Share
BREAKING - WALLET DRAINER

Uniswap Google Ads Scam: AngelFerno drainer stole $400K from one trader

In late May 2026, a single trader lost roughly $400,000 in life savings after clicking the top sponsored Google result for "uniswap." The ad outranked the real uniswap.org link, the landing page looked identical, and the only "click" needed to lose everything was a wallet signature.

SafeBrowz Threat Research Security ResearchMay 30, 202610 min read

Quick Take

A sponsored Google Ads link impersonating Uniswap drained roughly $400,000 from a single trader in late May 2026. The fake URL used a Cyrillic lookalike of uniswap.org and the connected wallet was emptied seconds after signing a Permit2 token approval. The drainer kit is called AngelFerno, sold as a service to affiliates, and it now sits inside a wider 2026 surge in signature phishing that Scam Sniffer tracked at $6.27 million stolen in Q1 alone, up 207 percent quarter on quarter. Bookmark uniswap.org. Never reach DEXes from search ads.

What happened to the $400K trader

The victim, by their own retelling on X, did what they had done dozens of times before. They typed "uniswap" into Google. They clicked the top result. It was labeled Sponsored and sat above the organic uniswap.org link, the way ads always do now. The destination looked like the Uniswap interface. They connected their wallet, started what they thought was a routine swap, and signed the popup that came up.

Within seconds, every tradable token across their connected addresses moved out. The on-chain total reported across the protos.com and cryptotimes.io writeups landed near $400,000, described by the victim as their life savings. The attacker used a malicious token approval to authorize itself to spend the wallet's balances, then executed a batched transfer that swept everything in a single flow.

Uniswap founder Hayden Adams picked it up publicly, calling on Google to do more about sponsored phishing ads that impersonate the protocol. His call mirrors a complaint Coinbase, Trezor, Ledger, and MetaMask have made for years: search-ad infrastructure keeps approving lookalike domains that real teams cannot get taken down fast enough.

This is not an isolated event. Scam Sniffer's Q1 2026 report logged $6.27 million stolen through signature-phishing alone in the first three months of the year, a 207 percent jump quarter over quarter. Google Ads is one of the highest-converting delivery channels in that wave.

How the fake ad outranked the real Uniswap site

Sponsored placements live above the organic results. They are bought, not earned. A scammer running a clean-looking Google Ads account can outbid Uniswap's own ad spend (or simply target a window when Uniswap is not bidding) and sit at position zero on the search results page for hours or days before takedown.

What makes the trick work is that Google now shows the display URL the advertiser chose, which can look like uniswap.org even when the click destination is a different domain. The user's eye reads "uniswap.org" and clicks. The actual landing page is the punycode clone described below.

We covered the broader version of this attack in our search engine phishing writeup. Coinbase, MetaMask, Trezor, and every major bank have been impersonated through Google Ads in the past 18 months. Pattern stays the same; only the logo changes.

Why Google's brand-impersonation filter keeps failing

Google publishes a Safety Report claiming billions of bad ads removed per year. The number is real. The problem is throughput: scammers rotate landing pages in minutes, swap LLC names every few days, and run ads in geographic windows where Google's review is slowest. By the time the ad is gone, the wallet is empty. There is no Google-level appeal that brings funds back.

The Punycode clone: looks like uniswap.org, isn't

The landing page lived on a Punycode domain. Punycode is the encoding that lets non-ASCII characters appear in URLs. International domains use it legitimately, but attackers abuse it to substitute lookalike characters from Cyrillic, Greek, or Armenian alphabets.

In this campaign the fake URL used a Cyrillic а (U+0430) in place of the Latin a in "uniswap." The two characters render identically in most fonts. In the address bar, the URL reads as uniswap.org. Behind the scenes it resolves to xn--uniswp-pyc.org or a similar punycode-encoded host. Modern browsers display a punycode warning only when the script mix is suspicious, and many homograph attacks slip past that heuristic.

This is the same playbook we documented in the stable.xyz lookalike drainer, the free-hosting Vercel drainer pages, and the Hyperliquid airdrop checker scam. The brand changes, the homograph mechanic does not.

How AngelFerno actually empties the wallet

AngelFerno is what the underground market calls a drainer-as-a-service kit (DaaS). The operators of AngelFerno run the smart contract and the back-end. Affiliates run the front-end (the phishing site) and split a cut, usually 20 to 30 percent, with the kit operators. This is the same business model that Pink Drainer ran before its end-May shutdown, and the same model Inferno Drainer, MS Drainer, and Angel Drainer operate today.

