Malicious Google Ads hit crypto users

- Security reports show malicious Google Ads are steering crypto users to fake sites that drain wallets or steal seed phrases. (gbhackers.com)
- The attacks use ad placements to impersonate legitimate services, tricking users into exposing wallet keys or signing harmful transactions. (cybersecuritynews.com)
- The incidents highlight how trusted distribution surfaces can be abused for targeted financial scams. (cybersecuritynews.com)

Crypto users searching Google for wallets and trading tools are being routed through malicious ads to fake sites that steal seed phrases or drain funds. (gbhackers.com) The bait is simple: attackers buy sponsored placements that mimic legitimate crypto brands, then send victims to lookalike pages asking them to connect a wallet, enter a recovery phrase, or approve a transaction. Security reporting published April 22, 2026 described the campaign as a growing pattern tied to decentralized finance apps and wallet services. (gbhackers.com)

A seed phrase is the master backup for a crypto wallet, like the only spare key to a bank vault. Once a victim types that phrase into a phishing page, or signs a malicious transaction from a fake site, attackers can move assets out of the wallet with little chance of recovery. (cybersecuritynews.com, cloud.google.com)

The tactic works by abusing a trusted surface: the sponsored result at the top of a Google search page. Guardio researchers previously documented a related ad abuse method, dubbed “MasquerAds,” that used Google’s advertising system to place rogue promoted results and redirect users to phishing pages controlled by threat actors. (guard.io)

Crypto users have been a repeated target because a successful theft can be immediate and irreversible. SentinelOne said in 2025 that its “FreeDrain” operation had identified more than 38,000 subdomains tied to a large crypto-phishing network built to capture wallet seed phrases from people searching for wallet-related terms. (sentinelone.com)

Google says it is already fighting abuse at scale. In its 2025 Ads Safety Report, published in April 2026, the company said it blocked or removed more than 8.3 billion ads in 2025, suspended 24.9 million advertiser accounts, and took action on 602 million scam-related ads linked to 4 million accounts. (blog.google)

Google also maintains a certification regime for some cryptocurrency advertising. Its Ads policy says certain cryptocurrency exchanges and software wallets can advertise only if they comply with local law and receive Google certification, a rule meant to limit deceptive promotions in a category the company calls “complex and evolving.” (support.google.com, support.google.com)

Researchers have also reported tools built specifically to slip malicious ads past ad reviews. Cyber Security News reported in February 2026 that a cloaking platform called “1Campaign” helped criminals show different content to Google’s systems and to real users, a technique used in phishing and crypto-theft campaigns. (cybersecuritynews.com)

The pattern is wider than crypto. Malwarebytes reported in January 2025 that criminals were buying fake Google Ads ads to steal advertiser accounts, and Google’s own fraud advisory in May 2025 said “malvertising” was being used against people with crypto wallets and other high-value targets. (malwarebytes.com, blog.google)

The immediate problem for users is that the scam starts before any wallet warning appears: at the search result itself. Once a fake ad looks close enough to a real brand, one click can hand over the phrase, the signature, or the money. (gbhackers.com, guard.io)
