Fake Google Ads Used To Steal Seed Phrases and Drain Crypto Wallets

Cybersecurity organization SEAL (Security Alliance) has issued a critical warning about a sustained and escalating campaign in which threat actors are weaponizing Google Ads to target cryptocurrency users, deploying sophisticated phishing infrastructure to steal seed phrases and drain wallets with malicious drainer software.

In March 2026, SEAL observed a significant surge in malicious Google Ads activity targeting DeFi applications, wallets, and other cryptocurrency services.

Over a three-week window alone, analysts successfully blocked 356 malicious advertisement URLs, a number that reflects a steady weekly volume maintained for over a year, and the campaign is still growing, with reports from affected users continuing to increase.

Google has since suspended all advertiser accounts identified in SEAL’s report.

How the Attack Works

Threat actors behind this campaign are operating at a sophisticated level, exploiting two key access vectors: hacked advertiser accounts and verified accounts purchased from criminal marketplaces.

Rather than registering new, suspicious domains, attackers abuse high-reputation Google-owned URLs such as sites.google.com, docs.google.com, and business.google.com as their primary display frames.

Because Google Search renders these URLs with legitimate titles, descriptions, and logos, the ads appear completely authentic to unsuspecting users.

Fake Ads Drain Wallets (Source: securityalliance)

The core evasion technique involves cloaking and fingerprinting.

A three-component payload architecture separates the attack surface across multiple hosts: a thin entry document hosted on Arweave’s permanent decentralized storage (irys.xyz), a full-clone frontend application served from a Cloudflare Workers instance (workers.dev), and obfuscated malicious scripts totaling 2.7 MB.

Critically, Google’s automated ad review systems may inspect only the benign primary frame; the actual attack payload is loaded independently in a nested iframe that is invisible to automated scanners.

A Traffic Distribution System (TDS) redirects non-targeted users (those in the wrong geography, on the wrong OS, or using developer tools) to a harmless Wikipedia page, effectively shielding the attack from researchers.

Fake Ads Drain Wallets (Source: securityalliance)

The most technically alarming component is a man-in-the-middle proxy layer embedded in the cloned interface.

Two configuration scripts, api-config.js and config.js, monkey-patch both window.fetch and XMLHttpRequest, silently rerouting all network calls through the attacker’s backend domain (thirdtemple.top).

This means every Ethereum RPC call, including eth_sendTransaction and eth_signTypedData, passes through attacker-controlled servers before reaching any real node, giving operators complete real-time visibility into wallet addresses, balances, and transaction data.

The Uniswap GraphQL endpoint is similarly proxied, letting attackers monitor active token positions and inject targeted payloads based on individual victim wallet balances.
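Two defender-side checks for the proxy layer described above, written as an added example rather than code from SEAL's report or from the campaign itself: the first asks whether `window.fetch` and `XMLHttpRequest` still resolve to the engine's native bindings or to JavaScript wrappers, and the second classifies an outgoing JSON-RPC request by destination host and by whether it carries a signing or sending method. The scope objects, the sample request body and the allowlisted node host (`rpc.example-node.invalid`) are constructed for the demonstration; `thirdtemple.top` is the backend domain named in the article, and `eth_sign`, `personal_sign` and `eth_blockNumber` are standard Ethereum provider methods added alongside the two the article names.

```javascript
// Added example (not code from SEAL's report or the campaign): two
// defender-side checks for the behaviour described in the article.
//  1. auditNetworkPrimitives(): does window.fetch / XMLHttpRequest still
//     point at the engine's native binding, or at a JavaScript wrapper?
//  2. inspectRpcRequest(): does an outgoing JSON-RPC body carry a
//     signing/sending method, and is it headed for an expected node host?

// Wallet-affecting JSON-RPC methods worth alerting on. The first two are
// named in the article; eth_sign and personal_sign are standard Ethereum
// provider methods added here for completeness.
const SENSITIVE_RPC_METHODS = new Set([
  'eth_sendTransaction',
  'eth_signTypedData',
  'eth_sign',
  'personal_sign',
]);

// A pristine engine binding stringifies as "function name() { [native code] }".
// A monkey-patch written in JavaScript exposes its own source text instead.
// Caveat: a Proxy around a function, or an overridden toString, also passes
// this test, so treat a clean result as absence of evidence only.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Walk the usual patch points in a window-like scope and report any that no
// longer resolve to native code. Returns an array of { name, reason }.
function auditNetworkPrimitives(scope) {
  const findings = [];
  const report = (name) => findings.push({ name, reason: 'non-native binding' });

  if (scope.fetch !== undefined && !isNativeFunction(scope.fetch)) report('fetch');

  const xhr = scope.XMLHttpRequest;
  if (xhr !== undefined) {
    if (!isNativeFunction(xhr)) report('XMLHttpRequest');
    for (const method of ['open', 'send']) {
      const fn = xhr.prototype && xhr.prototype[method];
      if (fn !== undefined && !isNativeFunction(fn)) report(`XMLHttpRequest.prototype.${method}`);
    }
  }
  return findings;
}

// Classify one outgoing request: which host it targets, whether that host is
// on the caller's allowlist, and which sensitive JSON-RPC methods it carries
// (single calls and batch arrays both handled; non-JSON bodies yield none).
function inspectRpcRequest(url, body, allowedHosts) {
  const result = { host: null, hostAllowed: false, sensitiveMethods: [] };
  try {
    result.host = new URL(url).host;
  } catch {
    return result; // malformed URL: nothing more to say
  }
  result.hostAllowed = allowedHosts.includes(result.host);

  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return result;
  }
  const calls = Array.isArray(parsed) ? parsed : [parsed];
  for (const call of calls) {
    if (call && typeof call.method === 'string' && SENSITIVE_RPC_METHODS.has(call.method)) {
      result.sensitiveMethods.push(call.method);
    }
  }
  return result;
}

// --- constructed sample input (runs under Node without a browser) ---

// Stand-in for an untouched binding: any engine-native function stringifies
// the same way a pristine window.fetch does in a browser.
const nativeStandIn = Array.prototype.indexOf;

const cleanScope = { fetch: nativeStandIn };

// Simulated monkey-patched scope: JavaScript wrappers in place of natives.
// (These wrappers only pass calls through; they do not reroute anything.)
const patchedScope = {
  fetch: function fetch(input, init) { return nativeStandIn.call([], input, init); },
  XMLHttpRequest: class XMLHttpRequest { open() {} send() {} },
};

// Constructed request: a batch with one signing call, headed for the backend
// domain named in the report rather than the app's own node. The allowlisted
// host is a placeholder.
const SAMPLE_URL = 'https://thirdtemple.top/rpc';
const SAMPLE_BODY = JSON.stringify([
  { jsonrpc: '2.0', id: 1, method: 'eth_blockNumber', params: [] },
  { jsonrpc: '2.0', id: 2, method: 'eth_sendTransaction', params: [{}] },
]);
const ALLOWED_RPC_HOSTS = ['rpc.example-node.invalid'];

console.log('clean scope findings:', auditNetworkPrimitives(cleanScope));
console.log('patched scope findings:', auditNetworkPrimitives(patchedScope));
console.log('request verdict:', inspectRpcRequest(SAMPLE_URL, SAMPLE_BODY, ALLOWED_RPC_HOSTS));
```

In a real page the audit has to run inside the same frame as the cloned application, since the article notes the payload lives in a nested iframe with its own `window`; a check in the parent frame sees nothing. The native-code test is a cheap first signal, not proof: a `Proxy` wrapper and an overridden `toString` both pass it, which is why the stronger control remains the one SEAL's report implies, namely the destination host of the request and the domain the user actually landed on, rather than anything observable from inside the attacker-controlled frame.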

Fake Ads Drain Wallets (Source: securityalliance)

SEAL is tracking three primary payload categories deployed through these campaigns.

The first involves cryptocurrency drainers: in-browser JavaScript that tricks users into signing malicious transactions, effectively handing control of their wallets to the attacker.

Inferno Drainer and Vanilla Drainer are the two most observed families, both operating as drainer-as-a-service (DaaS) platforms that charge operators 20% of all stolen proceeds in exchange for built-in obfuscation, transaction signature generation, and automated deployment infrastructure.

The second payload category targets hardware wallet users with seed-phrase stealers: cloned interfaces for platforms like Ledger that prompt victims to enter their wallet recovery phrase directly on a fraudulent site.

The third category involves malicious browser extensions distributed via direct Chrome Web Store links that silently capture recovery phrases in the background.


The post Fake Google Ads Used To Steal Seed Phrases and Drain Crypto Wallets appeared first on Cyber Security News.
