Mystery Hacker Tries to Steal Crypto Through Fake Google Chrome Wallet Extensions

A hacker is exploiting trust in well-known brands by creating fake cryptocurrency wallet extensions for Google Chrome that trick victims into disclosing sensitive information.

Harry Denley, director of security at wallet provider MyCrypto, who identified the fake wallet extensions, said in a report Tuesday that Google has so far removed 49 extensions that purported to be well-known crypto wallets from its Chrome Web Store.

The fake extensions are basic phishing plays. Posing as legitimate wallets, they leak personal information inputted by users, such as private keys and passwords, to the hacker, who can then drain balances in a matter of seconds.

The fakes detected have so far claimed to be wallets such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey. Test amounts of crypto sent by Denley have not been picked up, suggesting that either the hacker has to manually empty wallets or that they are only interested in comparatively large balances.

On the Chrome Web Store, most of these apps had consistently good reviews written typically in simplistic or broken English. On the basis that the admin email appears to be a Russian one, it’s possible the hacker could also be based there, Denley noted.

More than half of all malicious extensions reported have claimed to be hardware wallet maker Ledger – nearly double the next largest, MyEtherWallet, which was 22 percent of fake extensions. There’s no obvious reason why the hacker decided to focus so much on Ledger, Denley said in his report.

When asked if there’s a way to prevent hackers from creating new fake extensions, Denley told CoinDesk: “Not really, though Google could use the data from the 49 extensions we’ve flagged to build some detection – though it could be easily bypassed.”

“Most of the malicious extensions had the same structure and same files which could be analysed,” he said. “The only way I can think of limiting the victim pool is by education and normalising the behaviour of not entering raw secrets into [user interfaces].”

Denley has highlighted serious security threats in cryptocurrency wallets before. Last year, he wrote a paper showing how one supposedly secure wallet provider was in fact issuing the same private keys to multiple users.

Denley first detected the fake wallets back in February. Since then, the number of reported phishing attacks has risen exponentially on a month-on-month basis. Because the hacker has not yet been identified, it’s possible they could continue creating fake wallet extensions ad infinitum.