Scammers used a new type of phishing campaign, which doesn’t use emails, to steal around $500,000 worth of cryptocurrency from wallets this past weekend alone. According to Check Point Research, those bad actors purchased Google Ads placements for their fraudulent websites that imitate popular wallets, such as Phantom App and MetaMask. The malicious websites have URLs close to the original’s, such as “phantonn.app” — the real service’s URL is “phantom.app” — with designs also copied from the real deal.
The scammers will then steal the victim’s passphrase if they visit the fake website and type it in. If the victim uses the fake website to create a new wallet, they will be given the attacker’s secret recovery phrase. In the event that they use the recovery phrase to log in, they’ll actually be logging into the bad actor’s account, and any fund transferred to it will go to the scammer. For MetaMask, in particular, the fake website has the option to import an existing wallet. Since doing so requires a seed phrase, the scammers will also get access to it.
As Check Point Research explains, the Phantom App and MetaMask are some of the most popular wallets for Solana and Ethereum. It cross-referenced Reddit forums to come to the conclusion that around half a million dollars were stolen last weekend alone, and it found 11 compromised wallet accounts containing crypto worth between $1,000 and $10,000. The scammers had already withdrawn funds from those wallets before CPR found them.
CPR says scamming groups are now bidding on keywords on Google Ads, which is a testament to how effective the method is. It’s now advising users to examine the wallet’s URL closely and to skip Google Ads results altogether so as not to unknowingly fall for the scam.