
Google removes 49 Chrome extensions hijacking crypto wallets.

Google has removed 49 Chrome browser extensions from its Web Store that posed as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the victims' crypto wallets.

Researchers from MyCrypto and PhishFort first identified the list of 49 Google Chrome extensions that hijacked crypto wallets. According to the research, it was potentially the work of Russian threat actors. Harry Denley, director of security at MyCrypto, explained that the extensions were phishing for secrets: mnemonic phrases, private keys, and Keystore files. Once a user enters them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts, he added.

Google removes 49 extensions within 24 hours of reporting.

The offending extensions were removed within 24 hours after they were reported to Google. MyCrypto’s analysis showed that they began to appear on the Web Store in early February 2020, before ramping up in subsequent months. In addition, all the extensions worked alike, the only difference being the crypto wallet brands that were affected. Crypto wallets such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey were targeted via 14 unique command-and-control (C2) servers that received the phished data.

Funds were stolen from every account in different ways.

Funds were stolen from different crypto wallet brands in different ways. MEW CX, the malicious add-on targeting MyEtherWallet, was found capturing seed phrases and transferring them to an attacker-controlled server in order to drain the victim's wallet of digital funds. The researchers speculate that this could be either because the criminals are only after high-value accounts or because they have to sweep the accounts manually. The researchers further revealed that some of the extensions came with fake five-star reviews, increasing the chances that an unsuspecting user would install the extension.

In February, the company removed 500 malicious extensions after they were caught serving adware and sending users' browsing activity to C2 servers under the control of attackers. Harry Denley, director of security at MyCrypto, said that there was also a network of vigilant users who penned legitimate reviews warning that the extensions were malicious. However, it is hard to tell whether they were victims of the phishing scams themselves or were just helping the community not to download them, he added.
