



According to Check Point Research (CPR), scammers used Google Ads to steal hundreds of thousands of dollars' worth of cryptocurrency.

Fraudsters placed ads at the top of Google Search results that mimic popular wallet brands such as Phantom, MetaMask, and PancakeSwap to trick users into giving up their wallet passphrases and private keys. CPR estimates that over US$500,000 of cryptocurrency was stolen in a matter of days.

Traditionally, phishing campaigns start with email. What appears to be a new trend is that multiple fraud groups are bidding on wallet-related Google Ads keywords and using Google Search as an attack vector against victims' crypto wallets. Each ad contains a malicious link that, when clicked, takes the victim to a phishing website that copies the branding and messaging of the original wallet website.

How fraud works

According to CPR, scammers place Google ads so that they appear first in search results for queries related to crypto wallets. The victim clicks the malicious link in the ad, which leads to a phishing website that looks like the original wallet website. If the user already has a wallet, the fake website tries to steal the user's passphrase. Alternatively, it provides the user with a new passphrase for a newly created wallet. Either way, the scammer can access the wallet and steal all of the cryptocurrency in it.

What a scam looks like

For the domain “phantom.app”, CPR encountered phishing variants such as phanton.app and phantonn.app, or various extensions such as “.pw”.

CPR found 11 compromised wallet accounts, each containing $1,000 to $10,000. CPR also learned that the fraudsters had already withdrawn some of the money before CPR discovered the accounts. By cross-referencing the Reddit forums where victims reported thefts, CPR estimates that more than $500,000 was stolen last weekend.

“In a few days, we witnessed hundreds of thousands of dollars worth of cryptography theft,” said Oded Vanunu, Head of Product Vulnerability Investigation at Check Point Software.

“It’s estimated that over $500,000 of cryptocurrencies were stolen last weekend alone. A new cybercrime trend has arrived, using Google search as the primary attack vector for scammers to reach cryptocurrency wallets. I think you’re doing phishing via email in the past.

“Our observation was that each ad had a careful message and keyword selection, prominent in search results. Victim-guided phishing websites closely copied and imitated wallet-branded messages. It reflected,” says Vanunu.

“And most worrisome is that multiple groups of scammers are bidding on Google Ads keywords, which is a sign of the success of these new phishing campaigns aimed at robbing crypto wallets. It may be.

“Unfortunately, I think this is going to be a fast-growing trend in cybercrime. At this point, we strongly recommend that you double-check the URLs that the crypto community clicks on and avoid clicking on Google ads related to crypto wallets. I recommend it.”

How to protect yourself

Inspect the URL in your browser. Only the extension should create a passphrase, so always check the browser URL to tell whether you are looking at the extension or a website.

Look for the extension icon. The extension shows the extension icon with the Chrome extension URL next to it.

Never give out your passphrase. No one should ask for it; it is only needed again when installing a new wallet.

Skip the ads. If you are looking for a wallet or a crypto trading and swapping platform, always use the first website result in your search, not an advertisement, because ads can be used by attackers to mislead you.

Look at the URL. Last but not least, always double-check the URL.
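The lookalike domains CPR reports (phanton.app, phantonn.app, and the wallet name under a ".pw" extension) can be checked for mechanically before a passphrase is ever typed. The following Python check is an added example, not code from CPR or the original article; the function names, the distance threshold of 2 and the naive two-label domain split are assumptions of this example.

```python
from urllib.parse import urlsplit

# "phantom.app" is the official domain named in the article; add only
# domains you have verified yourself.
OFFICIAL_DOMAINS = ("phantom.app",)
MAX_DISTANCE = 2  # assumed threshold: catches phanton.app and phantonn.app


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(url: str, official=OFFICIAL_DOMAINS):
    """Return (verdict, domain); verdict is 'official', 'lookalike' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    # Naive split (assumption): the label before the last one is the name.
    name = labels[-2] if len(labels) >= 2 else host
    # Exact allowlist match first, including subdomains of an official domain.
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return ("official", domain)
    for domain in official:
        brand = domain.split(".")[0]
        # Misspelled name (phanton, phantonn) or exact name under another TLD (.pw).
        if edit_distance(name, brand) <= MAX_DISTANCE:
            return ("lookalike", domain)
        # Brand used as a subdomain, inside a longer name, or as URL userinfo.
        if brand in parts.netloc.lower():
            return ("lookalike", domain)
    return ("unknown", None)


if __name__ == "__main__":
    for u in ("https://phantom.app", "phanton.app", "phantonn.app", "phantom.pw"):
        print(u, classify(u))
```

A "lookalike" verdict means the host imitates an allowlisted name without being it; "unknown" only means no resemblance was found, not that the site is safe.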

