Crypto users are now facing more advanced phishing scams, with attackers leveraging Google’s infrastructure to craft highly convincing attacks.
Nick Johnson, lead developer at Ethereum Naming Service (ENS), raised alarms on April 16 regarding a fresh tactic used by cybercriminals to breach Gmail accounts, possibly targeting associated crypto wallets.
As Johnson explained, the attackers leverage a loophole in Google’s system to distribute phishing emails that appear to be legitimate security alerts from the tech giant.
Signed with valid DomainKeys Identified Mail (DKIM) signatures, the emails evade spam filters and appear legitimate to recipients.
Once users open the emails, they are directed to a deceptive support portal hosted on a Google subdomain.
On the fake page, attackers instruct victims to log in and upload their personal documents.
The document request is only a pretext, however; Johnson pointed out that the attackers’ real goal appears to be credential theft, which would compromise Gmail accounts and any services linked to them.
Attackers develop phishing pages via Google Sites, a platform that enables embedding content and scripting capabilities.
Though designed to assist real users, threat actors misuse the platform’s flexibility to set up realistic phishing sites.
A major concern is the lack of an abuse-reporting feature within the Google Sites interface, which makes it harder to get harmful content taken down. Johnson said:
“Google long ago realised that hosting public, user-specified content on google.com is a bad idea, but Google Sites has stuck around. IMO they need to disable scripts and arbitrary embeds in Sites; this is too powerful a phishing vector.”
To add to the illusion of legitimacy, the attackers create a Google OAuth application and use it to generate and send the phishing message, so the email itself comes from Google’s infrastructure.
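The point of the technique described above is that a valid DKIM signature from a google.com sender tells a mail gateway nothing about the destination of the links inside the message. The following is an added example, not code from the article or from Johnson; it shows a defender-side triage check that parses a raw email, records whether DKIM passed, and flags links that lead to a Google host serving user-published content while the message presents itself as a Google security alert. The sample message and the assumption that Google Sites pages are served from sites.google.com are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Google-owned hosts that serve content published by arbitrary users.
# A "security alert" from Google that links here deserves a second look.
# Assumption for this example: Google Sites pages are published under sites.google.com.
USER_CONTENT_HOSTS = ("sites.google.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg):
    """Domain of the first address in the From header, lower-cased."""
    header = msg["From"]
    if not header or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.rsplit("@", 1)[-1].lower()


def dkim_passed(msg):
    """True if the receiving gateway recorded dkim=pass in Authentication-Results."""
    return any("dkim=pass" in str(v).lower()
               for v in msg.get_all("Authentication-Results", []))


def extract_urls(msg):
    """Pull http(s) URLs out of the preferred body part (HTML first, then plain)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return URL_RE.findall(body.get_content()) if body else []


def analyze(raw):
    """Return the facts a triage analyst would want: sender domain, DKIM result, risky links."""
    msg = message_from_string(raw, policy=default)
    suspicious = []
    for url in extract_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in USER_CONTENT_HOSTS):
            suspicious.append(url)
    return {
        "sender_domain": sender_domain(msg),
        "dkim_pass": dkim_passed(msg),
        "suspicious_links": suspicious,
    }


def is_suspicious(raw):
    """Flag a message that claims a google.com origin yet links to user-published content.
    DKIM passing is deliberately NOT treated as exculpatory."""
    result = analyze(raw)
    claims_google = result["sender_domain"].endswith("google.com")
    return claims_google and bool(result["suspicious_links"])


# Constructed sample resembling the campaign described: DKIM passes, sender is a
# google.com subdomain, link points at user-published content.
SAMPLE_PHISH = """\
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.d=accounts.google.com
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=constructed; bh=PLACEHOLDER; b=PLACEHOLDER
Content-Type: text/plain; charset=utf-8

A legal request was received for your account.
Review the case details: https://sites.google.com/view/constructed-example-case
"""

# Constructed benign counterpart: same sender, link stays on a first-party host.
SAMPLE_BENIGN = """\
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.d=accounts.google.com
Content-Type: text/plain; charset=utf-8

Review recent activity: https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(raw), "suspicious" if is_suspicious(raw) else "ok")
```

The check is intentionally narrow: it does not try to judge the message text, only whether a first-party-looking sender is steering the reader to a host where anyone can publish pages. In a gateway or SOC pipeline this would be one signal among several, but it captures the exact gap the article describes, where signature validity and link destination are judged separately.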
These phishing emails are typically well-formatted and feature what appears to be Google Legal Support’s contact info.
Johnson said he reported the issue to Google through a formal bug report.
Google, however, reportedly replied that the features operate as designed and do not constitute a security vulnerability. Johnson wrote:
“I’ve submitted a bug report to Google about this; unfortunately they closed it as ‘Working as Intended’ and explained that they don’t consider it a security bug.”
Despite their response, Johnson urged the company to rethink the availability of script and embedding tools to prevent future abuse.
Phishing tactics in the crypto world are clearly becoming more refined, as this incident demonstrates.
In March 2025, Scam Sniffer reported that phishing scams caused $6.37 million in losses for nearly 6,000 users. For the first quarter, phishing scams affected 22,654 victims, resulting in a total loss of $21.94 million.