Google Ads abused by hackers for major cryptocurrency heist

Avast cybersecurity
(Image credit: Avast)

A new scam campaign is abusing Google Ads to steal cryptocurrency from victims, researchers have found.

According to a new report from Check Point Research, hundreds of thousands of dollars worth of cryptocurrency was recently stolen from users' crypto wallets by scammers.

While scammers traditionally use email to launch their phishing campaigns, in this case, they placed Google Ads at the top of Google Search imitating popular crypto wallets and platforms including Phantom App, MetaMask and Pancake Swap in an attempt to lure their victims. At the same time, multiple scamming groups are now bidding for wallet-related keywords on Google Ads and are using Google Search as an attack vector to target victims' crypto wallets.

Each of the fake advertisements used in the campaign contain a malicious link that when clicked, directs victims to a phishing site which copies the brand and messaging of the original crypto wallet website. From here, the scammers trick their victims into giving up their wallet passwords in order to steal their contents.

Crypto wallets hacked

Once a victim navigates to the scammers' fake websites, they attempts to steal their passphrase if they already have a crypto wallet with the service or they provide a new passphrase for those creating a wallet for the first time. Either way though, the scammers gain access to a victim's crypto wallet and can then proceed to steal all of their cryptocurrency.

Check Point found 11 compromised wallet accounts with each of them containing between $1k to $10k in cryptocurrency. However, by cross-referencing Reddit forums where victims reported that the funds in their crypto wallets had been stolen, the firm estimates that over $500k was stolen during this past weekend alone.

Head of products vulnerabilities research at Check Point, Oded Vanunu provided further insight in a blog post on how scammers are now using Google Ads in Google Search to deliver their phishing campaigns, saying:

“In our observation, each advertisement had careful messaging and keyword selection, in order to stand out in search results. The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging. And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets. Unfortunately, I expect this to become a fast-growing trend in cyber crime. I strongly urge the crypto community to double check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.”

To avoid falling victim to this scam and others like it, Check Point recommends that users carefully examine all of the URLs they visit in their browser, avoid crypto ads as they could be fake and never give out their passphrase to anyone online.

Following the publication of this story, a Google spokesperson reached out with the following statement on the matter:

"This behavior directly violates our policies and we immediately suspended these accounts and removed the ads. This appears to be a malicious actor looking for ways to evade our detection. We are always adjusting our enforcement mechanisms to prevent these abuses.”

Looking to protect yourself further online? Check out our roundups of the best password manager and best identity theft protection

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.