Executive Summary
GoPlus has issued a warning regarding a widespread phishing scam where the top sponsored result for "Uniswap" on Google Search directs users to a fraudulent website. This incident has led to confirmed asset losses for users, intensifying scrutiny on the security practices within the Web3 ecosystem and the vetting processes of online advertising platforms.
The Event in Detail
The phishing campaign leverages Google Ads to promote counterfeit websites that are near-perfect replicas of the official Uniswap interface. Users searching for "Uniswap" are directed to these malicious sites, which often appear as the prominent top result. Upon interacting with the fake interface, users are prompted to sign what appears to be a standard transaction. However, these are malicious transaction requests, often disguised as "batch transaction approval" or "batch settlement" requests, which grant attackers permission to transfer assets in bulk from the victim's wallet without the victim realizing it. Attackers do not require private keys; merely signing such a malicious request is sufficient.
Incidents of substantial financial loss have been documented. In August 2025, a user reportedly lost approximately $1 million in tokens and NFTs after signing a malicious transaction disguised as a Uniswap swap. Another DeFi user lost over $1.23 million in Uniswap V3 NFTs in July 2025 following a similar pattern. In a separate, larger incident, a long-active DeFi trader lost roughly $6.5 million in September 2025, including over $4 million in stETH and significant amounts of aEthWBTC, by unknowingly signing multiple phishing "permit" signatures. Attackers frequently utilize Punycode URLs to make fraudulent sites appear almost identical to legitimate ones, further deceiving users.
Market Implications
The prevalence of such sophisticated phishing attacks using mainstream advertising platforms like Google Ads introduces significant security risks to the broader Web3 ecosystem and erodes user trust. The ability of malicious actors to exploit top search rankings suggests a lapse in the vetting processes of ad providers, potentially leading to increased caution among new and existing users. This trend could prompt calls for more stringent advertising policies for crypto-related terms and encourage DeFi protocols to enhance their security advisories, direct access methods, and user education initiatives. The attacks demonstrate that even experienced DeFi users are vulnerable, as these scams exploit human behavior and inattention rather than solely technical vulnerabilities in smart contracts.
Expert Commentary
GoPlus highlighted the initial discovery of the fake Uniswap site. Cybersecurity experts from ScamSniffer have observed the widespread impact, noting that phishing attacks in 2024 resulted in an estimated $500 million in losses across over 330,000 addresses. Ankit Patel, a cybersecurity analyst at CyberShield India, noted that "attackers have cleverly crafted these ads, sometimes even using the branding and logos of well-known platforms to confuse users." He further emphasized that "Once clicked, these ads lead to sites that are nearly identical to the real ones, but are designed to steal sensitive information like private keys and wallet addresses."
Security platforms and experts offer critical advice for users: always verify URLs, especially for official sites, which should use HTTPS and have matching domain names. Users are encouraged to utilize ad blockers, bookmark trusted sites, enable two-factor authentication (2FA), and regularly review and revoke unused wallet approvals. ScamSniffer and similar tools also recommend using transaction simulation to preview the outcome of a transaction before signing, and treating any simulation that shows assets transferring to unknown addresses as a warning sign.
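The URL check advised above can be automated for the Punycode case mentioned earlier. The following is an added example, not code from GoPlus, ScamSniffer or Uniswap: it decodes `xn--` labels and flags hosts that only match a trusted name after accents are folded away. The allowlist entries, function names and sample URLs are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist: confirm official hostnames through the project's own channels.
TRUSTED_HOSTS = {"uniswap.org", "app.uniswap.org"}

def to_unicode(host):
    """Decode Punycode (xn--) labels so the host reads as a browser may display it."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw xn-- form
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Fold accents and compatibility forms: NFKD, then drop combining marks."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def classify(url, trusted=TRUSTED_HOSTS):
    """Return 'trusted', 'lookalike', 'idn-untrusted' or 'untrusted' for a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in trusted:
        return "trusted"
    display = to_unicode(host)
    if skeleton(display) in trusted:
        return "lookalike"  # differs from a trusted host only by diacritics
    if display != host or not host.isascii():
        # Any other IDN host, including cross-script homoglyphs that
        # NFKD folding does not catch: never treat as the official site.
        return "idn-untrusted"
    return "untrusted"

def constructed_samples():
    """Constructed test URLs; the fake hosts are generated here, not real IoCs."""
    accent = "\u1ee5niswap.org".encode("idna").decode("ascii")    # u with dot below
    cyrillic = "unisw\u0430p.org".encode("idna").decode("ascii")  # Cyrillic 'a'
    return ["https://app.uniswap.org/", f"https://{accent}/swap",
            f"https://{cyrillic}/swap", "https://uniswap.example.com/"]

if __name__ == "__main__":
    for sample in constructed_samples():
        print(f"{classify(sample):14} {sample}")
```

Only an exact match against the allowlist counts as trusted; every other verdict means the page should not be used for signing.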
Broader Context
The incident with the fake Uniswap site is part of a larger trend of escalating crypto phishing attacks. In 2024, an estimated $500 million was stolen across more than 330,000 addresses, marking a 67% increase from 2023. The first quarter of 2024 was particularly damaging, accounting for $187.2 million in losses from 175,000 victims. The evolving landscape of wallet drainers has also seen consolidation, such as Angel acquiring Inferno. This highlights the increasing sophistication of malicious schemes and the persistent challenge for both users and platforms in securing digital assets against highly adaptive attackers.