Google Ads Weaponized for Crypto Theft

The traditional security perimeter is shifting. Malicious actors are increasingly bypassing technical firewalls by exploiting the one thing users trust most: the search engine results page (SERP). We are witnessing a sophisticated evolution in phishing, where malicious Google Ads are being weaponized to target DeFi enthusiasts and crypto holders, aiming to drain liquidity from wallets and harvest sensitive seed phrases through highly convincing social engineering.

Recent intelligence gathered by SEAL reveals a sustained, technically mature operation. These threat actors aren’t just running simple scams; they are executing advanced campaigns designed to evade Google’s automated heuristic defenses while simultaneously targeting both retail investors and established crypto organizations.

The scale of this activity is immense. In a single window of just a few weeks, SEAL successfully mitigated more than 356 malicious ad URLs. This high churn rate indicates a “disposable infrastructure” model, where attackers rapidly deploy new landing pages and ad creatives the moment an older version is flagged and taken down.

While Google has responded by suspending several identified advertiser accounts, the sheer volume of new incident reports suggests that the broader ecosystem abuse remains a systemic challenge that is far from contained.

SEAL is currently tracking multiple threat actors leveraging Google’s advertising ecosystem to promote counterfeit DeFi applications and wallet services. This wave of activity saw a significant spike in March 2026 and has maintained a steady, high-pressure cadence for over a year.

A threat actor on a crime forum (Source : SEAL).
A threat actor participating in a criminal forum discussion (Source: SEAL).

To maintain their foothold, these campaigns employ sophisticated cloaking and fingerprinting techniques. By analyzing the visitor’s metadata (such as IP address, user agent, and geolocation), the malicious server can distinguish between a legitimate user and a security researcher or Google’s crawling bots. If a bot is detected, the server redirects it to benign content—such as legitimate documentation or Wikipedia—to avoid detection, while only serving the malicious payload to the intended victims.

Exploiting High-Reputation Ecosystems

A key component of this strategy is the abuse of high-reputation Google properties. Attackers utilize domains like sites.google.com, docs.google.com, and business.google.com to serve as the “primary frame” for their advertisements. This ensures that when a user views a search result, the URL, title, and favicon appear entirely legitimate, effectively camouflageing the attack within Google’s own trusted ecosystem.

Response to SEAL notification by one of affected, legitimate, advertisers (Source : SEAL).
An instance of a legitimate advertiser responding to a security notification (Source: SEAL).

The technical “sleight of hand” occurs behind this facade. The malicious payload is typically hosted within secondary iframes or on off-platform infrastructure. Because automated policy scanners often only inspect the high-reputation “wrapper” (the benign Google site), they frequently miss the actual attack surface hidden in the nested layers.

Access to these ad slots is acquired through two primary methods: compromising legitimate advertiser accounts or purchasing “verified” accounts on underground marketplaces. There is documented evidence of high-profile brand accounts, including those associated with major tech corporations, being hijacked to push these fraudulent crypto ads.

SEAL has identified several “Drainer-as-a-Service” (DaaS) families driving these campaigns, most notably Inferno Drainer and Vanilla Drainer. These JavaScript-based tools are designed to intercept and trick users into signing malicious blockchain transactions via their browser. To the user, the interface looks like a standard wallet interaction; in reality, they are granting the attacker permission to transfer all assets to an external address.

Other variants focus on traditional credential harvesting by cloning hardware wallet interfaces, such as Ledger, to prompt users for their recovery phrases, or by distributing malicious Chrome Web Store extensions designed to exfiltrate wallet data.

Description (Source :SEAL).
Technical breakdown of the phishing workflow (Source: SEAL).

The DaaS business model is highly efficient: operators provide the obfuscation, automated deployment, and transaction generation infrastructure, taking a “commission” of approximately 20% from every successful theft. This lowers the barrier to entry, allowing low-skill actors to execute high-impact campaigns.

Deep Dive: Front-End and Proxy Architecture

Modern campaigns utilize a sophisticated three-layer web architecture to maximize evasion and control:

  1. The Entry Layer: A lightweight “entry document” is often hosted on decentralized or Arweave-backed domains (e.g., arweave.mainnet.irys.xyz). This document spoofs the target protocol’s metadata and uses hardcoded configuration variables to point all subsequent requests to a Cloudflare Workers instance.
  2. The Presentation Layer: The cloned front end is often several megabytes in size, creating a near-pixel-perfect replica of platforms like Uniswap. To increase perceived legitimacy, these sites dynamically pull token imagery from trusted sources like CoinGecko or Trust Wallet.
  3. The Proxy/Execution Layer: Obfuscated payloads rely on runtime code construction and compressed strings to hide from static analysis. A Man-in-the-Middle (MitM) proxy layer transparently reroutes all API, GraphQL, and Ethereum RPC traffic through attacker-controlled domains (e.g., thirdtemple.top).

This proxy architecture is particularly dangerous. It grants operators full visibility into the victim’s wallet balances and real-time transaction history, allowing them to inject tailored, high-value payloads based on the specific assets a user holds. Furthermore, these scripts include logic to wipe browser caches and simulate normal behavior to bypass automated security checks.

The ecosystem is currently locked in a high-speed cat-and-mouse game. When a URL is blacklisted by open-source security lists, the backend infrastructure automatically regenerates new ad creatives and landing pages, often burying the final payload behind chains of iframes that mimic commercial Traffic Distribution Systems (TDS).

How to Protect Yourself and Your Organization

As these attacks become more seamless, users must adopt a “Zero Trust” approach to web navigation:

  • Avoid Search-Engine Navigation: Never use Google or Bing to find your wallet or DeFi platform. Instead, rely exclusively on verified bookmarks or manually typed URLs.
  • Use Verified Indexers: Cross-reference services through reputable, crypto-specific tools like DefiLlama.
  • Protect Your Seed Phrase: Under no circumstances should you ever enter your seed phrase, private keys, or recovery data into a web form, regardless of how “official” the website appears.

Related Articles

Back to top button