Google Ads Exploited in $59 Million Crypto Theft

Scammers have exploited a new method to siphon off cryptocurrency, leveraging a wallet-draining service named “MS Drainer.” In a report dated December 21, Scam Sniffer, a blockchain security firm, revealed that over the past nine months, approximately $59 million in crypto was stolen using this service. The report, published on X (formerly Twitter), highlighted how scammers used Google Ads to deceive victims with counterfeit versions of popular crypto sites like DefiLlama, Lido, Orbiter Finance, Stargate, Radiant, and Zapper.

MS Drainer operates as a blockchain protocol that enables scammers to illicitly transfer cryptocurrency from victims’ wallets by manipulating the token approval process. The creators of this software typically require a share of the stolen funds, enforcing this payment through smart contracts that are notoriously difficult to circumvent.

Scam Sniffer first encountered MS Drainer in March, with the assistance of the SlowMist security platform team in their investigation. Further insights were provided in June by on-chain investigator ZachXBT, who linked MS Drainer to a phishing scam known as “Ordinal Bubbles.” ZachXBT discovered nine phishing ads on Google, with 60% of these employing the MS Drainer software.

Google has systems in place to audit and prevent phishing scam ads. However, the Scam Sniffer report indicated that the scammers employed regional targeting and page-switching techniques to evade these audits, complicating Google’s review process. This strategy allowed the deceptive ads to slip past Google’s defenses. The scammers also used web redirects, misleading users into believing they were accessing legitimate websites.

Scam Sniffer’s findings include the identification of 10,072 fraudulent websites using MS Drainer. According to a Dune Analytics tracking dashboard, this scheme has resulted in the theft of $58.98 million in cryptocurrency from over 63,000 victims.