In brief

  • Check Point Research has discovered a crypto phishing scam that has stolen at least half a million dollars.
  • Metamask and Pancake websites have both been mimicked in the scam.

Check Point Research (CPR) has discovered a “massive search engine phishing campaign” that has resulted in at least half a million dollars worth of crypto stolen from users. 

“Over the past weekend, Check Point Research encountered hundreds of incidents in which crypto investors lost their money while trying to download and install well-known crypto wallets or change their currencies on crypto swap platforms like PancakeSwap or Uniswap,” CPR said.

“I just installed the phantom wallet and somehow I ended up downloading the scam,” one Reddit user said, adding, “I am somewhat new to wallets.” 

The scam, CPR found, has also been hitting MetaMask and Phantom users, two popular crypto wallets, with scammers mimicking legitimate websites almost perfectly. 


“Over the past weekend, researchers from CPR spotted multiple phishing websites that looked like the original website, because the scammers copied its design,” CPR added. 

Phantom and MetaMask

For the Phantom domain, users were encountering phishing domains like “” or “,” as opposed to the legitimate “”

The same was true of the scammers’ MetaMask tactics, which saw domains like “MètaMask” appear via Google ad campaigns. In the case of MetaMask, the scammers were also trying to steal user private keys to access their wallets.  

“What makes this phishing campaign unique is the fact that the scammers are not sending phishing links via email like traditional phishing scams,” CPR said. “Instead, they are using Google ad campaigns to make their phishing websites appear before the original site when anyone searches the keyword,” the group added. 


But what can users do to protect themselves? CPR has provided cautionary steps for crypto users.

These include looking at the first website in your search and ensuring that it is not an ad. Users, CPR suggests, should also never give out their passphrase. 

Last but not least, CPR says, “always double-check the URLs.”

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.