encryption world is full of dangers, and scammers are always waiting for beginners to get on the road and old birds to fail. A recent report by security agency Check Point Research highlights a new form of cyberattack: using Google ads to direct users to fake cryptocurrency wallets. In its report, CPR said that in the past few days, at least about $500,000 has been seen sucked away by these methods.
Here is how this scam works: The attacker buys Google ads in response to searches for popular cryptocurrency wallets (i.e. software used to store cryptocurrency, NFT, etc.). CPR said it noticed scams targeting Phantom and MetaMask wallets, which are the most popular wallets in the Solana and Ethereum ecosystems.
When an unsuspecting user searches for "Phantom" on Google, Google ad results (appearing above the actual search results) lead them to a website that looks like a real phishing. Then, one of two things happens: either the user enters their certificates, and the attacker keeps those certificates. Or, even more strangely, if they try to create a new wallet, they will be told to enter a recovery password, which is actually logging them into a wallet controlled by the attacker, rather than their own. This means that if they transfer any funds, the attacker will get the funds immediately.
Attackers use fake URLs to trick users into thinking they are logging into their crypto wallets, and like other phishing scams, these fake websites are designed to look as similar as real websites.
Like the more common phishing scams, attackers rely on making their fake login pages look as real as possible. CPR pointed out that they have observed attackers using fake URLs to trick users, such as directing them to phanton.app or phantonn.app, rather than the correct phantom.app. The team also saw similar phishing scams being used to guide users to fake cryptocurrency exchanges, including PancakeSwap and UniSwap. Researchers at
CPR said they began to notice these scams after seeing cryptocurrency users complain about their losses on Reddit and other forums, with estimated "at least $500,000" being stolen in the past few days.
"I believe we are in the process of a new cybercrime trend, where scammers will use search ads as the primary attack vector to reach cryptocurrency wallets instead of traditional phishing through email," CPR's Oded Vanunu said in a press statement. "The phishing websites to which the victims were directed reflect a meticulous copy and imitation of wallet brand information. And most shockingly, more fraud gangs follow suit to bid for keywords on Google ads, which is likely a sign of success in these new phishing campaigns targeting cryptocurrency wallets."
