Scammers used sponsored Google search ads impersonating Uniswap to steal at least $400,000 from crypto users, according to multiple incident reports and security alerts. The campaign exploited trust in top search results, directing victims from paid ads to near-perfect clone sites that prompted malicious wallet approvals.
The surge around May 2026 showed how off-chain discovery channels can trigger rapid on-chain losses. Attackers did not need to compromise Uniswap itself, because the fraud worked by intercepting users before they reached the legitimate protocol.
Community alert:
A website impersonating Uniswap is draining funds from multiple wallets.
The scammers are currently holding at least ~$400,000.
0x37925684BA178821b4436E06e67f5dBD6cfA49Bb
0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2Please only use official links, and… pic.twitter.com/JikqftTVHY
— b-block (@b_block_oficial) May 25, 2026
Clone Sites Turn Wallet Approvals Into Drains
The attackers bought Google Ads that appeared above organic search results and routed users to counterfeit Uniswap interfaces. The fake pages replicated the visual flow of the real platform, increasing the chance that users would connect wallets without noticing the substitution.
Once connected, wallets exposed balance and token information to the malicious site. Victims were then prompted to approve transactions, often granting broad or unlimited spending rights to attacker-controlled smart contracts.
Those approvals gave scammers direct on-chain execution paths. ERC-20 approve and transferFrom functions allowed token drains, while setApprovalForAll could expose NFT holdings to similar theft.
Security reports also described “silent transfers,” where an initial signature created persistent authorization for later withdrawals. That made one mistaken approval enough to enable future asset movement, even without additional user interaction.
Two scammers have already stolen ~$400,000 from users through a phishing @Uniswap ad on Google.
It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained.
This is the first result that popped out… https://t.co/Ov488s9DIl pic.twitter.com/qStRGq8qTE
— Stacy Muur (@stacy_muur) May 25, 2026
Search Ads Become a DeFi Attack Vector
The campaign combined technical approval abuse with social engineering. Address poisoning and unsolicited token airdrops created plausible context, making victims more likely to trust malicious prompts or interact with fraudulent contracts.
Some phishing pages used hidden iframes and legitimate-looking URLs to evade screening. That evasion complicated both automated detection and manual review, allowing malicious ads to remain visible long enough to capture victims.
The incident exposed a structural weakness between centralized advertising and decentralized finance. Sponsored placement can make fraudulent links appear more credible, while wallet UX still requires users to interpret complex approval dialogs under pressure.
The practical controls are straightforward but important. Bookmarking official sites, checking exact URLs, reviewing allowance sizes and revoking unnecessary approvals can reduce exposure to clone-site attacks.
Crypto-related ad creatives require stricter verification and quicker takedowns, especially when fake sites imitate major DeFi protocols.
The roughly $400,000 theft shows how quickly a misleading search result can become an irreversible on-chain loss. The next priorities are tracing stolen funds, blocking malicious ads and improving wallet-level warnings before similar campaigns scale further.
