Google has removed 49 malicious Chrome extensions from its Web Store that posed as cryptocurrency wallet apps but were actually stealing private keys to crypto-wallets as well as users’ cryptocurrency.
As reported by ZDNet, the malicious extensions were first discovered by MyCrypto’s director of security Harry Denley who shared his findings with the news outlet.
According to Denley, the 49 extensions all appear to have been created by either the same person or group of people who he believes is a Russian-based threat actor. Additionally all of the extensions have the same functionality but their branding changes based on who they are targeting.
Denley was able to identify malicious extensions impersonating many well known crypto-wallet apps including Ledger, Trexor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey.
Malicious crypto-wallet extensions
All of the 49 malicious extensions function almost identically to legitimate ones except for the fact that any data entered by a user while setting them up was sent to the attacker’s servers or to a Google Form.
While the attackers already have all of the information they need to start stealing users’ cryptocurrency, Denley conducted a test in which he found that the funds from his crypto-wallet were not immediately stolen. He believes this is because the threat actor is either interested in only stealing from high-value targets or they haven’t figured out how to automate the operation and need to manually access each account.
In a post on Medium, MyCrypto explained that there has been an increase in malicious extensions targeting cryptocurrency over the past few months, saying:
“An analysis from our dataset suggests the malicious extensions started to hit the store slowly in February 2020, increased releases through March 2020, and then rapidly released more extensions in April 2020. This means that either our detection is getting much better, or that the number of malicious extensions hitting browser stores to target cryptocurrency users is growing exponentially. An analysis from our dataset suggests Ledger is the most targeted brand — without speculating, it’s hard to say why.”
Since the threat actor behind these malicious extensions has yet to be caught, they may likely try to launch a similar scheme in the future.