They place fake ads that look exactly like real links to popular crypto applications, and when users click on them, they land on websites designed to drain their wallets or trick them into giving away their secret recovery phrases.
This type of attack is not new, but it has grown sharply in 2026. Activity reached a significant peak in March, and threat actors have been running fake ads every week for more than a year.
These campaigns targeted some of the most widely used platforms, including Uniswap, PancakeSwap, Morpho Finance, Hyperliquid, CoW Swap, and hardware wallet brand Ledger.
The scale and consistency of the operation point to a well-organized criminal effort that shows no sign of slowing down.
SecurityAlliance (SEAL) analysts identified and actively tracked multiple threat actors behind these campaigns.
Researchers noted that attackers are using three types of malicious payloads: cryptocurrency wallet drainers, seed phrase stealers, and fake browser extensions.
Wallet drainers use in-browser JavaScript to push victims into approving a harmful transaction, while seed phrase stealers present a cloned website where users are prompted to type their wallet recovery phrase directly.
Fake browser extensions distributed through Chrome Web Store links round out the attack toolkit. In just a few weeks, SEAL blocked over 356 malicious advertisement URLs, a number that reflects only a fraction of the true scale.
The financial damage confirmed so far is severe. Between March 13 and March 30, 2026, at least $1,274,259 was stolen from victims, with $810,929 directly linked to specific attacks.
A single theft in early March 2026 reached $385,000. SEAL notes that the actual total is likely far greater, since reliable attribution is only possible when victims come forward with full details.
Uniswap was the most impersonated brand at 41% of all detected malicious sites, followed by Morpho Finance at 31%.
How the Attack Infrastructure Works
One of the most revealing aspects of this campaign is the delivery mechanism behind the fake ads. Instead of pointing directly to a harmful page, attackers use a layered architecture that makes the threat invisible to Google’s automated detection systems.
The ad links to a page hosted on trusted Google-owned domains like sites.google.com or docs.google.com, which allows it to pass Google’s review process since the initial URL appears completely safe.
The actual malicious content loads separately through hidden iframes, paired with fingerprinting and cloaking scripts.
These scripts check whether a visitor is a security researcher or a real user, and respond differently in each case. Non-targeted visitors get sent to harmless pages like Wikipedia, while actual users are served a fully cloned version of the target application that looks visually identical to the original.
A man-in-the-middle proxy layer then intercepts all network traffic generated by the cloned interface, including Ethereum transaction calls, and routes them through the attacker’s backend before they reach any real endpoint.
This gives attackers live visibility into a victim’s wallet balance and activity. When SEAL blocks a malicious URL, the attacker’s system detects it almost immediately and relaunches the campaign with a fresh ad and a new landing page, sometimes within minutes of the takedown.
SEAL urges all cryptocurrency users to stop using Google Search when navigating to crypto applications. Users should save trusted URLs as bookmarks and access them directly every time.
For link verification, cryptocurrency-specific indexing tools like search.defillama.com can confirm the correct site before connecting a wallet.
Organizations managing digital assets should enforce strict direct-URL access policies and avoid clicking any search result, including those labeled as sponsored.
Google has suspended all advertiser accounts identified in this report, but the campaign continues as new accounts are deployed quickly. Staying alert and relying only on bookmarked links remains the most reliable protection available today.
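One way to enforce the direct-URL policy over destinations seen in proxy or DNS logs, as an added example that is not from SEAL or the original article. The allowlist entries, the label names and the sample URLs are assumptions constructed for illustration; the brand list and the two Google hosts come from the article.

```python
from urllib.parse import urlsplit

# Assumption: the organisation's own verified bookmark list (sample entries only).
ALLOWED_HOSTS = {"app.uniswap.org", "www.ledger.com"}
# Brands the article lists as impersonated, without separators.
BRANDS = ("uniswap", "pancakeswap", "morpho", "hyperliquid", "cowswap", "ledger")
# Google-owned hosts the article says the ads point at first.
GOOGLE_HOSTED = {"sites.google.com", "docs.google.com"}


def classify(url: str) -> str:
    """Label a destination: only 'allowed' may be used to connect a wallet."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return "unlisted"
    # .hostname ignores userinfo and port, so "brand.org@other.example"
    # is judged by other.example, the host the browser actually contacts.
    host = (parts.hostname or "").lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return "allowed" if parts.scheme == "https" else "not-https"
    # Brand match on netloc + path with punctuation removed, so
    # "cow-swap" or a brand placed in the userinfo part still matches.
    text = (parts.netloc + parts.path).lower()
    squashed = "".join(ch for ch in text if ch.isalnum())
    brand = any(b in squashed for b in BRANDS)
    if host in GOOGLE_HOSTED:
        return "google-hosted-lure" if brand else "unlisted"
    return "lookalike" if brand else "unlisted"


# Constructed sample destinations, e.g. taken from proxy or DNS logs.
SAMPLE = [
    "https://app.uniswap.org/swap",
    "https://sites.google.com/view/uniswap-app/home",
    "https://app.uniswap.org@login.example/swap",
    "https://app-uniswap.example/",
    "https://en.wikipedia.org/wiki/Decentralized_finance",
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(f"{classify(u):20} {u}")
```

The check sees only the URL, so a Google-hosted page whose address carries no brand name is labelled "unlisted" rather than flagged; the allowlist, not the keyword match, is what keeps it from being used.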
The post Malicious Google Ads Target Crypto Users With Wallet Drainers and Seed Phrase Theft appeared first on Cyber Security News.
