News

How Crypto Scammers Stole $4M Using Google Ads

Valentine Adegboyegun

Key Insights

  • Crypto users have been scammed of $4M worth of funds by criminals.
  • These thefts happened due to phishing sites advertised on Google ads.
  • Many scammers have figured out ways to bypass Google's ad review process.

The most recent news in the crypto crime space is that users have been scammed of $4M in funds by criminals. These thefts occurred as a result of phishing sites advertised on Google ads.

How the Scams Happened

These fake websites mimicked genuine crypto platforms to fool unfamiliar users into entering their login details, private keys, or other personal credentials.

As soon as these criminals got hold of the information, they would access the users' crypto wallets and steal their funds. These thefts have become more rampant in the crypto space as of late.

In March, scammers enjoyed a 276% gain from their illicit activities thanks to a high number of their victims and the funds they used to promote their scheming advertisements. They have infiltrated numerous DeFi protocols, brands, and websites such as Lido, DefiLlama, Orbiter Finance, Radiant, Stargate, Zapper, etc.

These criminals often target DeFi users who do not quickly realize that they have clicked on harmful links due to minor modifications to the official URLs. A web3 anti-scam service provider, ScamSniffer, recently reported these occurrences. 

It said,

"When you open a malicious advertisement from Zapper, you can see that it attempts to obtain authorization of my $SUDO by using a permit signature. Currently, many wallets do not have clear risk warnings for this type of signature, and ordinary users may think it is a normal login signature and sign it without thinking twice."

How the Scammers Did It?

ScamSniffer revealed that these scammers utilize two major techniques to evade Google's ad review process. These moves enable them to mislead Google's ad review process thereby causing major harm to users.

Parameter Distinction

The fake websites used the "gclid" parameter — which is normally utilized by Google ads to track clicks — to show different pages based on user sources. This enables them to show a typical web page during the review phase, successfully bypassing Google's ad review process. 

Debugging Prevention

A couple of these malicious ads use anti-debugging steps that divert users to a normal website when Developer Tools are enabled, and to a malicious one when accessed directly. This move helps avoid some of Google's ad machine reviews.

An analysis of the accounts of affected individuals showed that an estimated $4.16 million in crypto had been swindled from more than 3,000 victims. Further anti-scam measures showed that the funds were moved to different crypto exchanges like Binance, KuCoin, Simpleswap, and Tornado Cash. 

It was alleged that scammers spent up to $15,000 advertising their websites, getting a 40% conversion rate from 7,500 users clicking on the ads, at an estimated ROI of 276%. The metadata analysis of these phishing sites that were advertised disclosed to be from mainly Ukraine and Canada. 

Finally, ScamSniffer advised crypto users so that a repeat of such incidents wouldn't occur.

"You should exercise caution when using search engines and actively block content in the advertising area."

They also had words for Google ads. 

"It's crucial for Google ads to strengthen its review process for Web3 malicious ads to better protect users."

ScamSniffer recommended the integration of a Web3-focused malicious website detection engine such as theirs. They also mentioned the continuous monitoring of landing pages throughout the ad placement lifecycle to quickly identify any form of deception in a system.

Disclaimer: Voice of Crypto aims to deliver accurate and up-to-date information but will not be responsible for any missing facts or inaccurate information. Cryptocurrencies are highly volatile financial assets, so research and make your own financial decisions.