In a recent series of posts on X, a user shared their ordeal after falling victim to malicious Chrome extensions, suspected to contain keyloggers targeting specific wallet extension apps.
The user speculated that the extensions named “Sync test BETA (colorful)” and “Simple Game” may have contained keyloggers, malicious programs that record every keystroke on a target’s computer and so give cybercriminals access to confidential information.
The incident began after Google Chrome released an update and the user restarted their computer following a Windows update. After the restart, all Chrome extensions were logged out, and the user had to re-enter credentials, including seed phrases for cryptocurrency wallets. Three weeks later, the user discovered their funds had been drained.
Despite no noticeable unusual activity in their browser post-restart, a later investigation revealed the presence of the two malicious extensions on their system. The user’s browser was also set up for auto-translation to Korean via Google Translate.
The attackers reportedly sent the funds to two exchanges: the Singapore-based MEXC exchange and the Cayman Islands-headquartered Gate.io. Further analysis confirmed that the “Sync test BETA (colorful)” extension was indeed a keylogger, sending data to an external website’s PHP script.
“This is an $800k costly mistake — lesson is if anything seems off such that it prompts you to input a seed, then wipe the whole PC first,” the user advised.
At the time of publication, neither of the extensions was available on the Chrome Web Store.
Malicious Chrome extensions have long been a concern in the cryptocurrency sector. In a 2023 report, cybersecurity researchers described Chrome malware dubbed Rilide, which was used to steal sensitive data and cryptocurrency. Similarly, in late 2022, a separate piece of Windows malware was discovered that used Google Chrome extensions to steal cryptocurrency and clipboard data. These extensions could manipulate the HTML of websites, displaying the user's actual funds while draining the wallet in the background.

