
Mystery Hacker Tries to Steal Crypto Through Fake Google Chrome Wallet Extensions

Google has removed 49 Chrome extensions masquerading as legitimate crypto wallets including Ledger, MyEtherWallet, MetaMask and Jaxx, according to MyCrypto's Harry Denley.

Apr 16, 2020, 8:00 AM
Updated Aug 18, 2021, 11:39 AM

A hacker is exploiting trust in well-known brands by creating fake cryptocurrency wallet extensions for Google Chrome that trick victims into disclosing sensitive information.

Harry Denley, director of security at wallet provider MyCrypto, who identified the fake wallet extensions, said in a report Tuesday that Google has so far removed 49 extensions purporting to be well-known crypto wallets from its Chrome Web Store.

The fake extensions are basic phishing ploys. Posing as legitimate wallets, they leak personal information entered by users, such as private keys and passwords, to the hacker, who can then drain balances in a matter of seconds.

The fakes detected have so far claimed to be wallets including Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey. Test amounts of crypto sent by Denley have not been picked up, suggesting that either the hacker has to manually empty wallets or they are only interested in comparatively large balances.

On the Chrome Web Store most of these apps had consistently good reviews written typically in simplistic or broken English. On the basis that the admin email appears to be a Russian one, it's possible the hacker could also be based there, Denley noted.

More than half of all malicious extensions reported have claimed to be hardware wallet maker Ledger – nearly double the next largest, MyEtherWallet, which was 22 percent of fake extensions. There's no obvious reason why the hacker decided to focus so much on Ledger, Denley said in his report.

When asked if there's a way to prevent hackers from creating new fake extensions, Denley told CoinDesk: "Not really, though Google could use the data from the 49 extensions we've flagged to build some detection – though it could be easily bypassed."

"Most of the malicious extensions had the same structure and same files which could be analysed," he said. "The only way I can think of limiting the victim pool is by education and normalising the behaviour of not entering raw secrets into [user interfaces]."
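Two points above lend themselves to a concrete defensive check: the fakes work by accepting raw secrets under a trusted wallet's name, and, per Denley, most of them shared the same structure and files. The script below is an added illustration, not code from the article, MyCrypto or Google. It models unpacked extensions as in-memory file maps (constructed samples, not real Web Store listings), flags any extension whose manifest names one of the impersonated brands without being on a hypothetical allowlist of verified extension IDs (the IDs used are placeholders), and clusters extensions that share an identical set of non-manifest files, which is the kind of kit-level fingerprint a store operator or enterprise could build from the flagged set.

```python
import hashlib
import json
from collections import defaultdict

# Brands the reported fakes impersonated (named in the article).
IMPERSONATED_BRANDS = ("ledger", "trezor", "jaxx", "electrum", "myetherwallet",
                       "metamask", "exodus", "keepkey")

# Hypothetical allowlist of extension IDs an organisation has verified as genuine.
# Placeholder value, not a real Chrome Web Store ID.
KNOWN_GOOD_IDS = {"placeholder-genuine-metamask-id"}

# Constructed stand-ins for extension files; two fakes share the same kit files
# and differ only in manifest.json.
KIT_POPUP_JS = b"// constructed stand-in for the shared phishing-kit popup script\n"
KIT_BACKGROUND_JS = b"// constructed stand-in for the shared phishing-kit background script\n"
KIT_POPUP_HTML = b"<form><input name='seed'></form>"
GENUINE_POPUP_JS = b"// constructed stand-in for a genuine wallet's popup script\n"


def manifest(name, description):
    """Build a minimal manifest.json as bytes (constructed sample data)."""
    return json.dumps({"manifest_version": 2, "name": name, "description": description}).encode()


# {extension_id: {relative_path: content_bytes}} -- constructed sample corpus.
SAMPLE_EXTENSIONS = {
    "fake-ledger": {
        "manifest.json": manifest("Ledger Wallet", "Ledger Live for Chrome"),
        "popup.html": KIT_POPUP_HTML, "popup.js": KIT_POPUP_JS, "background.js": KIT_BACKGROUND_JS,
    },
    "fake-metamask": {
        "manifest.json": manifest("MetaMask Wallet", "Ethereum wallet"),
        "popup.html": KIT_POPUP_HTML, "popup.js": KIT_POPUP_JS, "background.js": KIT_BACKGROUND_JS,
    },
    "placeholder-genuine-metamask-id": {
        "manifest.json": manifest("MetaMask", "An Ethereum Wallet in your Browser"),
        "popup.js": GENUINE_POPUP_JS,
    },
    "weather-widget": {
        "manifest.json": manifest("Weather Widget", "Local forecast"),
        "popup.js": b"// unrelated extension\n",
    },
}


def file_hashes(files):
    """Map each relative path in an unpacked extension to the SHA-256 of its content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def kit_fingerprint(files):
    """Hash of the sorted (path, content-hash) pairs, ignoring manifest.json.
    Extensions built from the same kit and merely renamed share a fingerprint."""
    h = hashlib.sha256()
    for path, digest in sorted(file_hashes(files).items()):
        if path != "manifest.json":
            h.update(f"{path}:{digest}\n".encode())
    return h.hexdigest()


def shared_file_ratio(files_a, files_b):
    """Jaccard similarity of the two extensions' sets of content hashes (path-insensitive)."""
    a = set(file_hashes(files_a).values())
    b = set(file_hashes(files_b).values())
    return len(a & b) / len(a | b) if (a | b) else 0.0


def impersonated_brands(manifest_bytes):
    """Return the wallet brands whose name appears in the manifest's name or description."""
    m = json.loads(manifest_bytes)
    text = f"{m.get('name', '')} {m.get('description', '')}".lower()
    return [brand for brand in IMPERSONATED_BRANDS if brand in text]


def flag_extension(ext_id, files):
    """Flag an extension that names a wallet brand but is not an allowlisted genuine ID."""
    brands = impersonated_brands(files["manifest.json"])
    if brands and ext_id not in KNOWN_GOOD_IDS:
        return {"id": ext_id, "brands": brands, "fingerprint": kit_fingerprint(files)}
    return None


def cluster_by_kit(extensions):
    """Group extension IDs whose non-manifest file sets are identical."""
    clusters = defaultdict(list)
    for ext_id, files in extensions.items():
        clusters[kit_fingerprint(files)].append(ext_id)
    return {fp: ids for fp, ids in clusters.items() if len(ids) > 1}


def scan(extensions):
    """Run the brand/allowlist check over a corpus and return the findings in order."""
    return [f for f in (flag_extension(i, files) for i, files in extensions.items()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EXTENSIONS):
        print("flagged:", finding)
    for ids in cluster_by_kit(SAMPLE_EXTENSIONS).values():
        print("same kit:", ids)
```

On the sample corpus the two renamed fakes are flagged and land in one kit cluster, while the allowlisted genuine wallet and the unrelated extension are left alone. The name check alone is the weak part, as Denley's "easily bypassed" remark implies: a rename or a misspelling defeats it, which is why the file-level fingerprint is the more durable signal to keep once a first batch of fakes has been confirmed.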

Denley has highlighted serious security threats in cryptocurrency wallets before. Last year, he wrote a paper showing how one supposedly secure wallet provider was in fact issuing the same private keys to multiple users.

Denley first detected the fake wallets in February. Since then, the number of reported phishing attacks has risen exponentially on a month-on-month basis. Because the hacker has not yet been identified, it's possible they could continue creating fake wallet extensions ad infinitum.