The technical flow on a Uniswap-style clone goes like this. The fake site loads what looks like the Uniswap swap UI. You click "Connect Wallet." MetaMask, Rabby, or Coinbase Wallet pops up and asks for connection. Connection alone does not move funds.

Next, you click "Swap." Instead of building a real Uniswap transaction, the site asks your wallet to sign a Permit2 signature. Permit2 is a real Uniswap contract that lets a user grant token-spending allowance to a third party without sending a transaction. It is meant for legitimate UX (gas-free approvals). Drainers weaponize it because a signature feels safer than a transaction; users get trained to click through signature popups and most wallet UIs do not surface the spender address and amount clearly.

The malicious Permit2 payload requests unlimited spending allowance on every valuable token in your wallet, granted to an attacker-controlled router contract, with a far-future deadline. You sign. No transaction is broadcast at that moment. No gas leaves your wallet. The site shows a generic "swap failed, please retry" error and the page closes.

Minutes or hours later, the attacker submits a single execute transaction calling the Permit2 router with your signed approval. It transfers everything in one batched call. By the time you see the on-chain notification, the funds are bridged out. We have a deeper breakdown of the contract mechanics in our Permit2 signature attack explainer.

Newer variant: Google Sponsored ad to sites.google.com path (late May 2026)

The Punycode clone is the playbook AngelFerno affiliates have run for months. The newer twist surfacing in late May 2026 abuses the same Google Sponsored ad slot but routes victims to sites.google.com path-based pages instead of a punycode lookalike. Two live attack URL patterns from the current wave:

  • https://sites.google.com/new-app-uniswap.org/explore/uniswp?gad_source=1...
  • https://sites.google.com/newconnectapp.com/sss/uni?gclid=...
🛡 LIVE CHECK

Test a suspicious link right now

Got a phishing email or text? Click any red-dotted domain above, or paste your own suspicious link. Our 3-layer engine (Local + APIs + AI) returns a verdict in ~3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

The hostname is real Google. The path does all of the impersonation work. Six stacked techniques make this variant especially dangerous:

  1. Free-hosting parent legitimacy. sites.google.com is a real Google product (Google Sites). Most safe-browsing blocklists will not flag the whole platform because billions of legitimate pages live on it. A scammer publishes a single phishing page on a free Google Sites sub-path and inherits Google's TLS certificate, uptime, and reputation for free. PhishTank and URLhaus often suppress reports against sites.google.com paths because false-positive risk is too high at the platform level.
  2. Brand name moved into the path. Because the host cannot be the impersonating string, the attacker pushes the target brand into the URL path. The segment /new-app-uniswap.org/ reads like a Uniswap-affiliated URL to a casual user. The registrable domain is google.com, but the eye stops at the recognizable brand word in the middle of the URL.
  3. Domain-in-path camouflage. The path segment is itself a registered lookalike domain (new-app-uniswap.org, newconnectapp.com). Some browsers truncate long URLs in the address bar and surface only the lookalike fragment, hiding the sites.google.com prefix and reinforcing the illusion the user is on a Uniswap-related site.
  4. Abbreviation evasion. The second path segment uses a cropped form of the brand name (uniswp, sss/uni). Simple string-match detectors keyed to the full word "uniswap" miss the abbreviated variant. Crypto users recognize "uni" as the Uniswap token ticker, so the abbreviation reads as on-brand to the target audience while flying under naive filters.
  5. Google Ads referral query parameters. The gad_source=1 and gclid=... parameters confirm the click originated from a Google Sponsored placement. The same operator typically also runs parallel Bing and Yandex ad campaigns pointed at sibling URLs. Each click feeds attribution back to the affiliate dashboard, so traffic and conversion are measured exactly like a real growth campaign.
  6. Rapid URL rotation. When one path is reported and Google Sites takes it down, the affiliate redeploys the same template under a fresh sites.google.com sub-path within minutes. The Google Ads creative is updated to point at the new path. Reputation-based blocklists that catalogue exact URLs lag behind every rotation. The same takedown-resistance pattern is documented for Vercel and Netlify free-hosting drainers in our free-hosting drainer writeup.

Once the user lands on the page, the rest of the attack is identical to the Punycode-clone variant: Uniswap-style swap UI (HTML and CSS lifted from the real app), "Connect Wallet" prompt, and a Permit2 unlimited-allowance signature payload on swap click. The wallet-drainer back-end is the same. Only the delivery surface changed.

