Over the weekend, Check Point Research (CPR) observed hundreds of thousands of dollars worth of crypto stolen from wallets by scammers. Scammers placed Google Ads at the top of Google Search to lure their victims that imitated popular wallets and platforms, such as Phantom App, MetaMask, and Pancake Swap.
Each advertisement contained a malicious link that, once clicked, directed a victim into a phishing website that copied the brand and messaging of the original wallet website. From here, the scammers tricked their victims into giving up their wallet passwords, setting the stage for wallet theft.
Traditionally, phishing campaigns originate in email. In what appears to be a new trend, multiple scamming groups are now bidding for wallet-related keywords on Google Ads, using Google Search as an attack vector to target victims’ crypto wallets.
1. Scammer places a Google Ad to appear first on a search query related to a crypto wallet
2. Victim clicks on a malicious link in Google Ad
3. Victim is navigated to a phishing website that looks identical to the original wallet website
4. The fake website attempts to steal your passphrase if you already have a wallet, or will provide you with a new passphrase for your newly created wallet
5. In both ways, the scammer gains access to your wallet and can proceed to steal all your cryptocurrency
For the domain “phantom. app”, CPR encountered phishing variants like phanton.app or phanton.app, or even different extensions like “.pw” and more.
Figure 1. Phishing Ad of Phantom Wallet
Figure 2. Malicious Google Ad imitating MetaMask
As described above, each malicious advertisement leads to a phishing website.
Figure 3. The fraudulent Phantom website next to the original Phantom website
(Fraudulent Page)
(Original Page)
CPR found 11 compromised wallet accounts, each of them containing between $1K to $10K. CPR went on to learn that the scammers had withdrawn some of the funds already before CPR’s discovery. By cross-referencing Reddit forums where victims voiced their theft, CPR estimates that over $500k was stolen over the past weekend.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software, said:
“In a matter of days, we witnessed the theft of hundreds of thousands of dollars worth of crypto. We estimate that over $500k worth of cyrpto was stolen this past weekend alone. I believe we’re at the advent of a new cybercrime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets instead of traditionally phishing through email. In our observation, each advertisement had careful messaging and keyword selection to stand out in search results—the phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging. And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets. Unfortunately, I expect this to become a fast-growing trend in cybercrime. I strongly urge the crypto community to double-check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.”
1. Examine the browser URL. Only the extension should create the passphrase, and to understand if this is an extension or a website, always look at the browser URL.
2. Look for the extension icon. The extension will contain an extension icon near it and a chrome-extension URL:
3. Never give out your passphrase. Users should never give out their passphrase. No one should ever ask for that. and it will be used again only when installing a new wallet
4. Skip the ads. If you are looking for wallets or crypto trading and swapping platforms in the crypto space, always look at the first website in your search and not in the ad, as these may mislead you to getting scammed by the attackers.
5. Take a look at the URL. Last but not least – always double-check the URLs!
