Search engine giant Google has removed several malicious extensions from its popular web browser, Google Chrome. These programs were mimicking a number of cryptocurrency wallet apps, such as Ledger, MyEtherWallet, Trezor and Electrum, in order to steal users’ private keys and other sensitive information.
Google has removed a total of 49 Chrome extensions from the Web Store following a report that exposed these programs as containing malicious code. These extensions were posing as legit crypto wallet apps, but in reality, were secretly stealing users’ private keys, mnemonic phrases and other sensitive information.
The crypto phishing extensions were discovered by the Director of Security at MyCrypto, Harry Denley, who shared his findings in an April 15 post on Medium. In the report, he explained how he was able to identify the extensions with the help of PhishFort, a phishing-specialized cybersecurity firm. After he notified Google, the search engine giant promptly took the apps down from the Chrome Web Store within 24 hours.
The Malicious Extensions Mimicked Well-Known Wallet Apps
Denley explained that the extensions operated by mimicking popular wallet apps and tricking users into installing them. Ledger, Electrum, Trezor, Jaxx, KeepKey, MyEtherWallet, Exodus, and MetaMask are among the crypto wallets that were mimicked by the extensions.
Some of the extensions even featured five-star ratings in the Chrome Web Store, though a closer look revealed that the reviews posted were from fake users. One of the apps even had a single review copied and pasted multiple times by different users; it included an introduction to Bitcoin along with an explanation as to why that particular extension was the ideal wallet option for the cryptocurrency. However, the targeted wallet, MyEtherWallet, does not currently support BTC.
How did the Crypto Wallet Information Phishing Work?
Denley’s report explained that they were able to find a number of Google ad campaigns and other forms of marketing that were designed to target well-known brands.
“Whilst the extensions all function the same, the branding is different depending on the user they are targeting,” he stated.
Essentially, they pose as legitimate crypto wallet apps but contain malicious code that steals users’ private keys, mnemonic phrases, Keystore files, and other important information.
Any secret info typed in while using the extension is instead sent to the scammer’s remote server, without the user suspecting any foul play. After typing the info, the program would remain in the default view, resulting in the user re-typing the info or uninstalling the app in frustration. Unbeknownst to them, the hackers have already gained access to their original wallet apps.
The Extensions May Have Come from Russia
One interesting detail is that the funds were not stolen right away, as it would seem that the hackers were mainly interested in high-value accounts. Denley also stated that all 49 extensions likely originated from a single source, most likely Russia, since “the admin email follows this mask: “b — 0@r — r.ru” — potentially indicating Russia-based actors.”
In any case, it has become even more important for users to be diligent about crypto wallet security and to adhere to best practices in order to properly safeguard their crypto assets.