Fake Uniswap Ads Led to Wallet Drains via Google

2049.news · 28.05.2026, 10:50:01


A malicious campaign used paid search ads to place a counterfeit Uniswap page above the real site, resulting in compromised wallets.

How the attack worked

Attackers registered a visually identical domain that differed by a few characters and subtle Unicode substitutions in the URL.

They then purchased Google Ads, promoting the fraudulent site so it appeared above the legitimate Uniswap listing in search results.

Users who visited the fake site and connected their wallets signed an approval that granted a malicious contract control over their tokens.

Known attacker addresses

Blockchain analysis linked proceeds to two active addresses, which received funds after approvals executed on the fake interface.

  • 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb: $185 K
  • 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2: $221 K

Why search ads allowed the scam

Operators exploited Unicode techniques, substituting visually similar characters and using directionality tricks to obfuscate true domain names.

Similar methods have been used previously in malicious browser extensions and other impersonation campaigns, showing recurring gaps in vetting and review.

Recommendations to avoid compromise

Avoid clicking sponsored search results for cryptocurrency projects and instead use verified bookmarks or official links from project websites.

When installing extensions, check the Extension ID against the official project documentation and review permissions carefully before granting approvals.

Always read the full URL before connecting a wallet and verify that no unexpected characters or overrides are present in the address bar.
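The URL check described above can be automated. The following is an added example, not code from the article or from Uniswap: it flags bidirectional control characters, punycode labels, non-ASCII letters and near-miss hostnames before a wallet is connected. The trusted-host list, the 0.8 similarity threshold and the function names are assumptions made for illustration.

```python
import difflib
import unicodedata
from urllib.parse import urlsplit

# Assumption: hosts copied from the user's own verified bookmarks.
TRUSTED_HOSTS = {"uniswap.org", "app.uniswap.org"}
# Unicode bidirectional controls: marks, embeddings, overrides, isolates.
BIDI_CONTROLS = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")


def decode_label(label):
    """Turn an ACE ("xn--") label back into the Unicode a browser may display."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def inspect_url(url):
    """Return findings for the URL's host; [] means trusted and clean."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in url):
        findings.append("bidi-control")
    cleaned = "".join(ch for ch in url if ch not in BIDI_CONTROLS)
    host = (urlsplit(cleaned).hostname or "").rstrip(".")
    shown = ".".join(decode_label(part) for part in host.split("."))
    if shown != host:
        findings.append("punycode-label")
    if not shown.isascii():
        # First word of the Unicode name approximates the script of a letter.
        scripts = {unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in shown if c.isalpha()}
        findings.append("non-ascii:" + "+".join(sorted(scripts)))
    if host not in TRUSTED_HOSTS:
        findings.append("untrusted-host")
        for trusted in sorted(TRUSTED_HOSTS):
            # Threshold 0.8 is an illustrative choice for "a few characters off".
            if difflib.SequenceMatcher(None, shown, trusted).ratio() >= 0.8:
                findings.append("lookalike-of:" + trusted)
    return findings


if __name__ == "__main__":
    # Constructed samples: trusted host, Cyrillic "і" swap, bidi override.
    for sample in ("https://app.uniswap.org/swap",
                   "https://un\u0456swap.org/swap",
                   "https://uniswap.org/\u202eswap"):
        print(ascii(sample), inspect_url(sample))
```

An empty result only means the host matches the allowlist exactly and carries no hidden characters; it says nothing about what a signed approval grants.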

