Two malicious Google Chrome browser extensions allegedly drained $800,000 from a cryptocurrency investor going by the moniker “Sell When Over” on X.
In a series of posts on X, the user speculated that the malicious extensions, dubbed “Sync test BETA (colorful)” and “Simple Game”, contained keyloggers targeting specific wallet extension apps. Keyloggers are malicious programs that record every keystroke on a victim's computer, giving the attacker access to whatever the victim types, including credentials and, in this case, wallet seed phrases.
According to the user, the issue surfaced after Google Chrome released an update last month. The user had been postponing the Chrome update but was forced to restart their computer when Windows installed a PC update.
Following the restart, a routine step when installing operating system updates, all of the user's Chrome extensions were logged out and all of their tabs were gone. This forced the user to re-enter their credentials in Chrome, along with the seed phrases for their cryptocurrency wallets.
The user speculates that this is when the keylogger captured their confidential information. The funds were reportedly drained three weeks later. The user did not notice any unusual browser activity following the restart.
“I checked my virus scanner and there were no issues. No additional weird extensions appeared. I proceeded to re-import my seed phrases,” the user wrote.
Only during a later investigation did the user discover the two malicious extensions on their system. Their browser also had Google Translate set to auto-translate pages into Korean.
As of the latest update, the attackers had reportedly moved the funds to two exchanges, Singapore-based MEXC and Cayman Islands-headquartered Gate.io.
While the user remained unsure how their Chrome browser was initially compromised, their analysis confirmed that the Sync test BETA (colorful) extension was a keylogger: it sent captured data to a PHP script on an external website. Opened manually, the attacker's website showed a blank page containing only the word “Hi”. The “Simple Game” extension, meanwhile, was “checking if tabs are updated/open/closed/refreshed,” the user added.
“This is a $800k costly mistake — lesson is if anything seems off such that it prompts you to input a seed, then wipe the whole PC first,” Sell When Over wrote.
At the time of publication, neither extension was listed on the Chrome Web Store.
Malicious Chrome extensions have plagued the cryptocurrency sector for years. In a 2023 report, security researchers revealed that attackers were using a Chrome-targeting malware dubbed Rilide to steal sensitive data and cryptocurrency from unsuspecting victims. The malware was used to deploy rogue browser extensions capable of draining crypto funds.
As Crypto.news previously reported, another piece of Windows malware, discovered in late 2022, used Google Chrome extensions to steal cryptocurrency and clipboard data. The extensions could edit a website's HTML to keep displaying the user's expected wallet balance while draining the wallet in the background.