Select Page

Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies.

The 49 browser add-ons, potentially the work of Russian threat actors, were identified (find the list here) by researchers from MyCrypto and PhishFort.

“Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files,” explained Harry Denley, director of security at MyCrypto. “Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.”

Although the offending extensions were removed within 24 hours after they were reported to Google, MyCrypto’s analysis showed that they began to appear on the Web Store as early as February 2020, before ramping up in subsequent months.

In addition, all the extensions functioned alike, the only difference being the cryptocurrency wallet brands that were impacted — such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey — via 14 unique command-and-control (C2) servers that received the phished data.

images from Hacker News