Google has removed 49 Chrome extensions from the Web Store that posed as legitimate wallet apps for cryptocurrency. The extensions contained malicious code that stole private keys from crypto wallets and other secrets from unsuspecting users.
The Chrome extensions mimic wallet apps such as Ledger, MyEtherWallet, Trezor and others. The 49 extensions were discovered by Harry Denley, Director of Security at MyCrypto, and disclosed through ZDNet. Denley says the extensions appear to have been built by the same person or group, presumably a Russia-based actor. “Although the extensions all work the same, the branding differs depending on the users they target,” says Denley.
The fake extensions all behave much like the real versions. However, any data a victim enters during configuration, such as seed phrases and private keys, is sent to one of the attacker’s servers or to a Google Form. The stolen credentials are not used immediately, though. In a controlled experiment, Denley entered the login details of a test account into one of the fake extensions, but the funds were not taken right away. Denley believes that the person or group responsible is either only interested in draining high-value accounts, or has not yet automated the thefts.
Denley was able to link a number of public incidents to some of the 49 extensions he discovered. Unfortunately, victims cannot recover the stolen money, because transactions in most cryptocurrencies are irreversible.
More malicious extensions are expected to appear in the Web Store in the coming months. Denley also encourages users to report to CryptoScamDB if they suspect that a Chrome extension is stealing money. These reports help researchers detect malicious extensions and get them removed from the Chrome Web Store.