Other free-hosting platforms abused in parallel waves through 2026: vercel.app, netlify.app, web.app (Firebase), pages.dev (Cloudflare Pages), github.io, gitbook.io, notion.site, framer.website, webflow.io, replit.app, glitch.me, ipfs.io, wixsite.com, wixstudio.com, weebly.com, and godaddysites.com. The parent platform is legitimate in every case. The path or subdomain holds the phishing payload.

Red flags that should have stopped the click

  • The result was labeled Sponsored. Real Uniswap rarely buys ads on its own brand name in 2026, and even when it does, the trust assumption "sponsored = legit" is dead.
  • The hover URL did not match a known Uniswap host. Real Uniswap lives at app.uniswap.org and uniswap.org. Anything else is suspect.
  • The address bar showed the punycode warning (in newer Chrome and Firefox builds). The display flips to xn--... when the script mix is unusual. Users who saw it and ignored it paid for it.
  • The wallet popup asked for a Permit2 signature instead of a transaction. On a real swap, you sign a transaction and pay gas. A signature with no gas estimate that requests unlimited allowance on multiple tokens is a drainer pattern.
  • The "swap failed" error was instant, with no on-chain hash. Real DEX failures return a revert reason and a transaction hash you can paste into the explorer.
  • The page domain did not match the wallet popup origin string. Wallets show the requesting origin in fine print. Many users do not read it. AngelFerno hosts work because of that gap.

What to do if you already signed

Move now. Every minute is a minute the attacker has to broadcast the execute call. The order of operations matters.

Open revoke.cash on a clean tab. Connect the same wallet. Look at the Permissions tab. Sort by date. Anything signed in the last hour that is not a known protocol is hostile. Revoke it. Each revocation is its own transaction, so you need a small amount of ETH or the chain's native gas token in the wallet to clear them.

If the wallet is on multiple chains, revoke on each. Drainer kits often spray approvals across Ethereum, Base, Arbitrum, Optimism, and Polygon in one signature batch using Permit2's cross-chain capable flow. Check each network on revoke.cash separately.

Move everything left to a fresh wallet. Generate a new seed phrase in a clean app on a different device if possible. Transfer remaining tokens to that new wallet. Do not reuse the old one even after revoking, because more approvals may exist than you can see (some drainer payloads hide spender addresses behind proxy contracts).

If the wallet was a hot wallet on a phone or browser with no hardware key, treat the seed as compromised. The attacker did not need it for this attack, but if any browser extension or any visited site logged or sniffed it, future drains are possible. Retire it.

Report to Chainabuse, the relevant chain's analytics (Etherscan tip line, Blockscout abuse), and file with FBI IC3 if you are in the US. The funds are almost never recovered, but reporting feeds the takedown pipeline that gets the affiliate domains pulled faster. See our wallet-drained recovery guide for the longer 24-hour and 7-day checklist.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures run directly in the browser before the page renders. Punycode and Cyrillic homograph detection is baked in. Any host whose unicode-decoded form matches "uniswap" but whose registrable domain is not uniswap.org gets flagged red. The same logic catches lookalikes for Coinbase, MetaMask, PancakeSwap, Curve, Aave, and every other DEX in the brand database. Free-hosting path-based detection added in the v2.9.9 release covers sites.google.com, vercel.app, netlify.app, web.app, pages.dev, github.io, gitbook.io, notion.site, framer.website, webflow.io, replit.app, glitch.me, wixsite.com, wixstudio.com, weebly.com, and godaddysites.com — when the path or subdomain contains a brand impersonation token, a crypto-abbreviation pattern (uni, eth, usdt), red-flag keywords (connect, claim, airdrop, verify), or Google Ads referral parameters (gad_source, gclid), the page is flagged before the wallet popup can fire.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs server-side. AngelFerno affiliate domains tend to surface on PhishTank within a few hours of going live. The API tier picks them up automatically.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants that have no entry in any blocklist yet. When a fresh AngelFerno landing page loads, the AI scan compares structure (Uniswap-style UI, wallet connect button, swap form) against the real brand and against the visited domain. A mismatch returns a danger verdict in seconds. Premium also adds wallet-drainer script signature matching for the Inferno, Angel, Pink, MS, and AngelFerno families directly.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Block fake Uniswap and DEX phishing before the signature popup

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge. It blocks fake DEX clones, wallet drainers, and Permit2 signature traps before the page renders. The local layer catches 550+ brands including Uniswap, MetaMask, Coinbase, Phantom, Rabby, and Ledger. AI deep scan (Premium) catches new affiliate domains the same day they appear, even when no blocklist has them yet.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

Frequently asked questions

What is AngelFerno and is it new?

