A Polymarket trader known as @ika_xbt lost their entire net worth, a mid-six-figure cryptocurrency portfolio, after clicking a fraudulent Google advertisement that impersonated Uniswap. The incident, which surfaced on February 17, 2026, prompted Uniswap founder Hayden Adams to publicly declare that "the ad economy needs to go," reigniting a years-long debate over Google's role in enabling crypto phishing at scale.
The attack used AngelFerno, a wallet-draining script operating under a scam-as-a-service model, and Punycode URLs built with Cyrillic characters that made the fake domain visually indistinguishable from the real Uniswap interface. As of February 21, 2026, cryptocurrency thefts in January alone reached $370.3 million across 40 separate incidents, nearly four times the amount stolen in January 2025.
One Click, Six Figures Gone
The attack followed a pattern that has been documented since at least 2021 but keeps working because Google has not solved it. The victim searched for Uniswap on Google, clicked the top result (a paid advertisement), and landed on a pixel-perfect replica of the Uniswap interface. After connecting their wallet and signing what appeared to be a standard transaction approval, the AngelFerno drainer script gained authorization to sweep the wallet's contents.
The victim later described the loss as resulting from "a long chain of bad decisions" after maintaining discipline for two years. The admission cuts to the core of why these attacks are so effective: they exploit the trust users place in search engine results, not in the DeFi protocol itself.
Forensic investigator ZachXBT called for "severe consequences against Google" for repeatedly allowing phishing ads to appear at the top of search results for major crypto brands. This was not Google's first encounter with the problem. In July 2025, another DeFi user lost $1.2 million through a nearly identical Uniswap phishing ad.
AngelFerno and the Punycode Playbook
AngelFerno is not a lone wolf tool. It operates as a scam-as-a-service platform, providing turnkey phishing infrastructure to attackers who pay a cut of stolen funds. The script has previously been deployed against OpenEden and Curvance websites, and its domains appear on multiple GitHub phishing blocklists.
The technical sophistication of the attack relies on Punycode, an encoding system that allows international domain names to use characters from non-Latin scripts. By substituting Cyrillic characters that look identical to Latin ones (the Cyrillic "a" and Latin "a" are visually indistinguishable but have different Unicode values), attackers create domains that pass a casual visual inspection. A user checking the URL bar sees what appears to be the correct address.
This technique has been a known attack vector for years. Browsers like Chrome began showing Punycode-encoded URLs in their raw form (xn-- prefix) for mixed-script domains back in 2017. But the defense is inconsistent, and Google Ads does not appear to apply the same scrutiny to the display URLs in sponsored results.
Hayden Adams Has Been Fighting This for Years
Adams' frustration is not new. He told his followers that "these scams are horrible, we've been fighting them for years" and noted that counterfeit Uniswap applications had proliferated while the team awaited legitimate App Store approval. The gap between applying for official distribution and actually getting approved creates a window that scammers consistently exploit.
The broader DeFi ecosystem faces a structural problem: decentralized protocols cannot control how users reach them. Unlike a bank that owns its website, its app, and its branch network, a protocol like Uniswap exists as a smart contract on Ethereum. Anyone can build a frontend that interacts with it, and attackers build fronts that look legitimate while injecting approval transactions that drain wallets.
This is why self-custody options come with a double-edged warning. Holding your own keys eliminates counterparty risk (no FTX-style collapse can freeze your funds), but it also means there is no fraud department to call when you sign a malicious transaction. The responsibility sits entirely with the user.
$370 Million in January Alone
According to CertiK data cited by CoinTelegraph, January 2026 saw $370.3 million in cryptocurrency thefts across 40 exploit and scam incidents. That figure is the highest in 11 months and nearly four times January 2025 levels. One individual alone lost approximately $284 million through social engineering.
The trend suggests that as crypto prices remain volatile and new users enter the space, the attack surface for phishing grows faster than the industry's ability to educate users. The problem is compounded by the fact that the most effective phishing vectors are not protocol exploits, they are social engineering attacks that bypass every smart contract audit in the world.
