Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Malware
  • Hackers use ‘Poison’ Google Ads to steal $50 million in cryptocurrencies
  • Malware

Hackers use ‘Poison’ Google Ads to steal $50 million in cryptocurrencies

Do Son February 19, 2018 6 minutes read
Add Daily CyberSecurity as a preferred source on Google

It is reported that hackers chose to use Google Ads to intrusion. The use of this very basic phishing technique has caused about $ 50 million in total losses over the past three years.

Encrypted currency is typically stored in an exchange’s, mining pool, or user’s personal wallet, making personal computers and exchanges the main target of hackers. Unfortunately, many have suffered such attacks in recent years. The largest of the attacks are well-known in the Encryption World: Mt. Gox and Coincheck, who have suffered the largest hacker in cryptocurrency history and stolen nearly $ 1 billion in two cases, accounting for the first days.

Mt. Gox is a major cryptocurrency exchange until 2014, where it suffered the largest cryptocurrency hacking ever. The amount of the hacking incident is estimated at about 450 million US dollars, resulting in the exchange declared bankruptcy. The shock wave swept the cryptocurrency community, causing Bitcoin prices to plummet.

A recent larger hacker attack occurred at the end of January 2018. Coincheck was hacked, amounting to more than 500 million U.S. dollars, but so far it has remained active due to its solvency. Thanks to the prosperity of the money market in 2017, a large number of investors, trading volume and wealth, Coincheck still has enough reserves to cover its losses. However, while Coincheck did not announce bankruptcy and opened the regulatory era, the prices of BTC and XEM (hacked currencies) remained volatile after the hacking incident.

The hacker incident seems more and larger, hacker’s courage also seems to be growing. But in addition, many of the smaller cryptocurrencies “robbery” have not actually been discussed yet.

According to Talos cybersecurity report, the hacking incident is through Google Ads. Although hundreds of millions of dollars have not been stolen, fifty million dollars remains a non-trivial matter. Especially for those who lost cryptocurrencies in the hacking incident. The blockchain should be transparent, but even if the transaction amount is publicly displayed, the wallet that receives and sends money remains difficult to pin down to the user. For years, hackers kept looting millions of cryptocurrencies because they were able to remain anonymous. Cryptocurrencies are created to provide anonymity to users, but blockchains like BTC are completely transparent. This transparency is beneficial in most cases unless you encounter hackers using the Bitcoin blockchain. Even if the funds were released to which wallet, the true identity of hackers will not be exposed.

Cisco recently shifted its focus to blockchain technology. As a result, they are able to understand the security threats and, further, reveal the dark hands behind a large number of daring hacking incidents. The most recent hacking incident was done by an organization that claims to be Coinhoarder, based in Ukraine. The technology used by these hackers is very basic, but it can attract thousands of people’s attention and money. This simple technique includes hackers publishing ads related to key search terms on Google. These key search terms are directly related to cryptocurrencies. Terms such as “blockchain,” “cryptocurrency wallet,” and “bitcoin wallet,” are search terms that provide malicious advertising.

Ads for these specific search terms mimic legitimate domain names that are specifically used to encrypt currency wallets, such as blockchain.info. Users can not notice the subtle differences in domain names and web presence, which allows hackers to allow unsuspecting users to browse their malicious Web sites for an extended period of time. The landing page for “blokchien.info/wallet” looks almost identical to the familiar blockchain.info. If you do not notice the lack of “ie” or “c” in the URL, you may easily get hooked into the scam. The worst (or the brightest) part is that hackers paid enough to put their malicious links in the better position than the correct version of the site they were mimicking.

Once a user enters a malicious website, they will behave as if they were the first time or habitually visiting the correct website. As a result, they enter personal information that allows hackers to access the correct website’s wallet. After they’ve accessed the user’s wallet, they transfer the funds to themselves and the hacking is done. The whole strategy is to mimic the right website as much as possible and buy Google ads for a premium. Even more shocking is that this phishing scandal has been around for three years, according to a Cisco-Ukraine cyberpolice partnership.

It is now widely accepted that the Coinhoarder Group should be responsible for the many hacking incidents since 2015 and the value and volume of such events soared by the end of 2017 as Bitcoin prices soared. Between September, November, and December three months, more than $ 10 million were stolen. Even if the network of police forces and senior security company to chase after, hackers are still daring. While websites such as Facebook have banned ads related to cryptocurrencies, the technology to simulate phishing scams is still gaining in popularity.

Coin hoarders specialize in phishing scams, but it’s just one of the many technologies that steal cryptocurrencies. According to the report known, the infamous Korean hacker attack organization Lazarus Group, but also through the website mirroring technology phishing fraud. More and more hackers use very basic web mirroring technology to give users the information they need to access their wallet and steal expensive encryption currency. The most recent IP addresses of individuals attacked by hackers are mainly in Africa, Nigeria, and Ghana. This is not surprising given that the underdeveloped regions of the world are the most heavily used currency for cryptocurrencies, while the people there may not have received enough education about anti-fraud. However, a fully mirrored website can easily be confusing unless users actively monitor the URLs they visit.

The bitcoin address to which the stolen funds were transferred is knowable, but we still have no idea what to do with it. The problem is still that the BTC address is anonymous, with nothing but a number, and it is almost impossible to know who holds a suspicious wallet. We can monitor and track funds indefinitely until they are spent or transferred to an exchange. However, no one can guarantee the success of the wallet to find the holder.

The benefits of the blockchain are occasionally its drawbacks. If the blockchain is completely transparent and requires identification, we can find hackers, but decentralization and anonymity cease to exist. Almost everything in life has a trade-off and holds Bitcoin wallets without identification, allowing individuals to hold money with a wallet number in a secure blockchain. In this case, the way hackers spend money will be difficult to capture and expose.

Source: fortune

Related coverage

  • Malicious KMSPico installers is stealing users’ encrypted wallets
  • “Coyote” Trojan Strikes Brazil’s Banks, Experts Warn of Next-Gen Threat
  • Trojanized MSIX Installers: NUMOZYLOD Malware Exploits Popular Software
  • Matanbuchus 3.0 Downloader Pivots to Ransomware, Using Protobufs and QuickAssist for Stealth Access
  • Malicious Traffic Routing Stack Exploited to Spread Global Malware
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Bitcoin Google Ads

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
  • CVE-2026-8481CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.