Malicious Google Ads Push Crypto Wallet Drainers and Seed Phrase Theft
Key Takeaways Sophisticated threat actors are exploiting Google’s advertising platform to target cryptocurrency users. Malicious ads lead to fake websites designed to steal crypto wallet funds...
Key Takeaways
- Sophisticated threat actors are exploiting Google’s advertising platform to target cryptocurrency users.
- Malicious ads lead to fake websites designed to steal crypto wallet funds and seed phrases, utilizing wallet drainers, seed phrase stealers, and rogue browser extensions.
- The attacks have intensified, with over $1.2 million confirmed stolen between March 13 and March 30, 2026, though the actual figure is likely higher.
- Prominent platforms like Uniswap, PancakeSwap, Morpho Finance, Hyperliquid, CoW Swap, and Ledger have been impersonated.
- Attackers employ an advanced multi-layered infrastructure to evade Google’s detection, quickly relaunching campaigns even after takedowns.
Cybersecurity researchers have uncovered an ongoing, highly organized campaign where malicious actors leverage Google’s advertising network to target cryptocurrency enthusiasts. These campaigns deploy fraudulent advertisements that mimic legitimate crypto applications, ultimately leading users to phishing sites designed to compromise their digital assets through wallet drainers and seed phrase theft, according to a recent analysis by SecurityAlliance (SEAL).
Table Of Content
This attack vector, while not entirely novel, has seen a sharp increase in activity throughout 2026. March 2026 marked a significant surge, with threat actors consistently deploying fake ads on a weekly basis for over a year. The campaigns specifically targeted widely-used platforms such as Uniswap, PancakeSwap, Morpho Finance, Hyperliquid, CoW Swap, and the hardware wallet brand Ledger.
The sustained nature and extensive reach of these operations indicate a sophisticated, well-resourced criminal enterprise operating without signs of abatement.
Attack Modus Operandi and Payloads
SEAL analysts have been actively tracking the threat actors responsible for these campaigns. Their research identified three primary types of malicious payloads: cryptocurrency wallet drainers, seed phrase stealers, and fraudulent browser extensions.
- Wallet Drainers: These typically involve injecting JavaScript into the victim’s browser, prompting them to authorize a harmful transaction that transfers funds to the attacker’s control.
- Seed Phrase Stealers: Users are directed to meticulously cloned websites that appear identical to legitimate platforms. On these fake sites, victims are tricked into entering their secret recovery (seed) phrases directly, granting attackers full access to their wallets.
- Fake Browser Extensions: Malicious browser extensions are distributed, often through deceptive links, mimicking legitimate tools within the Chrome Web Store.
In a short span of weeks, SEAL successfully blocked more than 356 malicious advertisement URLs. However, researchers caution that this figure represents only a fraction of the actual scale of the operation.
Financial Impact and Targeted Brands
The financial losses attributed to these attacks are substantial. Between March 13 and March 30, 2026, a total of $1,274,259 was stolen from victims. Of this amount, $810,929 was directly linked to specific, confirmed attacks. A single incident in early March 2026 alone resulted in a loss of $385,000. SEAL emphasizes that the true financial impact is likely much higher, as accurate attribution often relies on victims coming forward with comprehensive details.
Analysis of the impersonated brands reveals that Uniswap was the most frequently targeted, accounting for 41% of all detected malicious sites. Morpho Finance followed, being impersonated in 31% of the observed cases.

How the Attack Infrastructure Works
A critical element of this campaign’s success lies in its sophisticated delivery mechanism, designed to circumvent Google’s automated detection systems. Instead of directly linking to malicious content, the initial advertisement URL points to a page hosted on trusted Google-owned domains, such as sites.google.com or docs.google.com. This tactic allows the ad to successfully pass Google’s automated review processes, as the initial destination appears benign.
The actual malicious content is then loaded separately via hidden iframes, combined with advanced fingerprinting and cloaking scripts. These scripts play a crucial role in determining the visitor’s intent: if the visitor appears to be a security researcher or automated crawler, they are redirected to harmless pages, often on Wikipedia. Conversely, if the visitor is identified as a genuine cryptocurrency user, they are presented with a fully cloned version of the targeted application, visually indistinguishable from the legitimate site.

A man-in-the-middle proxy layer further enhances the attackers’ capabilities. This layer intercepts all network traffic generated by the cloned interface, including Ethereum transaction requests. These requests are routed through the attacker’s backend before reaching any legitimate endpoint, providing the attackers with real-time visibility into the victim’s wallet balance and activity.
The rapid response capability of these threat actors is also noteworthy. When SEAL successfully blocks a malicious URL, the attackers’ system almost immediately detects the takedown and relaunches the campaign with a new advertisement and a fresh landing page, often within minutes.
What You Should Do
- Avoid Google Search for Crypto Apps: Cease using Google Search to locate or access cryptocurrency applications.
- Bookmark Trusted URLs: Always save the legitimate URLs of your cryptocurrency platforms as bookmarks and access them directly.
- Verify Links with Indexing Tools: Utilize cryptocurrency-specific indexing tools, such as search.defillama.com, to confirm the authenticity of a site before connecting your wallet.
- Enforce Direct Access Policies: Organizations managing digital assets should implement strict policies mandating direct-URL access and prohibiting clicks on any search results, including sponsored advertisements.
- Stay Vigilant: Despite Google’s efforts to suspend identified advertiser accounts, the campaign’s rapid redeployment necessitates extreme caution. Relying solely on bookmarked links remains the most effective defense.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.