Chainalysis has flagged Google phishing ads as a major attack vector in its annual crime reports. The economics are simple: a scammer pays a few hundred dollars for a Google Ad targeting "Uniswap" or "MetaMask" and potentially nets six or seven figures from a single victim. The return on investment dwarfs almost any other form of cybercrime.
What Crypto Users Should Do Right Now
The most effective defense is also the simplest: never access a DeFi protocol through a search engine. Bookmark the official URL directly. Use browser extensions like the official MetaMask extension that verify contract addresses. Enable hardware wallet confirmation for every transaction, which forces you to physically review and approve each approval on a separate device.
For users who hold crypto on cards rather than directly interacting with DeFi protocols, the risk profile is different but not zero. Custodial card providers like Crypto.com, Coinbase, and Binance maintain their own security layers, but users still need to verify they are on the real platform before logging in. Phishing ads targeting exchange login pages follow the same playbook.
Users of self-custody crypto cards like Gnosis Pay or MetaMask face the same wallet-drainer risk as any DeFi user. The card may be safe, but the wallet it is connected to is only as secure as the transactions you approve.
Practical steps:
- Bookmark everything. Never search for a DeFi protocol or exchange. Type the URL or use a bookmark.
- Use a hardware wallet. Ledger, Trezor, or any device that requires physical confirmation prevents blind signing.
- Revoke unused approvals. Tools like Revoke.cash let you audit and remove token approvals you no longer need.
- Check the URL encoding. If your browser shows an xn-- prefix in the URL bar, the domain uses Punycode and is likely not legitimate.
The Bigger Question Google Will Not Answer
Google's advertising platform generates over $200 billion in annual revenue. Crypto phishing ads represent a microscopic fraction of that total, which may explain why the company has not invested in eliminating them. Every major crypto brand, from Uniswap to MetaMask to Ledger, has seen counterfeit ads appear in search results at some point.
The European Parliament's recent push for the digital euro and evolving SEC stablecoin rules signal a future where crypto payments become more mainstream. As that happens, the pool of potential phishing victims grows. Without a structural fix from Google, or regulation forcing one, the pattern will continue.
Adams' call for the ad economy to end is provocative but points to a real tension: the business model that funds free search is the same one that funds the scam ads appearing at the top of search results.
FAQ
How did the fake Uniswap ad drain the trader's wallet? The victim clicked a Google-sponsored ad that led to a pixel-perfect Uniswap clone. After connecting their wallet and signing a transaction, the AngelFerno drainer script gained approval to sweep all tokens from the wallet.
What is AngelFerno? AngelFerno is a wallet-draining tool operating as a scam-as-a-service platform. It provides turnkey phishing infrastructure to attackers and has been used against multiple DeFi protocols including OpenEden and Curvance.
What is a Punycode attack? Punycode allows domain names to use non-Latin characters. Attackers substitute Cyrillic characters that look identical to Latin ones, creating URLs that appear legitimate but point to malicious sites. The Cyrillic "a" and Latin "a" look the same but have different Unicode values.
How can I protect myself from Google ad phishing? Never access crypto platforms through search results. Bookmark official URLs, use hardware wallets for transaction confirmation, regularly revoke unused token approvals, and watch for xn-- prefixes in URLs that indicate Punycode encoding.
How much was stolen through crypto scams in January 2026? CertiK reported $370.3 million across 40 incidents in January 2026, nearly four times January 2025 levels and the highest monthly figure in 11 months.
Overview
Uniswap founder Hayden Adams publicly condemned Google's ad platform after a trader lost their mid-six-figure net worth to a phishing ad that perfectly mimicked the Uniswap interface. The attack used the AngelFerno wallet-draining tool and Punycode URLs with Cyrillic characters to fool victims. With $370.3 million stolen through crypto scams in January 2026 alone, the incident highlights a structural vulnerability: Google's ad platform remains the most cost-effective phishing vector in crypto, and neither the search giant nor regulators have implemented a fix. Users should never access DeFi protocols through search results, should use hardware wallets, and should regularly audit token approvals.
Recommended Reading
- Scammers Are Mailing Fake Trezor and Ledger Letters
- Specialized AI Detects 92 Percent of Real-World DeFi Exploits
- A Single Misconfigured Oracle Drained $1.78 Million From Moonwell
