Source: Adobe/Aleksei

Google has removed a number of Chrome extensions that were pretending to be crypto wallet apps in order to steal users’ cryptoassets.

A total of 49 extensions of Google’s popular web browser, Chrome, which is the most popular in the world, have been removed by the tech giant from the Web Store as they were stealing crypto wallet keys, according to the report by anti-phishing, computer and network security company PhishFort and the MyCrypto platform.

Here’s the list of extension IDs, and the wallets they impersonated.@sniko_ has been tracking these for three months. All appear to be operated by the same group. pic.twitter.com/TeRZa68vBA — Catalin Cimpanu (@campuscodi) April 14, 2020

How do they do it? The report explains that they found “big campaigns pushing fake browser extensions to users and targeting well-known brands via Google Ads and other channels.” The extensions function the same, but the branding is new, changed based on the targeted user. This means that they pose like crypto wallet apps – including Ledger, Trezor, MyEtherWallet, MetaMask, and other major wallets – but that they contain malicious code used to steal private keys, mnemonic phrases, keystore files, and other information. The extension acts as a genuine wallet app would, but when a secret info is typed in, it’s sent to the server controlled by the scammer, while the user gets the default view. This makes the user either submit the same or different secret again in frustration, or uninstalling the app, forgetting about it until the funds are drained, at which point the app is already likely removed from the store.

The funds are not stolen right away though, the report explains, likely because either the attacker hasn’t been able to automate the thefts, or they’re interested only in high-value accounts. The companies concluded that each of the 49 may have been created by the same person(s), possibly “a Russian-based actor.”

Importantly, the scammer is still free to make more of these extensions, and the report urges users to report suspicious extensions, while also providing advice on how to stay safe.

Check out how a malicious extension targeting MyEtherWallet users works.

[embedded content]

Source