โ† All Reports

Uniswap Phishing via Google Ads: Campaign Tracking & Wallet Analysis

2025-05-28
phishing google-ads uniswap ethereum

Fake Uniswap Google Ads Phishing Scam Investigation Report

Investigation Date: May 26, 2026

Incident Type: Google Ads Phishing Scam

Loss Amount: $400,000+

Attacker Wallets:

  • 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb
  • 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2


Executive Summary

On May 25, 2026, on-chain analyst b_block discovered that attackers were purchasing Google sponsored advertisements to impersonate the official Uniswap website, luring users to connect their wallets and sign malicious transactions, thereby stealing user assets.

As of this report, the two attacker wallets collectively hold approximately 146 ETH (valued at approximately $306,000 at the time), with total losses exceeding $400,000.


๐Ÿ” Attack Vector Analysis

Attack Flow

  • Ad Placement: Attackers purchased sponsored ads for the "Uniswap" keyword on the Google Search platform
  • Phishing Website: Users clicking the ad are directed to a meticulously crafted phishing website with an interface nearly identical to the official site
  • Malicious Authorization: When users connect their wallet and sign transactions, they are actually granting access permissions to a malicious contract
  • Fund Transfer: The drainer contract automatically transfers user assets to wallets controlled by the attacker
Attack Tools

Security researchers identified that the phishing website utilized the AngelFerno drainer tool, a Phishing-as-a-Service (PhaaS) malware.

Attackers also employed the following techniques to evade detection:

  • Punycode URL: Utilizing Cyrillic characters to make phishing domains visually indistinguishable from legitimate domains
  • Hidden iframe: Loading malicious code while remaining invisible to Google's automated review systems
  • Traffic Redirection: Secretly routing all user network traffic to attacker-controlled servers
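
The Punycode technique in the list above can be checked mechanically. The following is an added example, not code from the report or its sources: it decodes `xn--` labels and flags hostnames whose lookalike-folded form matches a protected domain. The allowlist entry `uniswap.org`, the small confusables table and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Assumed allowlist of protected registrable domains (not from the report).
PROTECTED = {"uniswap.org"}

# Constructed subset of Cyrillic -> Latin lookalikes; a production check would
# load the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}

def to_ascii(hostname):
    """Encode non-ASCII labels as xn-- Punycode, the form seen in URLs and logs."""
    return ".".join(
        l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
        for l in hostname.lower().split("."))

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- Punycode."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold known lookalike characters to the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def classify(hostname):
    """Return 'official', 'homograph', 'mixed-script' or 'unrelated'."""
    labels = [decode_label(l) for l in hostname.rstrip(".").split(".")]
    tail = labels[-2:]  # naive registrable domain: assumes a one-label TLD
    if ".".join(tail) in PROTECTED:
        return "official"
    if ".".join(skeleton(l) for l in tail) in PROTECTED:
        return "homograph"
    if any(len(scripts(l)) > 1 for l in labels):
        return "mixed-script"
    return "unrelated"

# Constructed sample: "uniswap" with Cyrillic U+0456 in place of Latin "i".
SAMPLE = to_ascii("un\u0456swap.org")
```
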

Attacker Infrastructure

  • Phishing websites utilized trusted Google services (sites.google.com, docs.google.com) to bypass detection
  • Advanced infrastructure including Cloudflare Workers, Arweave hosting for payloads, and proxy layers
  • Capable of intercepting Ethereum RPC requests and monitoring user activity in real-time


Fund Flow Analysis

| Wallet Address | Held Assets | Estimated Value |
|---------------|-------------|----------------|
| 0x37925684...A49Bb | ~73 ETH + tokens | ~$153,000 |
| 0x2fC25F46c...c5E2 | ~73 ETH + tokens | ~$153,000 |
| Total | ~146 ETH | ~$306,000 |


    โš ๏ธ Systemic Risk Analysis

    Google Ads Platform Responsibility

    According to Security Alliance (SEAL) reports:

    • During March 2026, Google Ads phishing attacks stole approximately $1.27 million
    • SEAL blocks over 356 malicious Google ad links weekly
    • This attack pattern has persisted for over one year with no signs of slowing

    Notable Victims

    Uniswap founder Hayden Adams has publicly criticized Google's failure to effectively combat counterfeit advertisements:

    > "These scams are absolutely terrible, and we have been fighting them for years. Counterfeit scam apps impersonating our Uniswap keep appearing, despite our continuous applications to the Apple App Store, which took months to get approved."

    FBI Data

    According to FBI's "2025 Internet Crime Report":

    • Cryptocurrency-related complaints: 181,565
    • Total losses: $11.36 billion (22% year-over-year increase)
    • Average loss per victim: $62,604


    ๐Ÿ›ก๏ธ Community Protection Recommendations

  • Bookmark Verification: Manually bookmark DeFi platform URLs rather than relying on search
  • Manual URL Entry: Directly type official domain names into the browser
  • Verify Channels: Use trusted aggregators like DeFiLlama to verify protocol information
  • Regular Revocation: Use revoke.cash to regularly clean up unnecessary token approvals
  • Hardware Wallet: Use hardware wallets and carefully review each transaction
  • Ad Blocking: Consider using ad-blocking plugins and anti-phishing browser extensions
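
Reviewing a transaction and cleaning up approvals both come down to reading what a signature grants. As an added example (not from the report or any wallet's code), this decodes approval calldata before signing and flags an untrusted spender or an unlimited allowance. The addresses and trusted list are constructed, and the use of the standard `approve` / `setApprovalForAll` calls is an assumption the report does not specify.

```python
# Widely used approval selectors (first 4 bytes of keccak-256 of the signature).
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
UNLIMITED = 2**256 - 1

def encode_call(selector, address, value):
    """ABI-encode selector + (address, uint256/bool); used to build the samples."""
    addr = bytes.fromhex(address[2:])
    return "0x" + (selector + addr.rjust(32, b"\0") + value.to_bytes(32, "big")).hex()

def review_calldata(data_hex, trusted_spenders):
    """Describe what signing this calldata grants and list reasons to stop."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    selector, args = data[:4], data[4:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) != 64:
        return {"kind": "other", "spender": None, "warnings": []}
    spender = "0x" + args[12:32].hex()      # address is right-aligned in word 1
    value = int.from_bytes(args[32:], "big")
    warnings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender is not a contract you trust")
    if selector == APPROVE:
        # Same selector as ERC-721 approve; treated as an ERC-20 allowance here.
        kind = "approve"
        if value == UNLIMITED:
            warnings.append("unlimited allowance")
    else:
        kind = "operator-approval"
        if value:
            warnings.append("operator can move every token in the collection")
    return {"kind": kind, "spender": spender, "warnings": warnings}

# Constructed sample addresses, not taken from the report.
TRUSTED = {"0x" + "aa" * 20}
UNKNOWN = "0x" + "11" * 20
```
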

  • ๐Ÿ“ Unique Analytical Perspective

    This case reveals the contradiction between centralized platforms and decentralized finance:

    • DeFi protocols themselves are secure: Uniswap smart contracts have never been compromised
    • The problem lies at the entry point: Google search results have become accomplices for attackers
    • Irreversibility: Blockchain transactions cannot be reversed; once malicious transactions are signed, funds cannot be recovered

    This differs fundamentally from traditional cybersecurityโ€”users cannot "call customer service" or "request a refund," relying only on prevention rather than remediation.


Data Sources


Investigator: Onchain Shadow

OPSEC Statement: This report is based on publicly available on-chain data and media reports, all information sourced from publicly available sources.

Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.