Google Ads for Faux Cryptowallets Net Scammers At Least $500K

Malicious Phantom, MetaMask cryptowallets are on the prowl to drain victim funds. 

Crypto-thieves are buying Google Ads to target victims with fake wallets, which steal credentials and drain balances. So far, it looks like the cybercrooks have made off with more than $500,000 and counting.

The ads serve links to purportedly download popular cryptowallets Phantom and MetaMask, according to a new report from Check Point Research.

“Over the past weekend, Check Point Research encountered hundreds of incidents in which crypto-investors lost their money while trying to download and install well known cryptowallets or change their currencies on crypto-swap platforms like PancakeSwap or Uniswap,” Check Point analysts said.

Attackers started by putting Google Ads to work searching for potential victims, the report explained. Clicking on the malicious Google Ad takes the user to a malicious site doctored to look like the Phantom (or sometimes MetaMask) wallet site, Check Point noted.

Phantom & MetaMask

There, the target is prompted to create a new account using a “Secret Recovery Phrase.” They’re also prompted to set a password for the purported account (which is harvested by the attackers). After that, users are given a keyboard shortcut for opening the wallet and then redirected to the legitimate Phantom site, Check Point explained.

The legitimate site offers users the Phantom wallet Google Chrome extension.

“Now if the user adds the Chrome wallet tab to their browser and inserts the newly created recovery phrase from the attacker, they actually log in to the attacker’s wallet instead of creating a new one,” the report said. “This means if they transfer any funds, the attacker will get that immediately.”

The scam was uncovered as complaints from duped victims started to emerge on Reddit and Twitter, Check Point noted.

“Hey I just installed the phantom wallet and somehow I ended up downloading the scam,” a user with the screen name “Spookster510” wrote. “I am somewhat new to wallet and thought at first it was like a demo number about of Sol on the wallet to show what it looks like but then realized it was someone else’s wallet I was in.”

Crypto-criminals also targeted MetaMask wallets, buying Google Ads that took victims to a malicious site that looked like the legitimate MetaMask site.

“In this case, the attacker also tries to steal the user’s private key to steal their wallet if they have one, or give them a phrase that enables them to steal the funds upon transfer,” the report added.

Scammers Using Google to Spot Victims

Fanatic interest in all things crypto in some corners of the internet aside, it should be noted that Google Ads are increasingly being abused to find targets for many kinds of fraud.

For instance, underscoring how easy it is to leverage Google Ads for criminal enterprise, a teenager was recently arrested after he bought enough Google Ads to rank his malicious link above its legitimate gift card site counterpart. He managed to steal $9,000 before being shut down.

Google continues to pledge increased resources to rooting out abuse on its platform. Google didn’t respond to Threatpost’s request for comment on this particular scam, but told the publication in late October that “our goal is to create a safe and trustworthy experience for users. We take matters of ad fraud very seriously and continue to vigorously enforce our policies and be nimble when faced with new threats.”

Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost on Tues., Nov. 16 at 2 p.m. ET for “An Intro to OSquery and CloudQuery,” a LIVE, interactive conversation with Eric Kaiser, Uptycs’ senior security engineer, about how this open-source tool can help tame security across your organization’s entire campus.

Register NOW for the LIVE event and submit questions ahead of time to Threatpost’s Becky Bracken at






Suggested articles