Prominent Bitcoin developer Jameson Lopp is warning digital asset holders to treat every unsolicited communication as hostile. The alert follows the discovery of a sophisticated phishing scheme that exploits Google's backup contact request forms, weaponizing the tech giant's trusted infrastructure against unsuspecting users.

The attack manipulates the name field in Google's contact forms to display what appear to be legitimate security alerts. Those alerts contain phishing links designed to harvest credentials. Crucially, the phishing emails don't just seem to come from Google; they are actually routed through Google's systems, making them nearly impossible to distinguish from authentic messages.

Lopp's advice is blunt: adopt a zero-trust approach. Independently verify any communication before clicking links or providing information, even when the message appears to come from a trusted source. This is not an isolated incident. In April 2025, Ethereum Name Service lead developer Nick Johnson flagged similar tactics where attackers were abusing Google's platforms for crypto phishing.

The threat is amplified by AI. In February 2026, Google's Threat Intelligence Group discovered AI-developed zero-day exploits capable of bypassing two-factor authentication. Globally, approximately $17 billion worth of Bitcoin was stolen in 2025, with AI-enhanced scams contributing significantly. The average scam payout jumped 253% from 2024 to 2025.

Zero trust means never assuming a message is safe based on its apparent origin. If you receive an email from Google about suspicious account activity, do not click the link. Instead, open a new browser tab, navigate directly to Google, and check your account settings manually. The sharp increase in average scam payouts indicates attackers are increasingly targeting higher-value wallets.
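The same rule can be applied mechanically in a mail triage step. The following is an added example, not code from Lopp or Google: it shows a message that passes sender authentication for a Google domain still being flagged because a link in its body resolves outside Google. The sample message, the `header.d` result line, and the one-entry trusted-domain list are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: the only domain this recipient treats as Google-owned.
TRUSTED_SUFFIXES = ("google.com",)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample message, not a captured phishing email.
SAMPLE = """\
From: Google <no-reply@accounts.google.com>
To: user@example.org
Subject: Backup contact request
Authentication-Results: mx.example.org; dkim=pass header.d=accounts.google.com; spf=pass
Content-Type: text/plain; charset=utf-8

Security alert, verify at https://accounts.google.com.login-check.example/verify wants to be your backup contact.
Manage requests: https://myaccount.google.com/security
"""

def is_trusted_host(host):
    # Match on a label boundary so "google.com.evil.example" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def dkim_pass_domain(msg):
    # Signing domain recorded by the receiving server, or None.
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value, re.I)
        if m:
            return m.group(1).lower()
    return None

def triage(raw):
    msg = message_from_string(raw)
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text += data.decode(part.get_content_charset() or "utf-8", "replace")
    links = [u.rstrip(".,;") for u in URL_RE.findall(text)]
    off_domain = [u for u in links if not is_trusted_host(urlsplit(u).hostname)]
    signer = dkim_pass_domain(msg)
    if off_domain:
        verdict = "suspicious-despite-valid-origin" if is_trusted_host(signer) else "suspicious"
    else:
        verdict = "no-off-domain-links"
    return {"signed_by": signer, "off_domain_links": off_domain, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `no-off-domain-links` result only means this one check found nothing; it is not a statement that the message is safe.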