Hackers Use Malicious Google Ads to Steal $4 Million in Crypto Stablecoin

Hackers used malicious Google ads to trick users into giving up their private key to steal their cryptocurrency. 

The cybercriminals targeted people who hold UST, a popular cryptocurrency that aims to remain pegged to the U.S. dollar from the Terra blockchain—a so-called stablecoin currently vying for dominance in decentralized finance, or DeFi. The phishing operation was spotted by cybersecurity firms Knownsec Blockchain Labs and SlowMist. According to Knownsec, the hackers have stolen $4.31 million from 52 wallets, which they hacked between April 12 and April 21. Knownsec posted a Terra address that the company says is linked to the hack, which contains 4,111,901 UST tokens ($4,111,901) and 2,089 LUNA tokens—part of the Terra ecosystem—worth $197,269.

Motherboard confirmed that a malicious ad targeting Terra users is the first result when searching “Terra bridge” on Google. The URL on the ad appears to match the real Terra bridge URL, which is bridge.terra.money. But once one clicks on it, instead of going to bridge.terra.money, the user is redirected to bridge.terra.momey.biz. 

Screen Shot 2022-04-22 at 10.12.47 AM.png

That site is currently flagged as “deceptive” by Google and closely resembles the real Terra bridge website, and immediately presents the user with a pop-up asking them to connect their wallet.


A screenshot of the phishing site. (Image: Motherboard)

A screenshot of the real Terra site. (Image: Motherboard)

A moderator of Terra’s official Discord channel, who goes by “Somethingelse,” told Motherboard that he spotted the malicious ads targeting the bridge and reported them to Google. Several people in the Discord channel also warned others of the malicious Google ads. 

According to Somethingelse, malicious ads targeting various aspects of the Terra/Luna ecosystem have plagued investors for months. Another Terra moderator warned users on Twitter in March about ads targeting investors seeking the Anchor lending protocol. 

“For the past few months, Anchor Discord saw a large uptick in users claiming that funds were stolen from their addresses. As the mod team worked with these folks, we started seeing a pattern of users saying they used Google to go to Anchor. After having the users show us their browser history, we could see where they went to a scam site. I can show you an example,” Somethingelse said in an online chat.

Do you have more information this phishing campaign? Or other web3 and crypto hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com

These phishing attacks show how hackers are getting creative in targeting people who hold cryptocurrency. They also show it’s possible to steal millions in crypto even without hacking the crypto company or project directly.

In the last few months, hackers have targeted large crypto companies like the play-to-earn video games Axie Infinity and WonderHero, the stablecoin Beanstalk, the Poly Network, the cross-chain bridge Wormhole, the popular exchange Crypto.com, Multichain, the crypto gaming company Vulcan Forge, BadgerDAO, and crypto exchange BitMart

Google did not immediately respond to a request for comment.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.

This post has been read 26 times!

Like Love Haha Wow Sad Angry