Google Ads Crypto Scams
- Two cybersecurity reports found malicious Google Ads used to target crypto users with wallet-draining schemes and seed-phrase theft.
- Researchers observed this ad-based campaign peaking in March 2026, indicating a recent surge in attacks.
- The findings underscore advertising channels as an active attack surface for high-value financial frauds (gbhackers.com) (cybersecuritynews.com).

Crypto users searching Google for wallet tools and DeFi apps are being funneled into scam ads that steal seed phrases or drain wallets. (gbhackers.com)

A seed phrase is the master backup for a crypto wallet; anyone who gets it can rebuild the wallet and empty the funds. SEAL said attackers used Google Ads to push fake versions of wallet services and decentralized finance (DeFi) apps, then captured those phrases or tricked users into signing malicious transactions. (gbhackers.com)

SEAL said it blocked more than 356 malicious ad URL destinations in a few weeks, and said the activity spiked in March 2026 after running at a steady pace for more than a year. Google suspended the advertiser accounts SEAL identified, but new incident reports kept coming in, according to the report summarized by GBHackers. (gbhackers.com)

The mechanics are simple: the ad looks legitimate, the landing page copies a real crypto brand, and the victim is asked to connect a wallet or type a recovery phrase. In drainer attacks, the theft happens after the victim approves a blockchain transaction that quietly hands control of assets to the attacker. (gbhackers.com) (cybersecuritynews.com)

Researchers said the ad campaigns use cloaking, a filtering trick that shows harmless pages to Google reviewers and security scanners while sending selected users to scam pages. One separate 2026 analysis of a service called 1Campaign said the tool was built to beat Google Ads review by blocking most traffic from cloud providers, scanners, and other likely investigators. (gbhackers.com) (cybersecuritynews.com)

SEAL said some of the ads also abused trusted Google properties including sites.google.com, docs.google.com, and business.google.com so the sponsored result displayed a convincing Google-hosted address. The malicious content then loaded through secondary frames and outside infrastructure that automated checks could miss. (gbhackers.com)

The campaigns did not rely on a single theft method. SEAL said it saw both drainer-as-a-service kits, including Inferno Drainer and Vanilla Drainer, and seed-phrase phishing pages that cloned hardware-wallet brands such as Ledger or pushed malicious browser extensions through Chrome Web Store links. (gbhackers.com)

This fits a broader fraud pattern in which attackers buy trust instead of building it. Microsoft said in an April 16, 2025 fraud report that AI tools are making it faster and cheaper to create convincing fake websites, reviews, and storefronts at scale. (microsoft.com)

For crypto users, the weak point is often the search result itself: the scam appears before the real site, carries a familiar logo, and asks for one irreversible action. Once a seed phrase is entered or a malicious transaction is signed, there is usually no chargeback, password reset, or bank fraud desk to reverse it. (gbhackers.com) (cybersecuritynews.com)
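
For defenders triaging ad destinations, the Google-hosted landing pages with secondary frames described above suggest a simple check: when a sponsored result resolves to one of the named Google properties, list any frames that load from other hosts. The sketch below is an added example, not code from SEAL or either report; the first-party suffix list, the function names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Google properties the report names as abused ad destinations.
TRUSTED_AD_HOSTS = {"sites.google.com", "docs.google.com", "business.google.com"}
# Assumption: suffixes treated as first-party for this heuristic.
FIRST_PARTY_SUFFIXES = ("google.com", "gstatic.com", "googleusercontent.com")


class FrameCollector(HTMLParser):
    """Collects src attributes of <iframe>, <frame> and <embed> elements."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame", "embed"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def is_first_party(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def external_frames(landing_url, html):
    """Return frame URLs on a Google-hosted landing page that load from other hosts."""
    if (urlsplit(landing_url).hostname or "").lower() not in TRUSTED_AD_HOSTS:
        return []  # heuristic only covers the Google-hosted case
    collector = FrameCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        absolute = urljoin(landing_url, src)  # resolves relative and //host forms
        parts = urlsplit(absolute)
        if parts.scheme in ("http", "https") and not is_first_party(parts.hostname):
            flagged.append(absolute)
    return flagged


# Constructed sample input, not taken from the report.
SAMPLE_URL = "https://sites.google.com/view/example-wallet"
SAMPLE_HTML = """
<iframe src="https://www.google.com/maps/embed?pb=1"></iframe>
<iframe src="//wallet-connect.example.net/app" width="100%"></iframe>
<iframe src="/view/example-wallet/help"></iframe>
"""
```

This inspects static HTML only; frames injected by script need the rendered DOM, and because of the cloaking the article describes, a fetch from scanner or cloud infrastructure may return a harmless page.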