Scammers Drain $400K+ via Fake Uniswap Ads on Google Search

Fraudulent advertisements impersonating Uniswap have stolen at least $400,000 from crypto users through Google Search, according to security researchers tracking the campaign. The scam works by placing malicious ads at the top of search results that direct unsuspecting users to fake Uniswap interfaces, where attackers harvest wallet credentials and drain funds.

Security firm SEAL identified and blocked 356 malicious links tied to the phishing operation. The attack represents part of a broader wave of search-based scams targeting DeFi users. In March 2026 alone, similar phishing campaigns across multiple protocols drained $1.27 million total, suggesting attackers are scaling these operations.

The mechanics are straightforward. A user searches for "Uniswap" or "Uniswap swap" on Google. A paid ad appears at the top of results, often with a URL that closely mimics the legitimate uniswap.org domain. Clicking the ad takes the victim to a spoofed site that looks identical to the real Uniswap interface. Once users connect their wallet to execute a trade, the attackers capture their private keys or seed phrases. Funds are then transferred out in minutes.

These attacks are particularly dangerous because Google Search ads appear above organic results, and many users assume top-ranked links are legitimate. The scammers are willing to pay for premium ad placement, suggesting the returns justify the advertising costs. A $400,000 haul makes the ad spend worthwhile even if Google charges thousands per click.

Google maintains policies prohibiting cryptocurrency-related advertisements, yet these malicious ads continue to slip through. The company's ad verification systems appear inadequate for catching sophisticated phishing campaigns that use legitimate-looking landing pages and near-identical domain names. Google did not immediately respond to requests for comment on the campaign or its detection mechanisms.

Phishing scams targeting DeFi protocols through search engines are not new. Similar attacks have targeted MetaMask, 1inch, and other major platforms. What has changed is scale and sophistication. Attackers are now running coordinated campaigns across multiple protocols, suggesting organized groups with resources to test and refine their tactics. The $1.27 million in March losses indicates these operations have moved beyond opportunistic scammers.

Uniswap itself bears no direct responsibility for the attacks, since the protocol is non-custodial and decentralized. There is no central entity that can disable malicious ads or prevent users from visiting phishing sites. The responsibility falls on Google to enforce its own policies, on users to verify URLs before connecting wallets, and on security firms to identify and block malicious infrastructure.

The incident exposes a structural vulnerability in how users discover DeFi protocols. Most crypto users rely on Google Search to find the platforms they need. If that first click can be hijacked, user security depends entirely on their ability to spot a fake URL. For less technical users, this is a losing proposition.

Some argue Google cannot realistically police every malicious ad targeting crypto users, especially when scammers continuously create new domains and adjust their tactics. Phishing attacks also target traditional financial institutions and major tech companies at scale, making this not unique to DeFi.

The $400,000 loss, while painful for victims, represents a small fraction of Uniswap's daily trading volume, which regularly exceeds $1 billion. The attack does not indicate a weakness in the protocol itself, but rather a weakness in how users access it.

For DeFi users, the takeaway is clear: bookmark legitimate protocol URLs, use hardware wallets when possible, and never connect a wallet without triple-checking the domain. For Google and other ad platforms, the pressure is mounting to implement stricter verification for crypto-related ads, even if that means accepting lower ad revenue from the space.