The Ethereum wallet Shitcoin Wallet steals passwords and private keys for crypto wallets, according to Harry Denley, director of security at wallet company MyCrypto. With that information, says Denley, those behind the wallet would have access to their users’ cryptocurrencies.

Shitcoin Wallet, which launched late last year, is downloadable as an extension for Google Chrome. It invites users to create wallets, which they can then unlock with private keys or an authentication certificate. Shitcoin Wallet claims that these keys are encrypted, meaning the service shouldn’t be able to read them.

But Denley wrote on Twitter that it is injecting malicious javascript code to steal information. This, according to Denley, occurs in two ways. First, the extension snoops for credentials of any wallet created within the extension. Second, when users access Myetherwallet, Idex, Switcheo or NeoTracker, the extension steals log-in credentials and private keys.

Shitcoin Wallet has since been listed on the domain warning list for the popular in-browser Ethereum dapp interface, MetaMask. “MetaMask believes this domain could currently compromise your security and, as an added safety feature, MetaMask has restricted access to the site,” states the message by MetaMask that pops up when entering the website for Shitcoin Wallet.

Luckily, Shitcoin Wallet only has 625 users, according to the extension’s listing on the Chrome Web Store. One of them is already upset: “It steals your login data and your tokens do not download it is a scam,” commented Tony Nicklow today in a one-star review.