Google search advertising is being exploited in a widening campaign that lures cryptocurrency users to convincing fake sites, where attackers steal seed phrases, hijack wallet sessions and drain digital assets within minutes. Security researchers tracking the operation say the abuse is no longer sporadic but part of a sustained and technically refined effort that targets people searching for DeFi services, wallet tools and other crypto platforms.
What makes the campaign especially dangerous is the use of Google’s own trusted web properties as part of the deception. Attackers have been using display frames and redirect paths tied to services such as Google Sites, Google Docs and Google Business pages so that advertisements appear legitimate at a glance, often carrying familiar branding, polished copy and links that do not immediately look suspicious. For a user typing the name of a wallet or exchange into search, the fake listing can resemble the real thing closely enough to lower suspicion before the click is made.
Researchers say the infrastructure behind the scheme has been engineered to evade both automated ad screening and manual inspection. In one observed pattern, the visible page shown to scanners is benign, while the malicious content is loaded separately through hidden layers once a target fits the attacker’s criteria. Traffic is filtered by geography, operating system and browser behaviour, and people who appear to be analysts or automated systems can be bounced to harmless destinations such as Wikipedia. That selective cloaking allows the campaign to stay active for longer and makes takedowns harder.
The theft methods vary, but they follow a familiar logic: gain trust, prompt urgency and move quickly. One route is the classic seed-phrase trap, where a counterfeit wallet or support page asks the victim to restore access by entering recovery words that should never be shared online. Another route is the browser-based drainer, which persuades the user to connect a wallet and approve what appears to be an ordinary transaction or signature request. Once permission is granted, the malicious code can transfer tokens, empty balances or selectively seize the most valuable assets. Security researchers describe this as a highly automated form of theft rather than a crude one-off scam.
The campaign also reflects how crypto fraud is becoming more modular and commercialised. Drainer operations increasingly resemble a service industry inside cybercrime, with toolkits, affiliate models and revenue-sharing arrangements that allow less skilled operators to run sophisticated scams. In the cases highlighted this week, researchers said two of the most frequently observed drainer families were Inferno Drainer and Vanilla Drainer, both tied to an ecosystem in which operators can rent infrastructure, obfuscation and transaction-generation tools in exchange for a cut of stolen proceeds. That lowers the barrier to entry and helps attacks scale.
Another notable shift is the widening of the target pool beyond individual retail users. The same malicious ad infrastructure has been used against crypto-focused organisations, developers and staff who may be searching for legitimate services as part of their work. Researchers say cloned front ends can include proxy layers that intercept network requests in real time, giving attackers visibility into wallet balances, transaction details and connected accounts before a victim realises anything is wrong. That means the attack is not limited to harvesting passwords or phrases; it can also enable more tailored, high-value theft based on what the victim appears to hold.
This surge comes as Google says it has sharply strengthened its ad safety systems. The company’s latest safety figures show more than 8.3 billion ads were blocked or removed in 2025, with over 99% of policy-violating ads stopped before they ran, alongside the suspension of 24.9 million advertiser accounts. Scam-related enforcement alone covered 602 million ads and 4 million accounts. Those numbers show both the scale of the response and the scale of the abuse still pressing against major ad platforms.
The tension at the centre of the problem is that search advertising remains one of the fastest ways for users to find crypto tools, while the same system gives criminals a route to intercept intent at the exact moment a person is looking for a wallet, bridge or decentralised exchange. That is why malicious search ads continue to matter even after earlier waves of drainer attacks linked to social platforms, cloned websites and poisoned search results. Security firms have been warning for years that victims often lose funds not because they downloaded malware, but because they were nudged into signing the wrong transaction on a page that looked authentic enough.
Follow Arabian Post