A sponsored Google Ads link delivered malware that stole thousands of dollars in crypto and NFTs from an influencer’s wallet.
An NFT influencer claims they lost “a life-changing sum” of their net worth in nonfungible tokens (NFTs) and cryptocurrency after downloading malware from a Google Ad search result.
On January 14, the pseudo-anonymous Twitter influencer known as “NFT God” issued a series of tweets outlining how his “entire digital livelihood” was attacked, including a hack of his crypto wallet and multiple internet identities.
NFT God, also known as “Alex,” said he used Google’s search engine to download OBS, an open-source video streaming programme. Instead of going to the official website, he clicked a sponsored advertisement for what he assumed was the same software.
It wasn’t until hours later, after attackers posted a series of phishing tweets from two Twitter accounts Alex manages, that he realised malware had been downloaded alongside the software he sought from the sponsored advertisement.
Alex discovered his crypto wallet had been compromised after receiving a message from a friend. Attackers broke into his Substack account the next day and sent phishing emails to his 16,000 subscribers.
According to blockchain data, at least 19 Ether worth approximately $27,000 at the time, a Mutant Ape Yacht Club (MAYC) NFT with a current floor price of 16 ETH ($25,000), and a number of other NFTs were drained from Alex’s wallet.
The majority of the ETH was moved through various wallets before being sent to the decentralised exchange (DEX) FixedFloat, where it was exchanged for unknown cryptocurrencies.
The “key mistake” that permitted the wallet breach, according to Alex, was setting up his hardware wallet as a hot wallet by entering its seed phrase “in a way that no longer kept it cold,” or offline, allowing the hackers to get control of his crypto and NFTs.
Unfortunately, NFT God’s experience is not the first time the crypto community has encountered cryptocurrency-stealing malware in Google Ads.
According to a Jan. 12 investigation from cybersecurity firm Cyble, an information-stealing malware known as “Rhadamanthys Stealer” is spreading via Google Ads on “very convincing phishing webpage[s].”
Binance CEO Changpeng “CZ” Zhao warned in October that Google search results were boosting cryptocurrency phishing and scamming websites.
Cointelegraph reached out to Google for comment, but received no answer. Google does, however, state on its help site that it “actively works with reputable advertisers and partners to help avoid malware in advertising.”
It also mentions how it uses “proprietary technologies and malware detection tools” to check Google Ads on a regular basis.
Cointelegraph was unable to duplicate Alex’s search results or determine whether the rogue website was still operational.