49 fake Chrome extensions banned over stealing digital currency wallet info

Getting your Trinity Audio player ready...

Google has banned 49 extensions for Chrome, after they were found to be harvesting digital currency wallet information from unsuspecting users.

The malicious third-party extensions were removed from the Web Store following the discovery, including extensions impersonating existing digital currency brands, such as Ledger, Trezor and Electrum.

Other extensions found to be stealing digital currency data included Jaxx, MyEtherWallet, MetaMask, Exodus, and KeepKey.

In a post on Medium, Harry Denley, director of security at MyCrypto said the extensions were a way for hackers to gain access to digital currency wallets: “Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.”

“We’ve identified 14 unique C2s (also known as a command & control server that continues to communicate with your compromised system) but by using fingerprinting analysis, we can link specific C2s to each other to conclude which of the phishing kits have the same bad actor(s) behind them.”

The extensions have been linked to a single individual or group based in Russia. However, while the extensions were gathering and communicating wallet data, Henley said this was yet to be exploited by the attackers.

“We’ve sent funds to a few addresses and submitted the secrets to the malicious extensions. However, they were not automatically swept,” Denley said.

The fact accounts remain unswept suggests the hacker may be in the process of developing automated processes for stealing digital currency from compromised wallets. At the moment, all those to have used the extensions remain open to theft from their digital currency wallets.

The ban represents only the latest batch of scam browser extensions targeting digital currency wallets. In March, a Chrome extension impersonating Ledger was involved in stealing digital currency worth over $2.5 million.

The individual or group behind the latest banned extensions remains unconfirmed. With the perpetrator still undetected, it is expected that more malicious extensions and thefts could soon follow.