Crypto investors lose $500,000 to Google Ads pushing fake wallets

Attackers are using advertisements in Google Search to promote fake cryptocurrency wallets and DEX platforms that steal users’ cryptocurrency. These ads point to sites that install fake Phantom and MetaMask wallets, used for Solana and Ethereum respectively, and fake decentralized exchange (DEX) platforms such as PancakeSwap and Uniswap.

The deceptive operation relies on cloned websites that look just like the real ones, so visitors are convinced they are installing the official wallet or using the correct platform.

Hijacking Funds and Wallets

Security researchers saw a rise in related scam reports over the past weekend, with different advertisements tricking victims into visiting typosquatting domains. The ads promote websites whose names differ only slightly from the official domains, such as “phanton.app” or “phantonn.pw” compared to the legitimate “phantom.app”.
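A simple defensive check for the kind of typosquatting described above, written as an added example (not code from the article or from any wallet vendor): it compares the registrable label of a visited host against a small allowlist of legitimate wallet and DEX domains using edit distance, so that “phanton.app” and “phantonn.pw” are flagged as lookalikes of “phantom.app”. The allowlist and the distance threshold are assumptions chosen for this example.

```python
import re

# Assumed allowlist of legitimate domains named in the article (not a complete list).
LEGITIMATE_DOMAINS = {"phantom.app", "metamask.io", "uniswap.org", "pancakeswap.finance"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_from_url(url: str) -> str:
    """Extract the lowercased hostname from a URL, dropping scheme, port and path."""
    m = re.match(r"^(?:[a-z]+://)?([^/:?#]+)", url.strip().lower())
    return m.group(1) if m else ""


def classify(url: str, max_distance: int = 2):
    """Return ('ok', domain) when the host is an allowlisted domain or a subdomain of one,
    ('lookalike', closest_legit_domain) when the host's registrable label is within
    max_distance edits of an allowlisted label (this also catches the same label under a
    different TLD, e.g. 'phantom.pw'), or ('unknown', host) otherwise."""
    host = host_from_url(url)
    for good in LEGITIMATE_DOMAINS:
        if host == good or host.endswith("." + good):
            return ("ok", good)
    parts = host.split(".")
    # Registrable label: 'phantonn' from 'phantonn.pw', 'phanton' from 'phanton.app'.
    label = parts[-2] if len(parts) >= 2 else host
    best = None
    for good in LEGITIMATE_DOMAINS:
        d = levenshtein(label, good.split(".")[0])
        if best is None or d < best[0]:
            best = (d, good)
    if best is not None and best[0] <= max_distance:
        return ("lookalike", best[1])
    return ("unknown", host)


if __name__ == "__main__":
    # Constructed sample URLs, including the two lookalike domains quoted in the article.
    for u in ["https://phantom.app", "https://phanton.app/", "phantonn.pw", "https://example.com"]:
        print(u, "->", classify(u))
```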


When visiting one of these fake Phantom sites, users are prompted to create a new wallet, which includes writing down a recovery phrase used to restore the wallet and a password to access it. Anyone who has this information can add the wallet to their own system and access any cryptocurrency stored in it.


Right after the victim finishes the setup process, they are redirected to the real Phantom wallet page, where they install the Chrome extension. Using the recovery phrase generated by the attackers, they log in to the attacker’s wallet through the extension, thinking it is their own. Any cryptocurrency transferred into that wallet is also accessible to the threat actors, who can move it to other wallets under their control.

Our experts also found that the actors created some wallets under the same account, corresponding to multiple victims, and received notable amounts every couple of hours.


In the malicious advertising operation that impersonates MetaMask, the attackers not only try to divert Ethereum transactions to their wallets but also target any assets the victim may already hold.

To that end, the cloned websites offer an additional “Import Wallet” function, which attempts to capture the victim’s private key, which is all the threat actors need to take control of the wallet.


Similarly, the advertisements also promoted fake decentralized exchanges, such as Uniswap, that prompt users to connect their wallet and enter their recovery phrase.


As in the MetaMask scam, once a user enters their recovery phrase, the threat actors import the wallet into their own systems and take the cryptocurrency stored in it.

Protecting your cryptocurrency wallets

While these advertisements have since been taken down by Google, there is no guarantee that new ones will not appear in the future. To keep your investments safe from these scams, follow these basic guidelines:

  • Never enter your passphrase/private key on any site or share it with anyone. Your recovery passphrase is only required when setting up the wallet on a new installation or adding it to another device.
  • Always double-check the URLs you have landed on before entering any credentials.
  • When searching for wallet apps on Google Search, make sure that you are clicking on website results and not on promoted ads.
  • Always take your time to evaluate any signs of fraud, and never jump into action when met with sensitive data requests.

Unfortunately, if you fall for one of these scams, there is no way to recover cryptocurrency stolen in this manner. Pay close attention to the above guidelines to safeguard your funds and prevent them from being stolen.
