Fake Uniswap Google Ads Drain $400K In Wallet Phishing Scam

On May 26, 2026, on-chain analyst b-block issued a public warning that scammers were actively draining cryptocurrency wallets through fraudulent Google Search advertisements impersonating Uniswap. The attackers purchased sponsored ad placements that appeared above legitimate organic search results for the keyword "Uniswap," directing unsuspecting users to meticulously cloned interfaces. At least $400,000 in funds were confirmed stolen, with two identified attacker wallets (0x37925684BA178821b4436E06e67f5dBD6cfA49Bb and 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2 on Ethereum) collectively holding 146 ETH, worth approximately $306,000 at the time of reporting. The attack leveraged a scam-as-a-service tool known as AngelFerno, a wallet drainer script that operates through in-browser JavaScript. When victims connected their wallets to the phishing site and approved what appeared to be standard Uniswap transactions, the malicious contracts instead granted unlimited token approvals to the attackers. Once approved, funds were drained automatically without requiring private keys or further user interaction. The phishing sites employed Punycode URLs and Google ad cloaking techniques to pass automated ad review checks while still exposing real users to the malicious payload. The incident is part of a much larger pattern documented by Security Alliance (SEAL), which has blocked 356 malicious advertisement links targeting crypto protocols since March 2026. These campaigns have collectively produced $1.27 million in confirmed losses. Uniswap was the most frequently targeted protocol, accounting for 41% of phishing sites, followed by Morpho Finance at 31%, with PancakeSwap, Hyperliquid, CoW Swap, and Ledger also targeted. One prominent victim, crypto trader @ika_xbt, reported losing their entire portfolio in the attack. Uniswap founder Hayden Adams publicly criticized Google and other search platforms for their inadequate response to scam advertisements. Despite repeated reports from security researchers and affected users, the fraudulent ads have continued to appear in search results. The irreversible nature of blockchain transactions means victims have no recourse for recovering stolen funds once approvals are exploited. Users should take several precautionary steps to protect themselves from search ad phishing attacks. Bookmark verified DeFi protocol URLs directly and never access them through search engine results or sponsored ads. Before approving any transaction, carefully verify the website domain matches the official protocol address. Hardware wallets with on-device transaction confirmation provide an additional layer of protection, as they display the actual contract interaction for user review. Regularly checking and revoking unnecessary token approvals using tools like Revoke.cash can also limit exposure to previously compromised approvals. This campaign reflects an escalating trend in which attackers exploit the trust users place in search engine results rather than targeting smart contract vulnerabilities directly. As DeFi adoption grows, phishing through legitimate advertising channels has become one of the most cost-effective attack vectors, underscoring the need for both platform-level protections and individual user vigilance.