AngelFerno is a drainer-as-a-service kit, meaning a packaged smart contract plus drainer back-end that affiliates rent to run their own phishing sites. It is not new in concept (Inferno Drainer, Angel Drainer, MS Drainer, and Pink Drainer used the same model) but it became one of the more active kits in spring 2026 after Pink Drainer announced its shutdown at the end of May. Affiliates of older kits migrate to whichever operator still pays out and still rotates infrastructure fast enough.

How did the attacker outrank uniswap.org on Google?

By buying a sponsored ad slot. Google Ads sells the position above organic results. Anyone with a clean-looking Ads account can target the keyword "uniswap" and outbid the protocol or appear when Uniswap is not actively bidding. Google's brand-impersonation filter does not catch every lookalike landing page, especially when the affiliate rotates LLC names and creative every few days. Hayden Adams publicly called on Google to act on this exact pattern in late May 2026.

What is a Permit2 signature and why is it dangerous?

Permit2 is a real Uniswap contract that lets a wallet grant token-spending allowance to a third party by signing a typed message rather than sending an on-chain transaction. Legitimate apps use it for gas-free approvals. Drainers abuse it because a signature feels safer than a transaction (no gas, no popup confirming a value transfer) and most wallet UIs do not surface the unlimited-amount or far-future-deadline parameters clearly. Once signed, the attacker can call execute later and sweep every approved token in one batched transaction.

How can I tell a Punycode lookalike URL from a real one?

Click the address bar and look at the full URL. Modern Chrome and Firefox display the punycode-encoded form (starts with xn--) when the unicode script mix looks unusual. If the URL flips to xn--... when you click in, the page is using non-Latin characters that look like Latin ones. Real uniswap.org is pure ASCII. Better yet, never reach DEXes from search results. Bookmark the real domain and reach it from the bookmark only.

Can I recover the $400K if I was the victim?

Direct recovery from the drainer wallet is almost never possible. The funds get bridged through mixers (Tornado Cash on the source chain or eXch on alt-chains) within minutes. Realistic paths are: file with FBI IC3, report on Chainabuse, alert the relevant DEX team (Uniswap Labs has a dedicated address for these reports), and notify any centralized exchange the funds touched so they can freeze if the attacker tries to off-ramp. Recovery scams promising guaranteed recovery for an upfront fee are themselves scams. Do not pay any third party promising to "trace" or "recover" funds.

Are scammers really hosting Uniswap phishing pages on sites.google.com?

Yes, this is a live and growing variant since late May 2026. The attacker runs a Google Sponsored ad for the keyword "uniswap" or related terms ("uni swap", "uniswap connect", "uniswap claim") that points at a free Google Sites page at a path like sites.google.com/new-app-uniswap.org/explore/uniswp or sites.google.com/newconnectapp.com/sss/uni. The page hosts the same Uniswap-style UI and Permit2 drainer payload as the Punycode-clone variant. The trick is that the hostname is real Google, so the page inherits Google's certificate and trust signals, and most safe-browsing blocklists hesitate to flag the whole sites.google.com platform. Detection has to look at the path, not just the registrable domain. Other free-hosting platforms abused the same way include vercel.app, netlify.app, web.app, pages.dev, github.io, gitbook.io, notion.site, framer.website, and a dozen more.

Why does the phishing URL keep changing?

Affiliate drainer kits run takedown-resistance by design. Each campaign uses a template (Uniswap-style HTML, drainer back-end contract, Google Ads creative) that can be redeployed under a fresh path in minutes once the previous one is reported. The Google Ads platform is also part of the rotation: when one ad creative gets flagged, the operator pauses it, switches to a parallel Ads account, and resumes pointing at the new landing path. URL-exact blocklists always lag rotation, which is why pattern-based and content-based detection layers matter more than reputation alone.

Does SafeBrowz block fake Uniswap sites before the wallet popup?

Yes. Layer 1 local detection runs before the page renders, so the SafeBrowz danger overlay appears before the page can request a wallet signature. Uniswap is in the 550+ brand database. Punycode and Cyrillic homograph detection catches the standard AngelFerno URL pattern. Premium adds AI deep scan and drainer-script signature matching for new affiliate domains the moment they go live. Free version covers the majority of known patterns. Install link is at the top and bottom of this page.

Last updated 2026-05-31

Related SafeBrowz coverage