Google Ads Crypto Scams
- Malicious Google Ads are being used to target crypto users with wallet-draining scams and seed-phrase theft.
- Security researchers report attackers exploit ad placements to phish seed phrases and distribute wallet-draining malware.
- As ad automation increases, verification needs to scale and businesses must guard against new ad-platform exploitation paths (gbhackers.com) (cybersecuritynews.com).
Crypto users searching Google for wallet apps and trading sites are being steered into paid ads that steal recovery phrases or trick them into signing away funds. (securityalliance.org)

Security Alliance, or SEAL, said on April 21 that it had blocked more than 356 malicious ad URLs in recent weeks and saw a “significant uptick” in March 2026. The group said the campaigns have run at a steady weekly volume for more than a year. (securityalliance.org)

A wallet drainer is code that pops up a real-looking crypto transaction and gets the victim to approve it; once signed, the attacker gains control of the assets. SEAL said other ads sent users to cloned sites that asked directly for a seed phrase, the recovery words that unlock a wallet. (securityalliance.org)

SEAL said the ads targeted decentralized finance sites, wallets, and hardware-wallet brands including Ledger. It also said some campaigns pushed malicious browser extensions through direct links to the Chrome Web Store. (securityalliance.org)

The campaigns worked by abusing Google’s ad-review system rather than breaking crypto software itself. SEAL said attackers used hacked advertiser accounts or bought verified ones, then hid malicious destinations behind high-reputation Google-hosted pages such as sites.google.com, docs.google.com, and business.google.com. (securityalliance.org)

Google’s own policy pages say some crypto ads are allowed, but ads for decentralized finance trading protocols and unhosted software wallets are prohibited. Google also says impersonation, scamming users, and other misrepresentation can trigger immediate account suspension without warning. (support.google.com 1) (support.google.com 2)

SEAL said Google suspended all advertiser accounts listed in its report after the group documented them. The researchers also said automated checks were being bypassed often enough that they now advise crypto users and organizations not to use Google Search to find crypto applications. (securityalliance.org)

The mechanics are simple: a fake ad appears above the real result, the landing page copies a familiar brand, and the theft happens when the user enters a seed phrase or approves a transaction. SEAL said two drainer families, Inferno Drainer and Vanilla Drainer, appeared most often in the campaigns it tracked. (securityalliance.org)

Those tools are sold as services to other criminals. SEAL said Inferno Drainer and Vanilla Drainer include obfuscation, malicious signature generation, and automated deployment, and take 20% of proceeds from each successful theft. (securityalliance.org)

Google’s Transparency Center says its ad policies are meant to define what is acceptable on the platform. SEAL’s warning shows the gap between written rules and paid search results can still be large enough for a fake wallet link to outrank the real one. (transparency.google) (securityalliance.org)
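
A defender-side triage of ad landing URLs for the pattern described above, where ads hide their destinations behind Google-hosted pages or link straight to the Chrome Web Store. This is an added example, not code from SEAL or Google; the function names, the brand allowlist and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Google-hosted services the SEAL report names as fronts for malicious destinations.
GOOGLE_HOSTED_FRONTS = {"sites.google.com", "docs.google.com", "business.google.com"}
# Chrome Web Store host; the report says some ads linked directly to extensions.
EXTENSION_STORES = {"chromewebstore.google.com"}
# Assumption: a brand -> official-domain allowlist maintained by the defender.
OFFICIAL_DOMAINS = {"ledger": {"ledger.com"}}


def _host(url: str) -> str:
    """Return the real network host, ignoring userinfo tricks like brand.com@other."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""
    return host.rstrip(".").lower()


def _in_domain(host: str, domain: str) -> bool:
    # Match on a label boundary so "ledger.com.evil.example" does not pass.
    return host == domain or host.endswith("." + domain)


def classify_ad_destination(brand: str, url: str) -> str:
    """Classify the landing URL of a paid ad shown for a brand search."""
    host = _host(url)
    if not host:
        return "invalid"
    if host in GOOGLE_HOSTED_FRONTS:
        return "google-hosted-front"
    if host in EXTENSION_STORES:
        return "extension-store-link"
    officials = OFFICIAL_DOMAINS.get(brand.lower(), set())
    if any(_in_domain(host, d) for d in officials):
        return "official"
    return "brand-mismatch"


# Constructed sample of (searched brand, ad landing URL) pairs, e.g. from proxy logs.
SAMPLE_CLICKS = [
    ("ledger", "https://www.ledger.com/ledger-live"),
    ("ledger", "https://sites.google.com/view/constructed-example"),
    ("ledger", "https://chromewebstore.google.com/detail/constructed-id"),
    ("ledger", "https://ledger.com.evil.example/start"),
    ("ledger", "https://ledger.com@evil.example/"),
]


def triage(clicks):
    """Return only the clicks that need analyst review, with their verdicts."""
    verdicts = [(b, u, classify_ad_destination(b, u)) for b, u in clicks]
    return [v for v in verdicts if v[2] != "official"]
```

A Google-hosted or Web Store destination is not malicious by itself; the verdicts mark clicks for review because a brand's ad would normally land on the brand's own domain.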