An NFT influencer said on Twitter that he unintentionally downloaded malware found through a Google Ad search result, losing "a life-changing amount" of his net worth in nonfungible tokens (NFTs) and cryptocurrency.
On Jan. 14, the Twitter user going by the name "NFT God" posted a string of tweets detailing how his "entire digital livelihood" had been compromised, including his crypto and numerous internet accounts.
NFT God, also known as "Alex," said he used Google's search engine to download OBS, an open-source video streaming program. However, instead of clicking the official website, he clicked the sponsored advertisement for what he believed to be the same thing.
It wasn't until hours later, after attackers posted a series of phishing tweets from two Twitter accounts Alex manages, that he realized malware had been downloaded alongside the software he sought from the sponsored advertisement.
Alex discovered his crypto wallet had been compromised after receiving a message from an acquaintance. Attackers broke into his Substack account the next day and sent phishing emails to his 16,000 subscribers.
According to blockchain data, Alex's wallet included at least 19 Ether (ETH) worth almost $27,000 at the time, a Mutant Ape Yacht Club (MAYC) NFT with a current floor price of 16 ETH ($25,000), and many additional NFTs.
The attacker moved the majority of the ETH through several wallets before sending it to the decentralized exchange (DEX) FixedFloat, where it was exchanged for unknown cryptocurrencies.
Alex thinks that setting up his hardware wallet as a hot wallet by inserting its seed phrase "in a way that no longer kept it cold," or offline, facilitated the wallet attack and gave the hackers access to his crypto and NFTs.
Unfortunately, NFT God's experience is not the first time the crypto community has had to deal with cryptocurrency-stealing malware in Google Ads.
Binance CEO Changpeng "CZ" Zhao warned in October that Google search results were promoting cryptocurrency phishing and scamming websites.
According to a report from cybersecurity company Cyble, "Rhadamanthys Stealer" is information-stealing malware that spreads via Google Ads on "highly convincing phishing webpage[s]."
Google says in its help center that it "actively works with trusted advertisers and partners to help prevent malware in ads," and that it uses "proprietary technology and malware detection tools" to scan Google Ads on a regular basis.
We were unable to duplicate Alex's search results or confirm whether the malicious website was still active at the time of writing.