Check Point Research observed hundreds of thousands of dollars worth of crypto stolen from wallets by scammers. To lure their victims, scammers placed Google Ads at the top of Google Search that imitated popular wallets and platforms, such as Phantom App, MetaMask and Pancake Swap.
Advertisement contained a malicious link that, once clicked, directed a victim into a phishing website that copied the brand and messaging of the original wallet website. Scammers tricked their victims into giving up their wallet passwords, setting the stage for wallet theft.
A new trend emerged where, multiple scamming groups are now bidding for wallet-related keywords on Google Ads, using Google Search as an attack vector to target victims’ crypto wallets.
- Scammer places a Google Ad to appear first on a search query related to a crypto wallet
- Victim clicks on malicious link in Google Ad
- Victim is navigated to a phishing website that looks identical to the original wallet website
- The fake website attempts to steal your passphrase, if you already have a wallet; or will provide you with a new passphrase for your newly created wallet
- Scammer gains access to your wallet and can proceed to steal cryptocurrencies
For the domain “phantom.app”, CPR encountered phishing variants like phanton.app or phantonn.app, or even different extensions like “.pw” and more.
In total, 11 compromised wallet accounts found, each of them containing between $1K to $10K. CPR went onto learn that the scammers withdrew some of the funds already before CPR’s discovery. By cross-referencing Reddit forums where victims voiced their theft, CPR estimates that over $500k was stolen over the past weekend.
- Examine the browser URL.
- Look for the extension icon.
- Never give out your passphrase.
- Skip the ads.
- Take a look at the URL.