Google Ads abused for crypto scams

Crypto users searching Google for wallets and trading apps are still being routed through paid ads to fake sites that steal seed phrases or drain funds. (securityalliance.org) Security Alliance, or SEAL, said on April 21 that it had tracked multiple threat actors using Google Ads against decentralized finance apps, wallets and other crypto services. SEAL said it blocked more than 356 malicious ad URLs in recent weeks after a sharp increase it first saw in March 2026. (securityalliance.org) The scam is simple: an ad appears above search results, a user clicks, and a cloned site asks for a recovery phrase or prompts a wallet signature that hands control to the attacker. SEAL said some campaigns also pushed malicious browser extensions and used Google-hosted pages such as Sites, Docs and Business profiles to make the ads look legitimate. (securityalliance.org) A wallet drainer is code that tricks a user into approving a bad transaction in the browser, the same way a forged check can move money with a real signature. SEAL said the two drainer families it saw most often, Inferno Drainer and Vanilla Drainer, take 20% of proceeds from successful thefts as part of a “drainer-as-a-service” model. (securityalliance.org) The campaigns matter beyond crypto because they exploit the ad slot users are trained to trust most: the top sponsored result. SEAL said attackers used cloaking and fingerprinting to show clean pages to Google’s automated review systems and different pages to real targets, letting the ads stay live longer. (securityalliance.org) Google says its rules already ban this behavior. Its Misrepresentation policy prohibits ads or destinations that mislead users, and Google’s 2025 Ads Safety Report said the company blocked or removed more than 8.3 billion ads and suspended 24.9 million accounts last year, including 602 million scam-related ads and 4 million scam-linked accounts. (support.google.com, blog.google) Google also says crypto advertising is restricted and, for some categories, requires certification before ads can run. But Google’s own May 2025 scam advisory warned that “malvertising” was targeting people with crypto wallets by steering them to pages that try to bypass browser warnings and steal assets. (support.google.com, blog.google) This is not a new tactic. Check Point Research said in November 2021 that scammers used Google Ads impersonating Phantom, MetaMask and PancakeSwap, and estimated that more than $500,000 in crypto was stolen in days from 11 observed compromised wallets. (checkpoint.com) SEAL said Google has now suspended all advertiser accounts listed in its latest report, but it also told users and crypto companies to avoid Google Search for crypto apps and rely on bookmarked addresses or verified indexes instead. The warning leaves a blunt takeaway for anyone hunting for a wallet download or trading page: the sponsored link can be the trap. (securityalliance.org)