article featured image


Crypto-criminals are investing in Google Ads to target victims with bogus wallets that steal credentials and deplete balances. So far, it appears that the cyber-crooks have stolen more than $500,000 and counting.

What Happened?

According to a recent Check Point Research investigation, the adverts are linking to reportedly download prominent crypto-wallets Phantom and MetaMask.

According to the research, attackers began by using Google Ads to look for possible victims. According to the researchers at Check Point, clicking on the malicious Google Ad redirects the user to a malicious site that has been doctored to seem like the Phantom (or occasionally MetaMask) wallet site.

Over the past weekend, Check Point Research encountered hundreds of incidents in which crypto-investors lost their money while trying to download and install well known cryptowallets or change their currencies on crypto-swap platforms like PancakeSwap or Uniswap.


The target is then asked to register a new account with a “Secret Recovery Phrase.” They are also requested to create a password for the alleged account (which is harvested by the attackers). Following that, visitors are given a keyboard shortcut to open the wallet and then led to the authentic Phantom site, according to Check Point.

Users may get the Phantom wallet Google Chrome extension from the authorized website.

Now if the user adds the Chrome wallet tab to their browser and inserts the newly created recovery phrase from the attacker, they actually log in to the attacker’s wallet instead of creating a new one. This means if they transfer any funds, the attacker will get that immediately.


Crypto-criminals have also targeted MetaMask wallets by purchasing Google Ads that directed consumers to a fraudulent site that resembled the official MetaMask site.

In a matter of days, we witnessed the theft of hundreds of thousands of dollars worth of crypto. We estimate that over $500k worth of cyrpto was stolen this past weekend alone. I believe we’re at the advent of a new cyber crime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets, instead of traditionally phishing through email. In our observation, each advertisement had careful messaging and keyword selection, in order to stand out in search results. The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging. And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets. Unfortunately, I expect this to become a fast-growing trend in cyber crime. I strongly urge the crypto community to double check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.


If you liked this article follow us on LinkedInTwitterYouTubeFacebookand Instagram to keep up to date with everything cybersecurity.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo