ChainStreet
WHERE CODE MEETS CAPITAL

Fake Uniswap Google Ads Drain $400K in Phishing Exploit

Scammers weaponize sponsored ads to clone the DeFi interface; security researchers identify two wallets holding the stolen assets.

Uniswap users face an aggressive phishing campaign today as scammers exploit Google’s advertising infrastructure to exfiltrate at least $400,000. The campaign utilizes paid search results to direct unsuspecting traders to counterfeit platforms that mirror the legitimate decentralized exchange interface.

Key Takeaways
  • Scammers utilize fake Google Ads to clone the Uniswap interface and exfiltrate over $400,000 from decentralized finance users.
  • Security researchers track stolen assets to two specific attacker addresses holding nearly four hundred thousand dollars in exfiltrated digital tokens.
  • Malicious actors outbid Uniswap for official brand keywords, turning Google sponsored search results into a high-velocity vector for drainage scripts.

On-chain analyst b-block issued an alert Monday, identifying a network of malicious websites draining funds from connected wallets. Attackers reportedly purchased sponsored search results for the keyword “Uniswap” to capture traffic from users looking for the protocol’s swap interface.

Security researchers tracked the stolen assets to two primary attacker addresses: 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb and 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2. Stacy Muur, founder of the marketing agency Green Dots, confirmed that victims clicked on paid Google ads under the impression they were accessing legitimate protocol links.

The Security Alliance (SEAL), a crypto-focused nonprofit, previously documented a sharp increase in Google Search phishing campaigns beginning in March 2026. Malicious actors gained access to legitimate advertiser accounts or outbid protocols for their own brand names to execute these thefts.

The campaign relied on high-quality clones of the Uniswap frontend. Fraudulent advertisements appeared at the top of search results and led users to sites that prompted them to connect wallets and grant broad token approvals. Malicious smart contracts then triggered the immediate drain of assets. Analysts observed that even experienced decentralized finance participants suffered losses due to the precision of the clones.

Law enforcement and security firms recommended that users avoid search-engine navigation for financial applications. Suggested precautions included the use of bookmarks for verified interfaces such as app.uniswap.org and the use of aggregators such as DeFiLlama to confirm protocol URLs. Regular audits of token approvals via services like revoke.cash remained the primary defense against persistent draining scripts.
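
The broad token approvals described above are ordinary contract calls, so a wallet or a review script can classify them before anything is signed. The following is an added example, not code from the article or from any project it names: `inspectApproval`, `encodeSample`, the trusted-spender list and the risk labels are hypothetical, and using the two reported addresses as a spender denylist is an assumption.

```javascript
// Added example: classify approval calldata before a wallet signs it.
const SELECTORS = new Map([
  ["095ea7b3", "approve"],           // approve(address,uint256)
  ["39509351", "increaseAllowance"], // increaseAllowance(address,uint256)
  ["a22cb465", "setApprovalForAll"], // setApprovalForAll(address,bool)
]);
const MAX_UINT256 = (1n << 256n) - 1n;
// Addresses the article names as holding the stolen funds. Treating them as a
// spender denylist is an assumption of this example.
const REPORTED = new Set([
  "0x37925684BA178821b4436E06e67f5dBD6cfA49Bb",
  "0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2",
].map((a) => a.toLowerCase()));

function inspectApproval(calldata, trustedSpenders = []) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  const kind = SELECTORS.get(hex.slice(0, 8));
  if (!kind) return { kind: "other", risk: "none", reasons: [] };
  // A 4-byte selector must be followed by two 32-byte ABI words.
  if (!/^[0-9a-f]{136,}$/.test(hex)) {
    return { kind, risk: "high", reasons: ["malformed calldata"] };
  }
  const spender = "0x" + hex.slice(32, 72); // low 20 bytes of word 0
  const value = BigInt("0x" + hex.slice(72, 136)); // amount, or bool flag
  if (value === 0n && kind !== "increaseAllowance") {
    return { kind, spender, risk: "none", reasons: ["revocation"] };
  }
  const trusted = trustedSpenders.some((a) => a.toLowerCase() === spender);
  const broad = kind === "setApprovalForAll" || value === MAX_UINT256;
  const reasons = [];
  if (REPORTED.has(spender)) reasons.push("spender is on the reported list");
  if (!trusted) reasons.push("spender is not in the trusted list");
  if (broad) reasons.push("grant is unlimited");
  const risk = REPORTED.has(spender) || (!trusted && broad) ? "high"
    : reasons.length ? "medium" : "low";
  return { kind, spender, value, risk, reasons };
}

// Constructed sample input: ABI-encode selector + address + uint256.
function encodeSample(selector, address, value) {
  const word = (h) => h.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + selector + word(address) + word(value.toString(16));
}

console.log(inspectApproval(
  encodeSample("095ea7b3", "0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2", MAX_UINT256)
));
```

A zero-amount `approve` or a `setApprovalForAll(..., false)` is reported as a revocation, which is the transaction an approval audit is expected to produce.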

Persistent challenges in malvertising on major search platforms highlighted the need for heightened vigilance. Even as developers improve protocol-level security, the human element remains a primary vector for exploitation when attackers leverage trusted advertising channels.

Chain Street’s Take

The Uniswap campaign reveals a systemic failure in the screening processes of major search engines. Attackers are effectively paying for the legitimacy that Google’s “Sponsored” tag provides to bypass the critical thinking of retail investors. Decentralized protocols continue to harden their code, yet the gateway to those protocols remains a centralized vulnerability controlled by ad-tech algorithms. As long as search results are for sale to the highest bidder, the responsibility for security falls entirely on the individual to manage approvals and ignore paid results.

Frequently Asked Questions

01. What is a Uniswap phishing scam?

A Uniswap phishing scam uses counterfeit websites to mimic the legitimate protocol interface and steal user digital assets. Scammers purchase Google Ads to place these malicious clones at the top of search engine results pages. Victims unknowingly authorize broad token permissions that allow attackers to drain wallets instantly.

02. Why does this matter for the DeFi industry?

Phishing campaigns via search engines undermine institutional trust in decentralized protocols by targeting the primary entry points for retail traders. High-profile exploits involving Uniswap brand keywords force users to adopt manual verification methods like browser bookmarks. This trend highlights a persistent security failure in the centralized advertising infrastructure used by global tech firms.

03. How do scammers execute Google Ad drainer attacks?

Attackers hijack established advertiser accounts to bypass security filters and outbid legitimate projects for high-traffic financial keywords. Stacy Muur reports that these malicious ads lead users to high-fidelity clones of the app.uniswap.org frontend. Once a wallet connects, the site executes malicious code to transfer all liquid tokens to attacker-controlled addresses.

04. What are the risks of using search results for crypto?

Using search engines to find financial applications exposes users to malvertising risks that bypass standard browser security warnings. Scammers exploit the perceived legitimacy of the Google Sponsored tag to deceive even experienced decentralized finance participants. Security organizations like SEAL recommend auditing active token approvals through services such as revoke.cash to mitigate ongoing threats.

05. How will platforms improve security against phishing?

Major protocols and security groups are advocating for stricter screening protocols within the Google advertising ecosystem to prevent keyword hijacking. Platforms like DeFiLlama and MetaMask encourage users to rely on verified link registries rather than paid search results. The industry is moving toward mandatory hardware-based authentication to block unauthorized permission grants during high-velocity swaps.

Alex Reeve

Alex Reeve is a contributing writer for ChainStreet.io. Her articles provide timely insights and analysis across these interconnected industries, including regulatory updates, market trends, token economics, institutional developments, platform innovations, stablecoins, meme coins, policy shifts, and the latest advancements in AI, applications, tools, models, and their broader implications for technology and markets.

The views and opinions expressed by Alex in this article are her own and do not necessarily reflect the official position of ChainStreet.io, its management, editors, or affiliates. This content is provided for informational and educational purposes only and does not constitute financial, investment, legal, or tax advice. Readers should conduct their own research and consult qualified professionals before making any decisions related to digital assets, cryptocurrencies, or financial matters. ChainStreet.io and its contributors are not responsible for any losses incurred from reliance on this information.