Google Removes 49 Chrome Extensions Hijacking Crypto Wallets

Google has removed 49 Chrome extensions masquerading as legitimate crypto wallets. They included malicious code aimed at stealing private keys, mnemonic phrases and other data from users.

April 16, 2020 | AtoZ Markets – With an increasing number of cybercriminals targeting the crypto world, Google announced on April 15 that it has removed 49 new Chrome browser extensions. Google deleted the extensions from Chrome’s store within 24 hours with the help of phishing-specialized cybersecurity firm PhishFort.

Google removes 49 extensions created in Russia

Harry Denley, director of security at wallet provider MyCrypto, identified the fake wallet extensions. According to him, all these extensions have been created in Russia. In several of these cases, the Chrome extensions had fake 5-star reviews trying to trick innocent users into downloading them. The post published by the experts reads:

“We have found a range of extensions targeting brands and cryptocurrency users. Whilst all the extensions function the same, the branding is different depending on the user they are targeting. The brands we’ve found targeted with malicious extensions are:

  • Ledger <>
  • Electrum <>
  • MyEtherWallet <>
  • MetaMask <>
  • Trezor <>
  • Jaxx <>
  • Exodus <>
  • KeepKey <>”

Related: Google Bans Metamask Ethereum Wallet App from Stores

How they operate

These chrome extensions are used to steal private keys, mnemonic phrases, and Keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.

Researchers have discovered up to 14 command-and-control (C2) servers that still communicate with the compromised systems. The researchers found that the browsing activity to C2 servers are under the control of attackers.

“Whilst some of the domains are relatively old, 80% of the C2s were registered in March and April 2020 (an even split). The oldest domain ( has the most “connections” to other C2s in terms of fingerprints, so we have some indication of the same backend kit (or same actors behind this) for the majority of the extensions.”

According to the report by the experts;

  • The admin email follows this mask: “b — 0@r —” — potentially indicating Russia-based actors
  • The C2 host files other than those to collect the phished secrets
  • The server used for this C2 is trxsqdmn
  • The first log was 29-Mar-2020 10:43:14 America/New_York

Criminals did not empty each wallet that they had accessed

MyCrypto’s analysis showed that they began to appear on the Web Store in early February 2020, before ramping up in subsequent months.

Research also revealed that the criminals did not empty each wallet that they had accessed. They seemingly targeted just the high-value accounts to optimize their efforts and later stole as much funds as possible.

The presence of data-stealing Chrome extensions in the official Web Store is not a new occurrence. In January 2020, the director of security at MyCrypto, Harry Denley, noticed that the Google Chrome extension by the name Shitcoin Wallet was stealing a lot of sensitive information including passwords and wallet private keys.

Google also removed 500 malicious Chrome extensions in February from its Web Store after discovering that these extensions injected malicious ads and stole sensitive data.

What are your thoughts on Harry Denley’s new report? Do you think that people should be more careful when they try to install new Chrome extensions? Let us know in the comments below!

Share Your Opinion, Write a Comment