Those who are new to cryptocurrency may not totally understand how every aspect of virtual currency works. Many will go to Google and other search engines to search for things like “What is cryptocurrency?”, “How to buy Bitcoin” and “What is a crypto exchange?” Knowing that not everyone is familiar with how it works, scammers have taken advantage of crypto newbies through a phishing scam in which victims lost over $500,000, according to research by Check Point Research (CPR).
What happened? “Attacker buys Google Ads in response to searches for popular crypto wallets (that’s the software used to store cryptocurrency, NFTs, and the like),” said James Vincent for The Verge.
From there, crypto novices who search for related queries are served a Google Ads result that takes them to a phishing site instead of a legitimate URL. “Researchers from CPR spotted multiple phishing websites that looked like the original website because the scammers copied its design. For the domain “phantom.app”, the Phantom wallet’s official site, we encountered phishing variants like phanton.app or phantonn.app, or even different extensions like “.pw” and more,” wrote CPR researchers Dikla Barda, Roman Zaikin and Oded Vanunu.
After that, the searcher is either instructed to enter their credentials (which the scammers then steal and use to transfer funds to their own wallets) or given a recovery password that logs them into the scammer’s wallet, so any added funds go into that wallet instead of their own.
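The lookalike domains CPR describes can be caught by comparing an ad's landing-page domain against the wallet's official one. The following check is an added example, not code from CPR or Google; the function names, the distance threshold and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Official site named in the article; extend with other wallets as needed.
OFFICIAL = {"phantom.app"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def site_of(url_or_host: str) -> str:
    """Last two labels of the hostname. Assumption: this stands in for the
    registrable domain; production code should use the Public Suffix List."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text  # let urlsplit treat a bare hostname as a netloc
    host = (urlsplit(text).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify(url_or_host: str, official=OFFICIAL, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike-name', 'lookalike-extension' or 'unrelated'."""
    site = site_of(url_or_host)
    if site in official:
        return "official"
    name = site.rpartition(".")[0]
    for good in official:
        distance = edit_distance(name, good.rpartition(".")[0])
        if distance == 0:
            return "lookalike-extension"  # same name, different extension
        if distance <= max_distance:
            return "lookalike-name"       # misspelled name, any extension
    return "unrelated"

# Constructed landing-page URLs built from the domains quoted in the article;
# phantom.pw is a constructed illustration of the ".pw" extension it mentions.
SAMPLES = ["https://phantom.app/", "https://www.phanton.app/download",
           "phantonn.app", "http://phantom.pw/", "https://example.com/"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:35} {classify(url)}")
```
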
Google’s cryptocurrency ad policies. In June, Google Ads updated its cryptocurrency ad policies to be stricter and to require certification, Search Engine Land reported. “Google has recently gone back and forth with policies around ads for crypto exchanges and wallets. In early 2018, Google originally banned crypto advertising, but rolled back that ban later in the same year.” The June 2021 policy update included the following measures and required compliance by August 2021:
Financial advertisers will need to check the following boxes to be able to advertise on Google Ads:
- Be duly registered with:
  - (a) FinCEN as a Money Services Business and with at least one state as a money transmitter; or
  - (b) a federal or state-chartered bank entity.
- Comply with relevant legal requirements, including any local legal requirements, whether at a state or federal level.
- Ensure their ads and landing pages comply with all Google Ads policies.
“Advertisers must also be certified with Google,” says the current Google documentation regarding crypto exchanges.
We’ve reached out to Google for comment, but had not received one by publish time. We will add the comment upon receiving it.
Why we care. Not only is this a huge loss for those who may not be crypto experts, but it also dilutes the legitimacy and work of the ad specialists who jumped through the hoops to follow Google Ads’ cryptocurrency policies. The phishing ads also potentially instill distrust of ad results among searchers.