Google recently banned 49 phishing extensions for its Chrome web browser after receiving reports of their activity.

Harry Denley, director of security at cryptocurrency wallet startup MyCrypto, explained in an April 14 Medium post how he got the extensions removed from the Chrome store within 24 hours with the help of PhishFort, a cybersecurity firm that specializes in phishing.

The removed extensions include those that targeted owners of hardware wallets made by Ledger, Trezor, and KeepKey, as well as users of the Jaxx, MyEtherWallet, Metamask, Exodus and Electrum software wallets.

The extensions prompted users to enter the credentials required for accessing their wallets, such as mnemonic phrases, private keys, and keystore files, and sent them to bad actors. The crypto-assets found in the wallets were then stolen by the hackers.

Several of the extensions also had fake 5-star ratings in the Chrome extension store. However, the reviews included little to no detail, ranging from “nice” and “helpful app” to “legit extension”. One of the extensions allegedly had the same review copied and pasted by different users eight times.

The copypasta included an introduction to Bitcoin (BTC) and explained why the preferred wallet alternative was MyEtherWallet, the wallet targeted by the extension. It is worth noting that MyEtherWallet does not support Bitcoin.

One bad actor controlled most of the extensions

The investigation discovered 14 control servers behind all the extensions. However, fingerprinting analysis found that some of the domains were run by the same bad actors, with the oldest domain connected to several other control domains. Denley later concluded that most of the extensions had the same bad actors behind them.

Many of the domains used in the phishing campaigns were fairly old. However, 80 percent of them were registered in March and April 2020. Most of the add-ons were released on Chrome’s website this month.

Not the first phishing extensions intended for crypto users

This is not the first time the group has come across a malicious Google Chrome browser extension targeting crypto users. A Redditor warned the community that he lost some crypto-assets after falling victim to a fake Ledger extension.

Google Chrome extensions targeting crypto users are so common that earlier this month MyEtherWallet warned its users that its official extension had been disabled for supposedly containing malware. Fortunately, the extension was restored soon after the team contacted Google to fix the problem.