A total of 1.4 million XRP, worth over $160,000 at press time, have reportedly been stolen from users via a malicious Google Chrome extension.

According to the forensics team of XRP ledger explorer xrplorer, the 1.4 million XRP tokens were stolen over the last month, as hackers use fake “Ledger Live” Google Chrome extensions to trick users into believing they will be able to use them to manage their funds in cold storage, when in reality they’re giving hackers access to their funds.

Per the researchers, the hackers manage to get users to install the extensions by using Google to advertise them, and coordinate their data via Google Docs. The figures related to XRP only, but other cryptocurrencies may also be targeted.

The forensics team added that most of the stolen XRP is still in addresses on the blockchain, and that what has been cashed out went through popular cryptocurrency exchange HitBTC. Earlier this month, it had flagged XRP accounts with “close to 300 million XRP” as fraudulent, with most of the funds being from the PlusToken scam.

As CryptoGlobe reported, Ledger has in the past warned against fake Chrome extensions using its name and asking users to enter their 24-word recovery phrases. On social media, the firm asked users to never share their recovery phrases or enter them into any internet-connect device.

Malicious Chrome extension caught stealing Ledger wallet recovery seeds > Stolen Ledger seed phrases will allow attacker to recover Ledger wallet content on another device — gain access to the victim’s cryptocurrency private keyshttps://t.co/0GqLzNhpSn pic.twitter.com/zCa8xVmUrx — Catalin Cimpanu (@campuscodi) March 5, 2020

If a user enters its recovery phrase on a malicious extension, the hacker behind it will have access to it. With the seed phrase, the attacker simply has to recover the Ledger wallet’s content on another device and move the funds to a wallet under its control.

As Ledger is a popular hardware wallet provider, it has in the past even dealt with “highly targeted” malware that locally replaced users’ Ledger Live desktop applications with malicious ones to steal their funds.