Trader loses $800,000 in cryptocurrency due to malicious Google Chrome extension

Keyloggers are malicious applications used by cyber criminals to record every keystroke of a target’s computer. According to the user, the issue initially surfaced after Google Chrome released an update last month. The user, who had been delaying the Chrome update, was forced to restart their computer after Windows released a PC update.

Interestingly, following the restart, which is a common step when installing operating system updates, all of the user’s extensions on Chrome were logged out, and all their tabs were gone. This forced the user to re-enter all their credentials on Chrome, along with their seed phrases for their cryptocurrency wallets. The user speculates that this is when their confidential information was compromised via the keylogger.

The funds were reportedly drained three weeks after this event. Further, the user did not notice any unusual activity in their browser following the restart. “I checked my virus scanner and there were no issues.

No additional weird extensions appeared. I proceeded to re-import my seed phrases,” the user wrote. It was only during a later investigation that the user discovered the two malicious extensions on their system.

Further, their browser also had Google Translate set up to auto-translate to Korean. While the user remained unsure how exactly their Chrome browser was compromised, their analysis confirmed that the Sync test BETA (colorful) extension was a keylogger. The extension was reportedly sending data to an external website’s PHP script.

The attacker’s website, when opened manually, shows a blank page with only “Hi” written on it. Meanwhile, the “Simple game” extension was “checking if tabs are updated/open/closed/refreshed,” the user added. “This is a $800k costly mistake — lesson is if anything seems off such that it prompts you to input a seed, then wipe the whole PC first,” Sell When Over wrote.

Malicious extensions on Google Chrome have been plaguing the cryptocurrency sector for years. The malware was used to deploy rouge browser extensions capable of draining crypto funds. It used Google Chrome extensions to steal cryptocurrencies and clipboard data.

The extensions could edit HTML on websites to display the actual user funds in a wallet while draining the wallet in the background.

Leave a Reply

Your email address will not be published. Required fields are marked *