
Phishing ads for Lido, DefiLlama and Zapper led to theft of over $4 million
Unknown attackers ran phishing ads impersonating cryptocurrency projects in Google search and used them to steal $4.16 million. The campaign was brought to light by a Twitter user going by the handle Scam Sniffer.
1/ A recent surge in phishing scams via Google search ads has led to users losing approximately $4 million.
ScamSniffer has investigated multiple cases where users clicked on malicious ads and were directed to fraudulent websites. #PhishingScams #GoogleAds pic.twitter.com/vuKCgSuFnV — Scam Sniffer (@realScamSniffer) April 27, 2023
According to Scam Sniffer, the attackers disguise malicious links as the legitimate sites of projects such as Lido, DefiLlama, Zapper, Stargate, Orbiter Finance and Radiant.
2/ Investigation into the keywords used by victims has uncovered numerous malicious ads at the forefront of search results.
Most users, unaware of the deceptive nature of search ads, click on the first available option, leading them to malicious websites. #Cybersecurity pic.twitter.com/kKtomcn3SB — Scam Sniffer (@realScamSniffer) April 27, 2023
After the user follows the link, the site asks them to sign a message with their wallet, supposedly for authorization. In reality, the signature gives the attackers access to the user's funds.

"Many wallets lack clear warnings about the risks of this type of signing. Users may think it is a routine login procedure and sign it," explains Scam Sniffer.
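As an added illustration (not code from the article or from Scam Sniffer), the sketch below shows the kind of check a wallet could run to warn that a "login" signature request is really a spending approval. It assumes the request is an EIP-2612-style `Permit` sent through `eth_signTypedData_v4`, which the article does not specify; `classifySigningRequest` is a hypothetical helper and the sample request is constructed.

```javascript
// Added illustration, not code from the article or from Scam Sniffer.
// Assumption: the risky request is EIP-712 typed data whose primary type is an
// EIP-2612-style "Permit"; the article does not name the signature type.
const MAX_UINT256 = (1n << 256n) - 1n;
const THIRTY_DAYS = 30 * 24 * 60 * 60;

// Hypothetical helper: returns a risk label and the warnings a wallet could display.
function classifySigningRequest(method, params, nowSeconds) {
  if (method === "personal_sign") {
    // Human-readable message; this sketch treats it as login-style.
    return { risk: "low", warnings: [] };
  }
  if (method === "eth_sign") {
    // Signs an opaque 32-byte hash, so the user cannot see what is authorised.
    return { risk: "high", warnings: ["blind signature over a raw hash"] };
  }
  if (method !== "eth_signTypedData_v4") {
    return { risk: "review", warnings: [`unhandled method ${method}`] };
  }
  let typed;
  try {
    // params = [signerAddress, typedData]; typedData often arrives as a JSON string.
    typed = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
  } catch {
    return { risk: "high", warnings: ["typed data is not valid JSON"] };
  }
  const msg = (typed && typed.message) || {};
  if (!typed || typed.primaryType !== "Permit" || !msg.spender) {
    return { risk: "review", warnings: ["typed data that is not a recognised Permit"] };
  }
  const token = (typed.domain || {}).verifyingContract || "unknown token";
  const warnings = [`lets ${msg.spender} spend your balance of ${token}; this is not a login`];
  let value = null;
  try { value = BigInt(msg.value); } catch { /* missing or malformed amount */ }
  if (value === null) warnings.push("allowance amount is missing or malformed");
  else if (value === MAX_UINT256) warnings.push("allowance is unlimited");
  if (Number(msg.deadline) - nowSeconds > THIRTY_DAYS) warnings.push("approval stays valid for over 30 days");
  return { risk: "high", warnings };
}

// Constructed sample request (addresses are placeholders, not real indicators).
const SAMPLE_PERMIT = JSON.stringify({
  primaryType: "Permit",
  domain: { name: "ExampleToken", chainId: 1, verifyingContract: "0x" + "11".repeat(20) },
  message: { owner: "0x" + "aa".repeat(20), spender: "0x" + "bb".repeat(20),
             value: MAX_UINT256.toString(), nonce: "0", deadline: "4102444800" },
});
const SAMPLE_NOW = 1682553600; // constructed timestamp (27 April 2023, UTC)
console.log(classifySigningRequest("eth_signTypedData_v4", ["0x" + "aa".repeat(20), SAMPLE_PERMIT], SAMPLE_NOW));
```

A real wallet would also need to recognise other approval-style typed data; this sketch covers only the one assumed message type.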
Analysts identified the advertisers as ROMUS-POLIGRAF LLC (Ukraine) and TRACY ANN MCLEISH (Canada). The total value of the ads they ran is about $15,000.
The attackers’ activity peaked last month. By the time of writing, nearly 3,200 users had fallen victim to fraudulent sites, with losses totaling $4.16 million.
Part of the proceeds from the largest addresses was sent to SimpleSwap and the Tornado Cash mixer. Direct transfers to KuCoin, Binance and other exchanges were also recorded.
According to Scam Sniffer, the attackers managed to bypass Google’s ad review by exploiting differences in domain-name parameters and by preventing page-cache debugging.
In October 2022, it was reported that Google search results were promoting crypto-targeted phishing sites, according to Binance CEO Changpeng Zhao.
In February, hackers stole $300,000 through a phishing site linked to a well-known Ethereum conference.