A phishing campaign that impersonates Uniswap through sponsored ads on Google Search caused losses of more than $400,000, according to alerts released on May 25, 2026 by analysts on-chain. The scheme used a copy of the official site to trick users into obtaining permissions that allowed funds to be drained from their wallets.
The alert was initially spread by researcher @b-blockwho identified two wallets associated with the attackers that accumulated the stolen funds. The addresses indicated were 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb and 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2, with balances close to 179,000 and 204,000 dollars respectively between ether and USDC.
Among the victims appears the operator known as @ika_xbtwho He claimed to have lost his entire portfolio —valued at more than $400,000— after entering a fake version of Uniswap promoted through Google advertising.
It is worth noting that the attack It did not exploit protocol vulnerabilities or smart contract flaws. The mechanism was much simpler: the attackers bought ads associated with the word “Uniswap”, managing to position a cloned page above the legitimate link.
Once inside, The interface showed a design practically identical to the original. The user connected their wallet, started an apparently normal operation and ended up signing malicious spending permissions. After that approval, the contract gained sufficient access to transfer assets from the compromised wallet.
This model, known as malvertisinghas become one of the main fraud vectors for decentralized finance users. The tactic combines paid advertising, social engineering and excessive permissions, avoiding the need to breach the technical infrastructure of the protocols.
The situation also reactivated criticism of Google and other search platforms. The founder of Uniswap, Hayden Adamsquestioned again the presence of fraudulent advertisements associated with the protocol and He criticized the lack of stronger measures to stop this type of campaigns.
For now, researchers on-chain and monitoring platforms continue to track the movements of the identified wallets, while the community recommends verify links using tools like DeFiLlamause saved bookmarks, and carefully review each permission request before signing.
The SEAL security organization (Security Alliance) warned of a sustained increase in phishing campaigns associated with search engine ads since March 2026. According to its records, between March 13 and 30 They blocked more than 356 malicious links linked to this type of operations, while reported losses during that brief period reached approximately $1.27 million.
Certainly, the episode adds to a series of recent alerts about phishing in the cryptocurrency ecosystem. In early 2026, CriptoNoticias reported campaigns targeting MetaMask users that simulated false authentication processes to steal seed phrases.
On the other hand, reports from Scam Sniffer, a security firm, showed that although phishing losses on Ethereum fell to around $84 million in 2025, more sophisticated vectors emerged after the incorporation of EIP-7702 in Pectra, allowing multiple malicious actions to be hidden within a single signature.
Beyond being one or several specific cases, the episode shows a relevant change in the security landscape: the risk is no longer concentrated solely in technical failures or exploits, but in the access layer. Search engines, ads and cloned pages are becoming priority targets for attackerswhich could accelerate new verification measures in wallets, automatic filters against fraudulent domains and even greater regulatory pressure on the advertising of financial services related to cryptocurrencies.