April 17, 2020

Dozens Of Chrome Extensions Discovered Emptying Crypto Wallets


Google Chrome has earned high marks for security ever since it arrived on the scene more than a decade ago. Like any app, however, Chrome is only as secure as the person using it allows it to be.

Several cryptocurrency enthusiasts have learned that the hard way after their cryptocurrency wallets were drained dry. The keys to their coins were pilfered by malicious Chrome extensions.

The criminal hackers behind the browser add-ons managed to sneak them past the Chrome Web Store’s automated defenses. Not just one or two, mind you. In total this campaign involved 49 different extensions.

The first uploads appeared in February and the pace gradually increased over the next two months. They’ve all since been removed by Google, less than 24 hours after the disclosure of the campaign by a team of experts from MyCrypto and PhishFort.

These extensions were hiding in plain sight, impersonating trusted crypto players like Ledger, Trezor, and MyEtherWallet. That helped lend an air of legitimacy to the Web Store listings — which were further boosted by bogus reviews.

Once installed, the extensions lay in wait until a user attempted to access a crypto wallet. That’s generally a very secure process involving the entry of several secret words.

It’s those secrets that the extensions were after. The malicious extensions injected their own convincing login flows. Users unwittingly keyed in their secrets, which were then funneled to a bevy of command and control (or C2) servers.

As part of their efforts to investigate this campaign, MyCrypto intentionally sent funds to a handful of wallets and entered secrets into the malicious forms. These test wallets have yet to be emptied, and MyCrypto believes there are two likely reasons why.

The first is that the attackers may only be interested in emptying high-value wallets. Going after smaller targets increases exposure without netting a big pay day.

The other is that it’s only a matter of time. The criminals who built these extensions may be waiting for the dust to settle before draining MyCrypto’s wallets manually.

Incidents like this one don’t have to shake your trust in Chrome, Google, or cryptocurrency. Protecting yourself doesn’t have to be difficult.

Limit the number of Chrome extensions you install and carefully vet those you do. Read reviews and look for copy and paste text and single-word testimonials like ‘good’ and ‘legit.’

It’s a good approach for any Chrome extensions you’re thinking of installing… but absolutely critical for something as important as dealing with cryptocurrency.

By Lee Mathews
