
Deceit in the Search Bar: How Weaponized Google Ads Are Bleeding Crypto Wallets Dry

Published: 22 April 2026 15:06
Category: Security Awareness & Social Engineering
Author: CRYSTALPROXY

Subtitle: A new breed of phishing campaign is hijacking Google Ads to steal seed phrases and siphon digital assets from unsuspecting crypto users.

It starts with a simple search. A crypto investor, perhaps eager to check their DeFi wallet or access a popular trading platform, clicks the top Google ad, confident in the legitimacy of the link. But beneath the trusted branding lies a sophisticated trap, engineered by cybercriminals to bypass even the most vigilant users and drain their digital fortunes in seconds.

Fast Facts

  • Over 350 malicious Google Ads URLs targeting crypto users were blocked in just three weeks by SEAL analysts in March 2026.
  • Attackers abuse Google’s own domains (like sites.google.com and docs.google.com) to make phishing ads appear legitimate.
  • Malicious payloads are split across decentralized storage, Cloudflare Workers, and hidden scripts totaling 2.7 MB.
  • “Drainer-as-a-Service” platforms like Inferno and Vanilla Drainer automate theft and take a 20% cut of stolen funds.
  • Victims are tricked into revealing wallet seed phrases or signing fraudulent transactions, losing all assets instantly.

Anatomy of a Crypto Heist

The latest threat, uncovered by Security Alliance (SEAL), marks a chilling evolution in phishing sophistication. Instead of crude scam sites, attackers now hijack or purchase verified Google advertiser accounts, giving them access to premium ad placements. By leveraging Google-owned domains for their ad display frames, the criminals cloak their operations under the search giant’s trusted façade. To the naked eye, and even to Google’s automated review systems, these ads look flawless.

The attack’s technical backbone is a three-pronged infrastructure: an entry document on Arweave’s decentralized irys.xyz, a pixel-perfect frontend clone hosted on Cloudflare Workers, and nearly three megabytes of obfuscated JavaScript. The real sting, however, is the invisible proxy layer. By secretly rerouting all user wallet communications through their own backend, attackers gain live access to wallet addresses, balances, and every transaction, without the user’s knowledge.

To evade researchers and detection, the system employs cloaking and fingerprinting. If a user doesn’t fit the attacker’s target profile, they’re redirected to a harmless Wikipedia page. But for the unlucky, the cloned sites prompt them to enter their recovery seed phrase or sign a transaction, actions that instantly hand over control of their wallets.

Three main payloads have been observed: in-browser “drainers” that trick users into approving theft, seed-phrase stealers disguised as hardware wallet support, and malicious browser extensions silently siphoning credentials. The most notorious, such as Inferno Drainer and Vanilla Drainer, operate as commercial services, taking a mafia-style cut of every stolen coin.

Conclusion: Trust, Exploited

This campaign’s success is rooted in its exploitation of trust: trust in Google, in familiar interfaces, and in the illusion of security. As attackers continue to innovate, crypto users must learn to question even the most convincing links. In the world of digital assets, vigilance is the last, fragile line of defense.

WIKICROOK

  • Seed Phrase: A seed phrase is a set of words that acts as the master key to a crypto wallet. Anyone with it can access and control your funds.
  • Drainer: A drainer is malware or a service that steals cryptocurrency from wallets, often via phishing or malicious contracts, and is popular in cybercrime.
  • Cloaking: Cloaking is when websites or ads display different content to users and security systems, often to conceal malicious or deceptive activity.
  • Man-in-the-Middle: A Man-in-the-Middle attack occurs when a hacker secretly intercepts and possibly alters communication between two parties, posing as each to the other.
  • Fingerprinting: Fingerprinting is a tracking method that collects unique data from your device or browser to identify and follow you online, even without cookies.