Fake Uniswap Google Ads Steal $400K
Scammers have stolen at least $400,000 through fake Google advertisements impersonating Uniswap, showing again how sponsored search results are being used to drain crypto wallets.
A phishing campaign using a cloned Uniswap site had already drained multiple wallets by May 26.
Cloned Uniswap Site Copied Real Swap Interface
The fake site closely copied Uniswap’s interface and appeared in sponsored Google search results above legitimate links, according to reporting that cited screenshots shared by Web3 marketer Stacy Muur.
That placement made the scam especially dangerous. Users searching for Uniswap could click the first paid result, connect a wallet and believe they were interacting with the real decentralized exchange.
Similar Uniswap phishing attacks have relied on malicious approval flows. Instead of simply signing a normal swap, users are tricked into granting broad token-transfer permissions to a malicious contract. Once that approval is signed, attackers can move assets without needing the victim’s private key.
SEAL Says Google Ad Phishing Stole $1.27M
The Uniswap campaign fits a wider pattern of crypto phishing delivered through paid search ads. Security Alliance, or SEAL, previously warned of a significant rise in Google Search ad phishing during March. It estimated that such attacks stole about $1.27 million between March 13 and March 30 alone.
SEAL said attackers either buy ads directly or hijack legitimate advertiser accounts. They then use cloned sites, hidden iframes and secondary payloads to evade automated detection. That makes sponsored search results a recurring entry point for wallet-drainer campaigns.
356 Malicious Ad Links Were Blocked
SEAL blocked more than 356 malicious ad links over the past year. That figure shows the Uniswap incident is not isolated. It is part of a persistent campaign targeting DeFi users who rely on search engines to reach crypto applications.
The attack flow is simple but effective. A user clicks a sponsored result, lands on a cloned protocol interface, connects a wallet and signs what looks like a routine transaction. In reality, the approval can give a malicious contract permission to drain assets from the wallet.
DeFi Users Warned to Avoid Sponsored Links
The incident reinforces the security advice already circulating among DeFi teams: avoid sponsored search results for crypto apps, use bookmarked protocol links and verify domains before connecting a wallet.
Users should also review wallet approval prompts carefully before signing, especially when a transaction requests broad token-transfer permissions. The fake Uniswap campaign shows that even experienced users can lose funds quickly when a cloned interface is paired with a malicious Google ad and an unlimited token approval request.
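The approval check described above can be automated before a signature is given. The following is an added example, not code from Uniswap, SEAL or the original report: it decodes the calldata a site asks a wallet to sign and rates approval-type calls by how broad the grant is and whether the spender is on a user-maintained allowlist. The function names, the allowlist, the 2^255 "unlimited" threshold and the sample addresses are assumptions made for illustration.

```javascript
// Added example. Standard 4-byte selectors for the approval-type calls.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
// Assumption: allowances of 2^255 or more are treated as effectively unlimited.
const UNLIMITED_THRESHOLD = 1n << 255n;

// Build ABI-encoded calldata for the constructed samples below.
function buildCalldata(selector, spender, value) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + selector + addr + value.toString(16).padStart(64, "0");
}

// Classify calldata a site asks the wallet to sign. trustedSpenders is a
// user-maintained allowlist of contract addresses (hypothetical policy input).
function reviewApproval(calldata, trustedSpenders) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  const fn = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!fn) return { isApproval: false, risk: "none" };
  const spenderWord = hex.slice(8, 72);
  const valueWord = hex.slice(72, 136);
  // Selector plus two 32-byte words; the address word must be zero-padded on the left.
  if (!/^0{24}[0-9a-f]{40}$/.test(spenderWord) || !/^[0-9a-f]{64}$/.test(valueWord)) {
    return { isApproval: true, fn, risk: "reject", reason: "malformed arguments" };
  }
  const spender = "0x" + spenderWord.slice(24);
  const value = BigInt("0x" + valueWord);
  const trusted = trustedSpenders.some((a) => a.toLowerCase() === spender);
  // A zero value revokes a grant (or, for increaseAllowance, changes nothing).
  const harmless = value === 0n;
  const broad = fn.startsWith("setApprovalForAll") ? value !== 0n : value >= UNLIMITED_THRESHOLD;
  let risk = "low";
  if (!harmless && !trusted) risk = broad ? "critical" : "high";
  else if (!harmless && broad) risk = "medium";
  return { isApproval: true, fn, spender, value, broad, trusted, risk };
}

// Constructed sample addresses, not real contracts.
const TRUSTED_ROUTER = "0x" + "11".repeat(20);
const UNKNOWN_SPENDER = "0x" + "ee".repeat(20);
const MAX_UINT256 = (1n << 256n) - 1n;
// Unlimited approval to a spender that is not on the allowlist.
const drainer = buildCalldata("095ea7b3", UNKNOWN_SPENDER, MAX_UINT256);
console.log(reviewApproval(drainer, [TRUSTED_ROUTER]).risk); // critical
```

A "critical" or "reject" result is the case the article warns about: a broad grant to a contract the user has never chosen to trust.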