: Sponsored = Paid, not verified

    • On-Chain Evidence Links

    • Original alert tweet with wallet addresses: Twitter/X Link
    • SEAL Report: Phishing campaign analysis

    ZachXBT Angle

    This case is NOT suitable for ZachXBT coverage because:

    • Attack methodology is well-documented by other analysts
    • No new unique investigative angle
    • Attack is ongoing rather than concluded
    • However, Google's complicity in perpetuating this scam deserves wider exposure

    Conclusion

    This incident highlights the ongoing failure of Google to protect users from cryptocurrency phishing scams on its advertising platform. Despite repeated warnings from the security community, fake Uniswap ads continue to appear as top search results, resulting in ongoing losses exceeding $400,000.

    Key Takeaway: Google profits from ads while users lose life-changing money. The platform has shown no willingness to implement meaningful safeguards despite over a year of documented attacks.

    Investigation conducted by on-chain-shadow

    Report generated: May 29, 2026

    GitHub Pages: https://onchain-shadow.github.io/on-chain-investigations/