In a troubling reminder of the growing sophistication of crypto scams, one DeFi user lost over $1.23 million in Uniswap NFTs after unknowingly interacting with a phishing website promoted through Google Ads.
The incident, which occurred on Monday, July 21, highlights a dangerous trend: scammers are leveraging trusted platforms like Google to trick unsuspecting users into signing away their assets. In this case, a user was led to a fraudulent website designed to mimic the Uniswap interface. Once there, they were prompted to sign what appeared to be a harmless transaction.
But that single signature was all the scammers needed.
A Single Signature, Millions Lost
According to blockchain security platform Scam Sniffer, the malicious transaction included a hidden approval clause essentially granting the attacker ongoing access to all assets in the user’s wallet. With this approval in place, the attacker swiftly drained the victim’s Uniswap V3 NFTs.
What makes this attack particularly dangerous is that no private keys were stolen. The user didn’t hand over seed phrases or passwords they simply signed a smart contract that seemed legitimate. That’s all it took.
Phishing Sites Thrive on Google Ads
Scam Sniffer didn’t identify the exact phishing domain used in this case, but noted that these scams are alarmingly common across the web especially on Google Ads. Fraudsters often employ Punycode, a technique that uses characters from other alphabets (like Cyrillic) to create URLs that look nearly identical to real ones. For example, “uniswap.com” could be subtly altered to trick the human eye, all while bypassing casual scrutiny.
These fake sites are then promoted via Google Ads, often appearing as the top search result when users look up legitimate platforms like Uniswap, Aave, or MetaMask. That means even the most cautious users can be lured into clicking on a scam especially if the top link looks official.
A Bigger Problem for Google?
This isn’t just a one-off case. The sheer volume of phishing sites appearing through Google Ads suggests a deeper problem. Critics argue that Google isn’t doing enough to vet its advertisers, despite the clear harm to users and the crypto industry.
Worse still, Google is profiting from the clicks earning revenue from each interaction with these malicious ads.
The Bottom Line
This latest scam is a harsh wake-up call for the crypto community. Even a simple click on a search result can lead to devastating losses if users aren’t careful. It also puts pressure on platforms like Google to take responsibility for the ads they host especially when they’re being used to facilitate multi-million dollar thefts.
