In recent months, a concerning trend has emerged involving the malicious use of Google Ads, aimed explicitly at stealing cryptocurrency. Cybercriminals are exploiting these ads to drain digital wallets and harvest sensitive seed phrases from unsuspecting users searching for legitimate decentralized finance (DeFi) applications and wallet services. This alarming tactic has been notably documented by SEAL, a cybersecurity organization that has been actively monitoring and tracking these sophisticated operations.
SEAL’s tracking efforts reveal a persistent and technically advanced campaign that not only targets retail users but also aims at various crypto organizations. The complexity of these operations allows the attackers to cleverly navigate around Google’s automated security measures, making prevention increasingly challenging. In just a short span, SEAL has successfully blocked over 356 malicious ad URLs, highlighting the attackers’ relentless efforts to continuously deploy new ads and landing pages as older ones are rendered inactive.
Despite Google suspending all identified advertiser accounts based on SEAL’s reports, the situation reveals a grim reality. Affected users are still inundating the reporting system with new incidents, indicating that the ecosystem’s abuse remains widespread and not yet curtailed. The ongoing campaigns are significant, with SEAL noting a spike in activity starting in March 2026, which has continued unabated for over a year.
Attackers utilize cloaking and fingerprinting techniques to circumvent Google’s automated review systems. They specifically craft their ads to deliver malicious content only to selected victims, while others are redirected to seemingly harmless pages, such as legitimate documentation or even Wikipedia entries. This manipulation creates a façade that deceives even the most cautious online users.
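The defensive counterpart to the cloaking described above is to never judge an ad landing page from a single fetch. The following added example (not SEAL's tooling, and not code from the article) requests the same URL under several client profiles and reports when the final URL or the visible content diverges between them. The profile header sets and the offline `fake_fetch` stand-in are constructed for illustration; in practice `fetch` would wrap a real HTTP client that follows redirects.

```python
"""Cloaking check: fetch one ad landing URL under several client profiles and
flag divergence.  Added example, not SEAL's tooling.  `fetch` is injected so it
runs offline here; swap in a real HTTP client in practice."""
import hashlib
import re
from itertools import combinations
from typing import Callable, Dict, Tuple

# Profiles a reviewer should compare: clients that look like automated review
# versus what a real searcher looks like.  Header sets are assumptions.
PROFILES: Dict[str, Dict[str, str]] = {
    "review-bot": {"User-Agent": "Mozilla/5.0 (compatible; AdsBot-Google)", "Referer": ""},
    "headless": {"User-Agent": "Mozilla/5.0 HeadlessChrome/120.0", "Referer": ""},
    "searcher": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
                 "Referer": "https://www.google.com/"},
}


def normalize(html: str) -> str:
    """Strip scripts, tags, whitespace and per-request noise so only the
    visible content of the page is compared."""
    html = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", html)
    text = re.sub(r"\b[0-9a-f]{16,}\b", "", text)  # cache busters / request ids
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(html: str) -> str:
    return hashlib.sha256(normalize(html).encode()).hexdigest()


def check_cloaking(url: str,
                   fetch: Callable[[str, Dict[str, str]], Tuple[int, str, str]]) -> dict:
    """Fetch url once per profile; fetch returns (status, final_url, body).
    Report differing final URLs or differing content between any two profiles."""
    seen = {}
    for name, headers in PROFILES.items():
        status, final_url, body = fetch(url, headers)
        seen[name] = {"status": status, "final_url": final_url, "fp": fingerprint(body)}
    findings = []
    for a, b in combinations(seen, 2):
        if seen[a]["final_url"] != seen[b]["final_url"]:
            findings.append(f"{a} lands on {seen[a]['final_url']} but {b} lands on {seen[b]['final_url']}")
        elif seen[a]["fp"] != seen[b]["fp"]:
            findings.append(f"{a} and {b} reach {seen[a]['final_url']} but receive different content")
    return {"url": url, "profiles": seen, "cloaked": bool(findings), "findings": findings}


# Constructed offline stand-in for an HTTP client: a cloaked landing page that
# sends anything not looking like a referred browser to a harmless Wikipedia
# article and everyone else to the wallet-connect page.
def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str, str]:
    ua = headers.get("User-Agent", "")
    if "AdsBot" in ua or "Headless" in ua or not headers.get("Referer"):
        return (200, "https://en.wikipedia.org/wiki/Decentralized_finance",
                "<html><body><h1>Decentralized finance</h1><p>From Wikipedia.</p></body></html>")
    return (200, "https://landing.example.invalid/app",
            "<html><body><h1>Connect wallet</h1><iframe src='https://worker.example.invalid/'></iframe></body></html>")


if __name__ == "__main__":
    report = check_cloaking("https://ad-landing.example.invalid/", fake_fetch)
    for finding in report["findings"]:
        print(finding)
```

Comparing content hashes rather than raw bodies matters because legitimate pages also vary slightly per request (nonces, timestamps); the normalization step keeps those from producing false positives, while a different destination or a different visible page is the signal worth escalating.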
A hallmark of these malicious campaigns is the exploitation of trusted Google properties—like sites.google.com and docs.google.com—for the ads’ primary frame. By doing so, these attackers present what appears to be a convincing URL, title, description, and logo, blurring the lines between legitimate projects and their deceptive counterparts. The malicious payload often lurks in secondary iframes and external infrastructures. Automated policy checks may only inspect this benign appearance, allowing the true nature of the advertisement to escape scrutiny.
Acquiring access to advertising slots is achievable through compromised advertiser accounts or verified accounts procured on underground markets. Notably, access to accounts belonging to reputable brands—like Apple—has been showcased in screenshots posted across crime forums, revealing just how deeply rooted this malicious activity has become.
SEAL’s investigations have also shed light on the emergence of various drainer-as-a-service operators who capitalize on Google Ads to execute their schemes. Among the most prevalent tools being observed are the Inferno Drainer and Vanilla Drainer, both of which utilize JavaScript to mislead users into signing malicious blockchain transactions. This trickery enables attackers to silently transfer control of assets from the victim while maintaining the illusion of normalcy from the user’s interface.
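The drainer pattern above works because the wallet shows the user a raw transaction that a look-alike swap page has requested, and the user signs it without understanding that it hands control of a token to a third party. The added example below (not from the article, SEAL, or any wallet product) is a wallet-side pre-signature triage step: it decodes the standard ERC-20/ERC-721 selectors and explains the effect of the request, flagging approvals to a contract the user has never knowingly dealt with. The assumption that drainers rely on token approvals is a common pattern and not something the article details; the sample request and the `KNOWN_SPENDERS` set are constructed.

```python
"""Pre-signature triage of an EVM transaction request.  Added example, not the
article's or any wallet's code.  Decodes the common token-control selectors and
produces plain-language findings before the user confirms."""
from dataclasses import dataclass
from typing import List, Set

MAX_UINT256 = (1 << 256) - 1
# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance / ERC-721 single approval
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator approval
    "a9059cbb": "transfer(address,uint256)",        # ERC-20 transfer
}


@dataclass
class Finding:
    severity: str   # "info" | "warn" | "critical"
    message: str


def decode_call(data: str):
    """Split calldata into (function name or None, selector, 32-byte words)."""
    data = data.lower()
    data = data[2:] if data.startswith("0x") else data
    sel = data[:8]
    words = [data[i:i + 64] for i in range(8, len(data), 64)]
    return SELECTORS.get(sel), sel, words


def word_to_address(word: str) -> str:
    """An ABI-encoded address is the low 20 bytes of a 32-byte word."""
    return "0x" + word[-40:]


def triage(tx: dict, known_spenders: Set[str]) -> List[Finding]:
    """tx: {'to': token contract, 'data': hex calldata, 'value': hex wei}.
    known_spenders: contracts the user has deliberately approved before."""
    findings: List[Finding] = []
    data = tx.get("data", "0x")
    name, sel, words = decode_call(data)
    if name is None:
        if data not in ("", "0x"):
            findings.append(Finding("warn", f"unrecognised selector 0x{sel}; effect cannot be explained"))
        return findings
    counterparty = word_to_address(words[0])
    trusted = counterparty in {s.lower() for s in known_spenders}
    if name.startswith("approve"):
        amount = int(words[1], 16)
        if amount == MAX_UINT256 and not trusted:
            findings.append(Finding("critical",
                f"unlimited approval of {tx['to']} to unknown spender {counterparty}"))
        elif not trusted:
            findings.append(Finding("warn",
                f"approval of {amount} units of {tx['to']} to unknown spender {counterparty}"))
    elif name.startswith("setApprovalForAll"):
        if int(words[1], 16) != 0 and not trusted:
            findings.append(Finding("critical",
                f"grants {counterparty} control over every token in {tx['to']}"))
    elif name.startswith("transfer"):
        findings.append(Finding("info",
            f"transfers {int(words[1], 16)} units of {tx['to']} to {counterparty}"))
    return findings


# Constructed sample: a swap look-alike asks for an unlimited approval of a token
# to an address the user has never interacted with.
KNOWN_SPENDERS = {"0x" + "cc" * 20}          # constructed: a router the user used before
DRAINER_STYLE_REQUEST = {
    "to": "0x" + "11" * 20,                  # constructed token contract
    "value": "0x0",
    "data": "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32,
}

if __name__ == "__main__":
    for f in triage(DRAINER_STYLE_REQUEST, KNOWN_SPENDERS):
        print(f.severity.upper(), f.message)
```

The check deliberately keys on the counterparty rather than the calling site: a genuine swap front end asks for approval to a well-known router, whereas a clone asks for approval to an address that belongs to the operator, which is exactly the difference a user cannot see in the wallet's default prompt.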
Additionally, these campaigns are not limited to asset theft; they also aim to capture seed phrases through the cloning of hardware wallet sites or the distribution of malicious browser extensions. In particular, attempts have been made to utilize links leading to the Chrome Web Store to entice users to divulge sensitive wallet information.
The advanced campaigns observed utilize a three-layer web architecture designed to avoid detection while maximizing control over victim interactions. A small host document often sits on obscure domains, diverting assets through a hardcoded configuration variable to a Cloudflare Workers instance. By rendering a near-perfect clone of well-known platforms like Uniswap, complete with assets sourced from legitimate sites, these attackers enhance their credibility and lure unsuspecting users.
In a highly automated environment, when URLs are blocked by wallet defenses, the backend operations efficiently relaunch with new advertisements and landing pages. To further complicate matters, multiple chained iframes often disguise the final malicious payload, much like a legitimate traffic distribution system. This unrelenting cycle of deception has led to a significant ongoing struggle between cybersecurity entities like SEAL and the malicious actors operating in this space.
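The layered structure described in the last few paragraphs (a trusted Google property as the visible frame, a small host document on an obscure domain, a hardcoded configuration pointing at a Cloudflare Workers endpoint, and a clone that hot-links the real project's assets) is what an automated policy check misses if it only looks at the top frame. The added example below (not SEAL's code, not from the article) walks the iframe chain from the advertised URL and raises a flag for each of those traits. The `PAGES` corpus, the `.invalid` hosts and the `BRAND_HOSTS` list are constructed for the example; `app.uniswap.org` appears only as the legitimate asset source a clone would reference.

```python
"""Frame-chain analysis of an ad landing page.  Added example (not SEAL's code):
walks nested iframes from the URL the ad shows, records each layer's origin and
flags the pattern the article describes."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TRUSTED_FRONTS = {"sites.google.com", "docs.google.com"}
# Brand domains whose assets a clone would hot-link; constructed list.
BRAND_HOSTS = {"app.uniswap.org"}
# A hardcoded config object whose first URL value names the backend.
CONFIG_RE = re.compile(r"""(?:var|let|const)\s+\w+\s*=\s*\{[^}]*?["'](https?://[^"']+)["']""", re.S)


class RefCollector(HTMLParser):
    """Collect iframe sources, asset references and inline script text."""
    def __init__(self, base):
        super().__init__()
        self.base = base
        self.frames, self.assets, self.inline_js = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.frames.append(urljoin(self.base, a["src"]))
        elif tag in ("img", "script", "link") and (a.get("src") or a.get("href")):
            self.assets.append(urljoin(self.base, a.get("src") or a.get("href")))
        if tag == "script" and not a.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def host(url):
    return urlsplit(url).hostname or ""


def analyze_chain(start_url, fetch_html, max_depth=5):
    """fetch_html(url) -> str.  Follows the first iframe at each layer and
    returns the layers seen plus the flags raised."""
    layers, flags, url, depth = [], [], start_url, 0
    while url and depth < max_depth:
        rc = RefCollector(url)
        rc.feed(fetch_html(url))
        layer = {"depth": depth, "host": host(url), "frames": rc.frames, "assets": rc.assets}
        for js in rc.inline_js:
            for endpoint in CONFIG_RE.findall(js):
                layer.setdefault("config_endpoints", []).append(endpoint)
                if host(endpoint).endswith(".workers.dev"):
                    flags.append(f"layer {depth}: hardcoded config points at Workers host {host(endpoint)}")
        for asset in rc.assets:
            if host(asset) in BRAND_HOSTS and host(url) not in BRAND_HOSTS:
                flags.append(f"layer {depth}: {host(url)} hot-links brand asset from {host(asset)}")
        layers.append(layer)
        url = rc.frames[0] if rc.frames else None
        depth += 1
    hosts = [layer["host"] for layer in layers]
    if hosts and hosts[0] in TRUSTED_FRONTS and any(h not in TRUSTED_FRONTS for h in hosts[1:]):
        flags.append(f"trusted front {hosts[0]} wraps content from {', '.join(hosts[1:])}")
    if len(layers) >= 3:
        flags.append(f"{len(layers)} nested layers: {' -> '.join(hosts)}")
    return {"layers": layers, "flags": flags}


# Constructed offline corpus standing in for live fetches of a three-layer page.
PAGES = {
    "https://sites.google.com/view/example-front":
        '<html><body><h1>Example Swap</h1>'
        '<iframe src="https://obscure-host.invalid/index.html"></iframe></body></html>',
    "https://obscure-host.invalid/index.html":
        '<html><head><script>var CONFIG = {api: "https://clone-app.example.workers.dev/", chain: 1};'
        '</script></head><body><iframe src="https://clone-app.example.workers.dev/"></iframe></body></html>',
    "https://clone-app.example.workers.dev/":
        '<html><body><img src="https://app.uniswap.org/favicon.png">'
        '<script src="/bundle.js"></script></body></html>',
}


def offline_fetch(url):
    return PAGES.get(url, "")


if __name__ == "__main__":
    for flag in analyze_chain("https://sites.google.com/view/example-front", offline_fetch)["flags"]:
        print(flag)
```

The value of walking the chain is that each trait on its own is weak evidence (plenty of legitimate pages use Workers or embed one iframe), but a trusted front that wraps a third-party origin which in turn loads a brand's own assets is the combination the article describes, and the flags list makes that combination visible to a reviewer who would otherwise only see the sites.google.com URL.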
In light of these developments, SEAL recommends that cryptocurrency users and organizations refrain from relying solely on Google Search to navigate to wallet or DeFi applications. Instead, they advise utilizing trusted bookmarks and independently verified URLs to mitigate the risk of falling prey to these scams. Tools specifically developed for crypto indexing, such as DefiLlama’s search portal, can assist users in validating services effectively. Ultimately, it remains crucial that individuals never disclose sensitive information such as seed phrases, private keys, or recovery data via web forms, particularly those accessed through advertising.
With the cyber landscape evolving continuously, the threat posed by malicious Google Ads highlights the urgent need for heightened vigilance among users in the cryptocurrency domain.