Culture

Not even Google Ads are safe from cryptocurrency scams

Addict young man have meeting with dealer at night to buy dose of white powder cocaine.

$500K

Estimated amount stolen through the Google Ads crypto scam.

Check Point Research

urbazon/E+/Getty Images

When it comes to the still-burgeoning world of cryptocurrency, scams lie around every corner. Even the parts of the internet that seem safest have found themselves home to crypto scammers. But, uh, this one still manages to be shocking: Someone found a way to use Google Ads to carry out their crypto-based cons.

Scammers managed to steal more than $500,000 in cryptocurrency by placing ads for fake digital wallets, according to Check Point Research. The scammers placed ads for their fake wallets under the names of real wallets, like MetaMask and Phantom, thereby tricking unsuspecting users into downloading the spoofs.

A Google Ad for the fake Phantom wallet.Check Point Research

The misleading ads probably would’ve been enough to trap a handful of crypto newbies, but these scammers really went all-out. The ads linked out to websites that looked eerily similar to the real deal, making it difficult to understand they’d been scammed until it was already too late.

Classic phishing, really — This scam is essentially one we’ve been dealing with since the creation of the internet: phishing. Usually, this process would take place via email or a similar messaging service, but the process here is the same. Trick unsuspecting people into giving you their personal information by pretending to be a legitimate entity.

Check Point Research

In this case, scammers created phishing websites that appear almost identical to the real deal, right down to the branding. These sites then asked victims for the passphrase to their crypto wallet — a red flag, if you’re familiar with how these wallets work, but it might just seem like a genuine question for setting up a wallet to a newcomer.

Check Point Research observed first-hand 11 crypto wallets compromised by the scheme, each containing between $1,000 and $10,000 in cryptocurrency. The full extent of the stolen money — more than $500,000 — was only discovered by cross-referencing these observations with Reddit threads where victims spoke up.

Stay vigilant — Check Point Research concludes its public release about this scam with a few tips for spotting similar ones in the future. First and foremost is to never type your passphrase into a website. A passphrase is a key to recovering your crypto wallet — handing it out is even more dangerous than giving someone an account password.

As with all phishing scams, the best line of defense is to double-check the URL you’ve been sent to. In the case of crypto wallets, in particular, Check Point notes that wallets like MetaMask and Phantom are extensions, not websites. If you’re being asked to input sensitive information like your passphrase into a website rather than an extension, there’s a good chance it’s a scam.

As much as we’d like to blame Google for this mess, cryptocurrency phishing scams are a new breed. They’re not easy to spot from afar. We can only hope Google’s crypto scam detection improves as organizations like Check Point release information about them.

When it comes to cryptocurrency, though, even the most legitimate of companies can end up helping scammers achieve their goals. Enter at your own risk.