A fake website impersonating Uniswap has drained funds from multiple crypto wallets, with scammers controlling at least $400,000 in stolen assets. On-chain analyst b-block warned users to rely on official links and verify protocols via DefiLlama. The incident is part of a broader wave of malicious Google Ads: security group SEAL reports that over 356 malicious ad URLs were blocked between March 13 and March 30, and confirmed losses from those campaigns already exceed $1.27 million.
Uniswap impersonation leads the pack
Uniswap was the most targeted platform, accounting for 41% of the malicious sites SEAL tracked during that period. Other platforms hit include Morpho Finance, PancakeSwap, Hyperliquid, CoW Swap, and 1inch. Attackers used hacked or fraudulently obtained Google advertiser accounts, then employed cloaking, fingerprinting, and nested iframe delivery to bypass Google's automated ad reviews. Fake ads often used trusted Google services like sites.google.com and docs.google.com to appear legitimate.
How the scammers bypassed Google
The infrastructure behind these campaigns is surprisingly advanced. Attackers used Cloudflare Workers, Arweave-hosted payloads, traffic redirection systems, and proxy layers that could intercept Ethereum RPC requests and monitor user activity in real time. Crypto drainer families Inferno Drainer and Vanilla Drainer were the most commonly used malware, tricking users into signing malicious transactions or entering recovery seed phrases. The actual financial damage is likely significantly higher than the $1.27 million confirmed so far, because unattributed losses aren't included in that figure.
Phishing hits Ledger and Robinhood users
Separate phishing campaigns targeted hardware wallet users and exchange customers. Ledger users received fraudulent emails after a data breach at Ledger's third-party e-commerce partner Global-e, requesting 24-word recovery phrases on fake websites. Meanwhile, Ripple CTO David Schwartz warned of a phishing campaign that sent fake security alerts appearing to come from Robinhood's official email system, exploiting the account creation flow. Robinhood confirmed the issue but stated no systems were breached and no funds were affected.
The scale of these coordinated attacks raises questions about how quickly platforms like Google can clamp down on malicious ad infrastructure — and whether users can trust search results when looking for a DeFi protocol. For now, the advice from b-block and SEAL is blunt: double-check every URL, and don't click the sponsored link.
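The "double-check every URL" advice, and the reason pages on sites.google.com and docs.google.com pass a casual look, can be shown as an exact-host allowlist check. This is an added example, not code from SEAL, b-block or any project named above; the allowlist entry `app.uniswap.org`, the function names and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: exact hostnames copied from each project's own published links.
OFFICIAL_HOSTS = {"app.uniswap.org"}
# Shared hosting named in the article: anyone can publish a page under these hosts.
SHARED_HOSTS = {"sites.google.com", "docs.google.com"}


def naive_trust(url: str) -> bool:
    """The casual check users apply: a familiar domain or brand name is visible."""
    host = urlsplit(url).hostname or ""
    return host.endswith("google.com") or "uniswap" in url.lower()


def classify(url: str) -> str:
    """Return "ok" only for an exact allowlisted host over HTTPS."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "reject: not https"
    if parts.username is not None or parts.password is not None:
        # Text before "@" is userinfo, not the host the browser connects to.
        return "reject: userinfo in URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "reject: no host"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "reject: non-ASCII or punycode host"
    if host in SHARED_HOSTS:
        return "reject: user content on shared host"
    if host in OFFICIAL_HOSTS:
        return "ok"
    brands = {h.split(".")[-2] for h in OFFICIAL_HOSTS}
    if any(brand in host for brand in brands):
        return "reject: lookalike"
    return "reject: not on allowlist"


if __name__ == "__main__":
    samples = [  # constructed URLs, not indicators from the campaigns
        "https://app.uniswap.org/swap",
        "https://sites.google.com/view/constructed-uniswap-page",
        "https://app.uniswap.org@wallet-connect.example/",
        "https://app.uniswap.org.swap-login.example/",
    ]
    for url in samples:
        print(f"{classify(url):40} naive={naive_trust(url)}  {url}")
```

Every rejected sample still passes `naive_trust`, which is the gap these ad campaigns rely on.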




