Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Gentlemen Ransomware Exploits 21 Remote Execution Techniques
July 6, 2026
Home/Threats/Malicious Google Ads Push Crypto Wallet Drainers and Seed Phrase Theft
Threats

Malicious Google Ads Push Crypto Wallet Drainers and Seed Phrase Theft

Key Takeaways Sophisticated threat actors are exploiting Google’s advertising platform to target cryptocurrency users. Malicious ads lead to fake websites designed to steal crypto wallet funds...

Sarah simpson
Sarah simpson
April 22, 2026 4 Min Read
46 0

Key Takeaways

  • Sophisticated threat actors are exploiting Google’s advertising platform to target cryptocurrency users.
  • Malicious ads lead to fake websites designed to steal crypto wallet funds and seed phrases, utilizing wallet drainers, seed phrase stealers, and rogue browser extensions.
  • The attacks have intensified, with over $1.2 million confirmed stolen between March 13 and March 30, 2026, though the actual figure is likely higher.
  • Prominent platforms like Uniswap, PancakeSwap, Morpho Finance, Hyperliquid, CoW Swap, and Ledger have been impersonated.
  • Attackers employ an advanced multi-layered infrastructure to evade Google’s detection, quickly relaunching campaigns even after takedowns.

Cybersecurity researchers have uncovered an ongoing, highly organized campaign where malicious actors leverage Google’s advertising network to target cryptocurrency enthusiasts. These campaigns deploy fraudulent advertisements that mimic legitimate crypto applications, ultimately leading users to phishing sites designed to compromise their digital assets through wallet drainers and seed phrase theft, according to a recent analysis by SecurityAlliance (SEAL).

Table Of Content

  • Key Takeaways
  • Attack Modus Operandi and Payloads
  • Financial Impact and Targeted Brands
  • How the Attack Infrastructure Works
  • What You Should Do

This attack vector, while not entirely novel, has seen a sharp increase in activity throughout 2026. March 2026 marked a significant surge, with threat actors consistently deploying fake ads on a weekly basis for over a year. The campaigns specifically targeted widely-used platforms such as Uniswap, PancakeSwap, Morpho Finance, Hyperliquid, CoW Swap, and the hardware wallet brand Ledger.

The sustained nature and extensive reach of these operations indicate a sophisticated, well-resourced criminal enterprise operating without signs of abatement.

Attack Modus Operandi and Payloads

SEAL analysts have been actively tracking the threat actors responsible for these campaigns. Their research identified three primary types of malicious payloads: cryptocurrency wallet drainers, seed phrase stealers, and fraudulent browser extensions.

  • Wallet Drainers: These typically involve injecting JavaScript into the victim’s browser, prompting them to authorize a harmful transaction that transfers funds to the attacker’s control.
  • Seed Phrase Stealers: Users are directed to meticulously cloned websites that appear identical to legitimate platforms. On these fake sites, victims are tricked into entering their secret recovery (seed) phrases directly, granting attackers full access to their wallets.
  • Fake Browser Extensions: Malicious browser extensions are distributed, often through deceptive links, mimicking legitimate tools within the Chrome Web Store.

In a short span of weeks, SEAL successfully blocked more than 356 malicious advertisement URLs. However, researchers caution that this figure represents only a fraction of the actual scale of the operation.

Financial Impact and Targeted Brands

The financial losses attributed to these attacks are substantial. Between March 13 and March 30, 2026, a total of $1,274,259 was stolen from victims. Of this amount, $810,929 was directly linked to specific, confirmed attacks. A single incident in early March 2026 alone resulted in a loss of $385,000. SEAL emphasizes that the true financial impact is likely much higher, as accurate attribution often relies on victims coming forward with comprehensive details.

Analysis of the impersonated brands reveals that Uniswap was the most frequently targeted, accounting for 41% of all detected malicious sites. Morpho Finance followed, being impersonated in 31% of the observed cases.

Brand Impersonation (Source - SecurityAlliance)
Brand Impersonation (Source – SecurityAlliance)

How the Attack Infrastructure Works

A critical element of this campaign’s success lies in its sophisticated delivery mechanism, designed to circumvent Google’s automated detection systems. Instead of directly linking to malicious content, the initial advertisement URL points to a page hosted on trusted Google-owned domains, such as sites.google.com or docs.google.com. This tactic allows the ad to successfully pass Google’s automated review processes, as the initial destination appears benign.

The actual malicious content is then loaded separately via hidden iframes, combined with advanced fingerprinting and cloaking scripts. These scripts play a crucial role in determining the visitor’s intent: if the visitor appears to be a security researcher or automated crawler, they are redirected to harmless pages, often on Wikipedia. Conversely, if the visitor is identified as a genuine cryptocurrency user, they are presented with a fully cloned version of the targeted application, visually indistinguishable from the legitimate site.

Fake ads (Source - SecurityAlliance)
Fake ads (Source – SecurityAlliance)

A man-in-the-middle proxy layer further enhances the attackers’ capabilities. This layer intercepts all network traffic generated by the cloned interface, including Ethereum transaction requests. These requests are routed through the attacker’s backend before reaching any legitimate endpoint, providing the attackers with real-time visibility into the victim’s wallet balance and activity.

The rapid response capability of these threat actors is also noteworthy. When SEAL successfully blocks a malicious URL, the attackers’ system almost immediately detects the takedown and relaunches the campaign with a new advertisement and a fresh landing page, often within minutes.

What You Should Do

  • Avoid Google Search for Crypto Apps: Cease using Google Search to locate or access cryptocurrency applications.
  • Bookmark Trusted URLs: Always save the legitimate URLs of your cryptocurrency platforms as bookmarks and access them directly.
  • Verify Links with Indexing Tools: Utilize cryptocurrency-specific indexing tools, such as search.defillama.com, to confirm the authenticity of a site before connecting your wallet.
  • Enforce Direct Access Policies: Organizations managing digital assets should implement strict policies mandating direct-URL access and prohibiting clicks on any search results, including sponsored advertisements.
  • Stay Vigilant: Despite Google’s efforts to suspend identified advertiser accounts, the campaign’s rapid redeployment necessitates extreme caution. Relying solely on bookmarked links remains the most effective defense.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Cybercriminals Exploit French Fintech Accounts to Launder Stolen Funds

Next Post

Fake GitHub Repositories Deliver SmartLoader and StealC Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Windows 11 24H2, 25H2 Bug Triggers Black Screens, Start Menu Failure
July 6, 2026
IBM WebSphere Flaws Let Attackers Exploit XSS, Path Traversal
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us