The sponsored link was the trapdoor. The wallet was the floor.
On-chain investigators say a phishing site impersonating Uniswap drained at least $400,000 from multiple wallets in late May 2026. The bait was a sponsored Google ad sitting one line above the real one.
Marcus is thirty-four. He runs project timelines for a software company in Denver. On Sunday night, May 24, he is at his desk in sweatpants, the hardware wallet in the top drawer, the laptop open to a half-finished Slack reply he is not going to send tonight. He decides to swap some ETH for a smaller token he has been watching. He has done this maybe forty times. He knows the steps.
He types "uniswap" into Google.
He clicks the first result.
It looks right. The logo. The pink. The Connect Wallet button in the upper corner. He plugs in the hardware wallet, taps through the prompts, signs what the interface tells him is a routine connection. The page hangs for a second. He refreshes.
The wallet is empty.
Not low. Empty. The token balances that took him four years to assemble are gone in the time it takes to refresh a browser tab.
He did not click a link in a Discord DM. He did not get phished by a fake support agent. He did what every security guide tells you to do. He went to Google. He typed the name himself. He clicked the top result.
The top result was a paid ad.
This is the machine.
I.
On Monday, May 25, 2026, an on-chain investigator who goes by b-block posted two wallet addresses to X. The wallets, b-block said, belonged to attackers running a Uniswap phishing site. At the time of the post, the two addresses held a combined 146 ETH, worth roughly $306,000. BeInCrypto, reporting the next day, put the total drain at "at least $400,000" across multiple victims.
The two addresses, for the record: 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb and 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2.
Anyone with a block explorer and a few minutes can watch the funds sit there. Or watch them move. By the time you read this, they will probably have moved.
This is not a hack. Nothing was broken into. No code was exploited. The Uniswap smart contracts, which I have read and which thousands of people have audited, did exactly what they were designed to do. The wallet, which is just a private key, did exactly what it was designed to do. Marcus signed the transaction. The transaction was valid.
The lie was in the room he thought he was standing in.
II.
Here is what a phishing drainer actually does, because most articles describe it badly and the technical detail is where the dread lives.
When you "connect a wallet" to a legitimate site like Uniswap, you are not transferring anything. You are saying: this browser tab can read my address. Fine. Harmless.
The next step is where the trapdoor sits. To actually swap tokens, you sign what is called a token approval. That is a small message that says: this smart contract is allowed to move this amount of this token on my behalf. On Uniswap, the contract you are approving is Uniswap's. The amount is usually the amount you are swapping.
On a phishing clone, the contract you are approving is the attacker's. The amount is usually unlimited. The token list is usually every token of value in your wallet.
The signature looks almost identical in the wallet popup. The fine print is in hexadecimal. Almost nobody reads hexadecimal. I do, and I have still missed it.
Once you sign, the attacker's contract has permission. It does not need to ask again. It pulls everything. Sometimes in one transaction. Sometimes in a sequence over the next few minutes. The wallet shows zeros before most people have refreshed the page.
This is the part Marcus did not know. He had been told for years that hardware wallets are safe because the keys never leave the device. That is true. The keys did not leave. He just used them to sign his own permission slip.
III.
The bait is older than crypto. A paid ad on a search engine, sitting one pixel above the real result, dressed in the same colors as the thing it is impersonating.
The security nonprofit SEAL reported in March 2026 that a single wave of malicious Google ads targeting crypto users had drained $1.27 million between March 13 and March 30. Over the previous year, SEAL said it had blocked more than 356 malicious ad links. On May 22, three days before b-block's post, the security firm GoPlus issued a public warning that fake Uniswap sites were again appearing in Google search ads.
Three days.
The warning was already public. The ad was still running.
Stacy Muur, who runs a Web3 marketing agency, has been one of the louder voices asking why this keeps happening. Her question is simple. How does a paid ad impersonating one of the largest names in DeFi clear Google's automated checks for "weeks" or "years," to use her word? BeInCrypto reported approaching Google for comment. Google's response was not in the piece.
Hayden Adams, the founder of Uniswap, said publicly in February 2026 that his company has been fighting scam ads "for years" and that fraudulent apps and fake ads persist despite reporting. That was three months before Marcus typed "uniswap" into a search bar.
The Uniswap team did not build the trap. They are not where it lives. The trap lives in the ad slot above their official link, in a system Google operates and Google profits from.
IV.
It would be easy to write this as Marcus being careless. He was not careless. He did the things careful people do. He used a hardware wallet. He typed the URL into the search bar instead of clicking a link from a stranger. He had done this dozens of times before without incident.
The mechanism does not punish carelessness. It punishes habit.
When you have used a search engine to find a site forty times, you stop reading the URL. You click the top result because the top result has always been the right result. The attackers know this. They are not exploiting a vulnerability in the wallet or in the protocol. They are exploiting a vulnerability in how human attention works after the hundredth repetition of a task.
The FBI's 2025 Internet Crime Report, released earlier this year, recorded 181,565 cryptocurrency-related complaints totaling $11.36 billion in losses. Phishing and spoofing alone, narrowed to crypto, accounted for 7,164 complaints and over $111 million reported. Chainalysis put 2025's total stolen crypto over $17 billion and noted impersonation scams growing 1,400% year over year.
Fourteen hundred percent.
These are not edge cases anymore. This is the dominant attack surface in retail crypto. Not exotic exploits. Not flash loans. Not bridge hacks. A sponsored ad and a wallet signature.
V.
Marcus sat at his desk for a long time after he refreshed the page.
He opened the block explorer. He typed in his address. He watched the outgoing transactions, all signed by him, all valid, all timestamped within ninety seconds of his connection. He found the contract that had pulled the funds. He found, eventually, the two wallets b-block would post the next day.
He thought, at first, that he had made a mistake. That he had typed the URL wrong. He went back to Google and searched again. The sponsored ad was still there. He clicked it, carefully this time, and read the URL bar. It was one character off from the real one. A letter that looked like another letter. The kind of thing your eye corrects without telling you.
The site was still live. It was still taking signatures.
He took a screenshot. He sent it to a friend who works in security. The friend told him there was nothing to do. The funds were already moving through a mixer. The wallets would be drained and refilled and drained again. The ad would run until Google pulled it or until the attackers killed it themselves and moved to a new domain.
Marcus did not call the police. There is nobody to call.
VI.
Here is the part that may be the saddest.
The defenses people are told to use against this are mostly theater. "Verify the URL." Marcus verified the URL. He just verified it the way a tired person verifies anything they have done a hundred times before. "Use a hardware wallet." He used a hardware wallet. The hardware wallet signed exactly what he told it to sign. "Don't click suspicious links." He didn't click a suspicious link. He clicked a Google ad.
The real defenses are smaller and uglier and most people will not do them.
Bookmark the real site. Use the bookmark every time. Do not search.
Read the signature prompt. Every time. Even when you are tired. Even when you have done it a hundred times. If the contract address is not the one you expect, stop.
Revoke token approvals on a schedule. Tools like revoke.cash will show you every contract that currently has permission to move your funds. Most people have approvals sitting in their wallets from years ago, for protocols they have forgotten about, for sums they assumed were one-time and were actually unlimited.
These are not exciting defenses. They are the ugly questions. Did you check the address character by character. Did you read the hex. Did you revoke the old approvals. The exciting question is which token to buy. The ugly question is whether the room you are standing in is the room you think.
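What "read the hex" comes down to for the approval described in section II, as an added example that is not part of the original article: it decodes the calldata of an on-chain `approve` or `setApprovalForAll` call and flags an unexpected spender or an unlimited amount. The spender addresses, the sample calldata and the "unlimited" threshold are constructed assumptions, not values from the incident.

```python
from typing import Optional

APPROVE = "095ea7b3"               # selector of approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # selector of setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1
UNLIMITED = 2**255                 # heuristic: at or above this counts as unlimited

# Constructed placeholders, not real contracts. Use addresses you verified yourself.
EXPECTED_SPENDERS = {"0x" + "11" * 20}
UNKNOWN_SPENDER = "0x" + "22" * 20


def encode_call(selector: str, spender: str, value: int) -> str:
    """Build sample calldata: 4-byte selector plus two 32-byte ABI words."""
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + format(value, "064x")


def decode_approval(calldata: str) -> Optional[dict]:
    """Return kind/spender/value for an approval call, or None for anything else."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) != 128:
        return None
    if set(args) - set("0123456789abcdef"):
        return None
    kind = "approve" if selector == APPROVE else "setApprovalForAll"
    # An address occupies the low 20 bytes (40 hex chars) of its 32-byte word.
    return {"kind": kind, "spender": "0x" + args[24:64], "value": int(args[64:], 16)}


def review(calldata: str, expected=EXPECTED_SPENDERS) -> list:
    """Return the warnings a signer should resolve before approving."""
    call = decode_approval(calldata)
    if call is None:
        return ["not a recognised approval call; do not sign blind"]
    warnings = []
    if call["spender"] not in {a.lower() for a in expected}:
        warnings.append("spender %s is not a contract you expected" % call["spender"])
    if call["kind"] == "approve" and call["value"] >= UNLIMITED:
        warnings.append("allowance is effectively unlimited")
    if call["kind"] == "setApprovalForAll" and call["value"] == 1:
        warnings.append("grants operator rights over every token in the collection")
    return warnings
```

An empty list from `review` means the spender matched your own allowlist and the amount was bounded; anything else is a reason to stop before signing.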
VII.
The two wallets b-block flagged will not be the only two. The site Marcus clicked is not the only site. The campaign that drained $1.27 million in March will not be the campaign that ends this. Take the domain down and another one will be registered by Tuesday, paid for in stablecoins, the ad bought from an account that was set up an hour before launch.
This is the machine. A sponsored link. A clone. A signature prompt. A drained wallet. Repeat.
The wallets identified this week hold 146 ETH today. They will hold something different tomorrow. The thing that does not change is the ad slot.
Marcus still trades. He bookmarked the real Uniswap site. He revoked his old approvals. He keeps a smaller balance in the hot wallet now and most of the value cold.
He told me he does not blame himself. He blames the architecture.
He is right about the architecture. He is wrong about the blame. The two are not actually separate. The architecture works because each individual person decides, in the moment, that they are the careful one. The machine does not need everyone to fall. It only needs enough.
The sponsored link was the trapdoor.
The floor was always the wallet.
Evidence Trail
- BeInCrypto | May 26, 2026 | "Fake Uniswap Site Drains $400,000 From Multiple Wallets, Investigator Warns"
- b-block (on-chain investigator) | May 25, 2026 | X (Twitter) post identifying attacker wallets 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb and 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2
- GoPlus Security | May 22, 2026 | Public warning on phishing websites in Google search ads for Uniswap
- Security Alliance (SEAL) | March 2026 | Report on Google ad phishing activity; $1.27M loss figure March 13-30, 2026
- FBI | 2025 Internet Crime Report | 181,565 crypto complaints; $11.36B in losses; 7,164 phishing/spoofing complaints
- Chainalysis | 2025 Crypto Crime Report | $17B+ stolen via crypto fraud; 1,400% YoY growth in impersonation scams
- Hayden Adams (Uniswap founder) | February 2026 | Public statements on persistent phishing scams
- Stacy Muur (Green Dots) | 2026 | Public criticism of Google's handling of sponsored search results
- CoW Swap incident | April 2026 | DNS frontend attack, approximately $1.2M in losses
Editorial Notice
MarkTell is a true crime publication about financial fraud. Some scenes, dialogue, and sequential details are reconstructed from court filings, enforcement actions, news reports, and public records. Where the public record does not provide exact details, editorial reconstruction is used to convey the documented pattern of events. Names of private individuals may be changed to protect identity. All factual claims are sourced to public documents cited in the Evidence Trail above. MarkTell does not provide investment, legal, or financial advice. Nothing published here constitutes a recommendation to buy, sell, or avoid any investment. Allegations described in active cases have not been adjudicated and defendants are presumed innocent until proven guilty. Readers should conduct their own due diligence before making financial decisions.