Fake Uniswap Links Are Appearing at the Top of Google Search — $400,000 Already Gone

If you searched for Uniswap on Google today, the first result you saw was probably a scam. Attackers are running sophisticated phishing campaigns through Google’s paid advertising system — placing fake Uniswap links above the real protocol’s official website and draining the wallets of anyone who connects to them.

At least $400,000 has been stolen across two identified attacker addresses in the current campaign, according to on-chain analytics flagged by multiple security researchers on X.

The broader picture is worse. SEAL — the Security Alliance, one of DeFi’s most active threat intelligence organizations — reports the campaign has been running for over a year. In March alone, phishing ads of this type stole $1.27 million across two weeks, with SEAL blocking more than 356 malicious links during that period. Google has been aware of the problem throughout. The ads keep running.

How the Attack Works

The mechanism is not technically sophisticated — which is precisely why it keeps working. Attackers purchase Google advertising slots for high-traffic crypto search terms like “Uniswap,” “Aave,” or “MetaMask.” The ad copy and landing page are designed to be visually indistinguishable from the real protocol. Google’s ad system places the sponsored result above organic search results — meaning the fake site appears before the legitimate one for anyone who searches without already knowing the correct URL.

The landing pages themselves use several layers of obfuscation to evade detection. Cloaked pages show different content to Google’s ad reviewers than to actual visitors. Hidden iframes load malicious code after the initial page passes automated safety checks. Advanced drainer contracts are embedded to execute unauthorized transactions the moment a user connects their wallet — often before they realize anything unusual has happened.

The result is a pipeline that converts Google search traffic into stolen funds with minimal technical barrier. Any DeFi user who does not know to skip sponsored results and navigate directly to official URLs is a potential victim — and even experienced users are being caught.

Security researchers on X have been flagging individual instances of this campaign for months. The community response is increasingly frustrated. As one researcher put it:

“It’s insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained.”

The Tools That Actually Protect You

Two resources have emerged as the most practical defenses against this specific attack vector.

The first is DefiLlama’s LlamaSearch tool, built specifically to address the fake ad problem. DefiLlama responded directly to the Uniswap phishing alert on X, noting:

“Fake ads on Google are a common source of phishing attacks. We built LlamaSearch to solve exactly this. It has thousands of vetted crypto domains.”

LlamaSearch allows users to verify whether a URL matches the legitimate domain for a given protocol before connecting any wallet — a direct counter to the visual spoofing that makes phishing pages so effective.

The second is cross-referencing any link against the protocol’s official X account or verified community channels before interacting. Legitimate protocols maintain their official domain in their X bio and pinned posts. If a URL from a search result does not match the domain listed in the protocol’s official social presence, it should not be trusted.

The security community’s rule for this threat vector has been consistent for years: never click sponsored crypto ads. The top organic result is almost always safer than the top sponsored result for any major DeFi protocol — and when in doubt, type the URL directly rather than using a search engine as an intermediary.

A Problem Google Has Chosen Not to Solve

The most uncomfortable aspect of this campaign is not the attackers’ technical sophistication. It is Google’s sustained inaction in the face of documented, ongoing harm to its users.

SEAL’s data establishes that this is not a new problem. The campaign has been active for more than a year. The March figures — $1.27 million stolen, 356 malicious links blocked in two weeks — represent a known, measurable, ongoing threat that Google’s advertising systems continue to enable. Attackers have refined their evasion techniques specifically to pass Google’s ad review processes, using cloaked pages and staged content delivery to show reviewers a clean page while serving malicious code to actual users.

Google’s advertising revenue model creates a structural incentive problem here. Crypto-related ad slots are high-value placements — attackers outbid legitimate projects for premium positioning specifically because the return on investment from successful wallet drains exceeds the cost of the advertising. Google collects revenue from both legitimate and malicious advertisers, with no mechanism that claws back fees when an ad is subsequently identified as part of a phishing campaign.

Uniswap has not issued a public statement on the current campaign. The two identified attacker addresses holding the stolen funds remain active on-chain.

What This Means Going Into 2026’s Second Half

The fake Google ad campaign is categorically different from the protocol exploits and bridge hacks that have dominated DeFi security headlines in 2026. It requires no smart contract vulnerability, no private key compromise, and no sophisticated on-chain infrastructure. It requires a Google account, an advertising budget, and a convincing copy of a legitimate protocol’s frontend.

That accessibility is what makes it persistent. The $400,000 currently held by the identified attackers is a fraction of the total extracted through this technique across the year — and the campaign will continue as long as Google’s ad review processes can be circumvented and the return on investment remains positive for attackers.

The advice from the security community is simple: bookmark official protocol URLs directly, use LlamaSearch to verify any domain before connecting a wallet, and treat every sponsored Google result for a crypto protocol as suspect until proven otherwise.