Threat actors are using advertisements in Google Search to promote fake cryptocurrency wallets and DEX platforms to steal users' cryptocurrency.

These advertisements promote sites that install fake Phantom and MetaMask wallets used for Solana and Ethereum, and fake decentralized exchange (DEX) platforms, such as PancakeSwap and Uniswap.

The deceptive operation is supported by cloned websites that look just like the real ones, so the visitors are convinced they are installing the legitimate wallet or using the correct platform.

Stealing funds and wallets

Researchers at CheckPoint saw a surge in relevant scamming reports over the past weekend, with numerous ads tricking victims into visiting various typosquatted domains.

The ads promote websites whose domains differ from the official ones in slight, hard-to-notice ways, such as “phanton.app” or “phantonn.pw” instead of the legitimate “phantom.app”.

Phantom Google Ad at the top of the search results
Source: CheckPoint
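
A defender-side check for the lookalike domains described above, added here as an example and not taken from the article or from CheckPoint. The allowlist contents, the distance threshold and the function names are assumptions, and the last two labels are treated as the registrable domain.

```python
# Added example (not from the article): flag lookalike domains against an allowlist.
OFFICIAL_DOMAINS = {"phantom.app"}  # the one official domain the article names; extend locally
MAX_DISTANCE = 2                    # assumed threshold; tune per label length


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(host):
    """Return (verdict, official_domain) with verdict official/lookalike/unknown."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ("unknown", None)
    # Simplification: treat the last two labels as the registrable domain
    # (no public-suffix-list handling).
    registrable = ".".join(labels[-2:])
    if registrable in OFFICIAL_DOMAINS:
        return ("official", registrable)
    for official in sorted(OFFICIAL_DOMAINS):
        brand = official.split(".")[0]
        # Brand used as a subdomain of an unrelated registrable domain.
        if brand in labels[:-2]:
            return ("lookalike", official)
        # Same or near-identical name, possibly under a different TLD.
        if edit_distance(labels[-2], brand) <= MAX_DISTANCE:
            return ("lookalike", official)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample: the article's three domains plus two made-up hosts.
    for h in ["phantom.app", "phanton.app", "phantonn.pw",
              "phantom.app.wallet-login.example", "example.org"]:
        print(h, classify(h))
```

A fixed threshold of 2 suits a seven-character name like this one; shorter brand names need a tighter limit to avoid false positives.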

When visiting one of these fake Phantom sites, users are prompted to create a new wallet, which includes writing down a recovery phrase used to restore the wallet and setting a password to access it.

Anyone who has this information can add a wallet to their own system and access any cryptocurrency stored within it.

Recovery phrase shared with the victim
Source: CheckPoint

Once the victim finishes the setup process, they are redirected to the real Phantom wallet page, where they install the official…
