Hackers used malicious Google ads to trick users into giving up their private key to steal their cryptocurrency.
The cybercriminals targeted people who hold UST, a popular cryptocurrency that aims to remain pegged to the U.S. dollar from the Terra blockchain—a so-called stablecoin currently vying for dominance in decentralized finance, or DeFi. The phishing operation was spotted by cybersecurity firms Knownsec Blockchain Labs and SlowMist. According to Knownsec, the hackers have stolen $4.31 million from 52 wallets, which they hacked between April 12 and April 21. Knownsec posted a Terra address that the company says is linked to the hack, which contains 4,111,901 UST tokens ($4,111,901) and 2,089 LUNA tokens—part of the Terra ecosystem—worth $197,269.
Motherboard confirmed that a malicious ad targeting Terra users is the first result when searching "Terra bridge" on Google. The URL on the ad appears to match the real Terra bridge URL, which is bridge.terra.money. But once one clicks on it, instead of going to bridge.terra.money, the user is redirected to bridge.terra.momey.biz.
That site is currently flagged as “deceptive” by Google and closely resembles the real Terra bridge website, and immediately presents the user with a pop-up asking them to connect their wallet.
A moderator of Terra’s official Discord channel, who goes by "Somethingelse," told Motherboard that he spotted the malicious ads targeting the bridge and reported them to Google. Several people in the Discord channel also warned others of the malicious Google ads.
According to Somethingelse, malicious ads targeting various aspects of the Terra/Luna ecosystem have plagued investors for months. Another Terra moderator warned users on Twitter in March about ads targeting investors seeking the Anchor lending protocol.
“For the past few months, Anchor Discord saw a large uptick in users claiming that funds were stolen from their addresses. As the mod team worked with these folks, we started seeing a pattern of users saying they used Google to go to Anchor. After having the users show us their browser history, we could see where they went to a scam site. I can show you an example,” Somethingelse said in an online chat.
Do you have more information this phishing campaign? Or other web3 and crypto hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email email@example.com
“Several weeks ago we saw an uptick in user feedback across our community channels detailing typosquatting/phishing scams on Google Search, alongside scam ads mimicking the websites of products like Terra Station, the primary wallet for interacting on the Terra network, and others like Anchor protocol, a savings protocol and money market on Terra,” a spokesperson for Terraform Labs (TFL), the company behing the Terra blockchain and the UST stablecoin, said in an email.
“The strategy deployed by the scammers is evolving but mostly includes purchasing fake ads via Google or directing users to copycat websites (i.e., Station, Anchor, etc.) with a similar URL to the actual products' domain, asking users to connect their wallets and deposit funds, which are then absconded with by the scammers. Other methods include typosquatting sites for Station that prompt users to input their seed phrase to steal their funds.” the spokesperson added.
These phishing attacks show how hackers are getting creative in targeting people who hold cryptocurrency. They also show it’s possible to steal millions in crypto even without hacking the crypto company or project directly.
In the last few months, hackers have targeted large crypto companies like the play-to-earn video games Axie Infinity and WonderHero, the stablecoin Beanstalk, the Poly Network, the cross-chain bridge Wormhole, the popular exchange Crypto.com, Multichain, the crypto gaming company Vulcan Forge, BadgerDAO, and crypto exchange BitMart.
A Google spokesperson sent the following statement via email: “Protecting users from ad scams and fraud is a key priority, and we have strict policies that specifically prohibit phishing ads. We've reviewed the advertiser accounts in question and have taken appropriate enforcement action. We will continue to aggressively enforce our policies to prevent future abuse from bad actors.”
UPDATE, Apr. 22, 4:11 p.m. ET: This story has been updated to include a comment from Terraform Labs.
UPDATE, Apr. 25, 10:41 a.m. ET: This story was update to include Google’s comment.