Exclusive: Google removes 49 Chrome extensions caught stealing crypto-wallet keys

The Chrome extensions were mimicking cryptocurrency wallet apps like Ledger, MyEtherWallet, Trezor, Electrum, and others, but, in reality, they were stealing users' private keys and mnemonic phrases.

Chrome extensions

Google has removed 49 Chrome extensions from the Web Store that posed as legitimate cryptocurrency wallet apps but contained malicious code that stole crypto-wallet private keys, mnemonic phrases, and other raw secrets.

The 49 extensions were discovered by Harry Denley, Director of Security at the MyCrypto platform, who shared his findings exclusively with ZDNet last week.

Denley says the 49 extensions appear to have been put together by the same person/group, believed to be a Russian-based threat actor.

"Whilst the extensions all function the same, the branding is different depending on the user they are targeting," Denley said.

The MyCrypto security researcher says he has identified malicious extensions posing as known crypto-wallets apps such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.

The malicious extensions all worked nearly identically to the real ones; however, any data a victim enters during the configuration steps is sent to one of the attacker's servers or a Google Form.

However, thefts from user's accounts don't happen right away. In a controlled experiment, Denley said he entered the credentials of a test account into one of the malicious extensions, yet, the funds were not immediately stolen.

Denley believes that the threat actor is interested in stealing funds from high-value accounts only, or the attacker hasn't figured out how to automate the thefts and has to access each account manually.

Nonetheless, Denley says that thefts are happening. The researcher has tied some publicly reported incidents[1, 2, 3] to some of the 49 extensions he has been recently tracking. Unfortunately, due to the nature of most cryptocurrencies, victims cannot recovered any of the stolen funds.

Furthermore, since the threat actor behind this campaign is still at large other malicious extensions are expected to crop up on the Web Store in the coming months.

Denley is now encouraging users to file reports on the CryptoScamDB if they believe any of their Chrome extensions might be behind future wallet hacks and lost funds. Such reports help Denley and others to track down malicious extensions faster and have them taken down from the Chrome Web Store.

Statistics, indicators of compromise, and other details on this campaign are available in Denley's investigation, to go live later today on Medium.

Extension ID
Still Online?Targeted wallet
afephhbbcdlgdehhddfnehfndnkfbgnmNLedger
agfjbfkpehcnceblmdahjaejpnnnkjdnNLedger
ahlfiinafajfmciaajgophipcfholmehNMyEtherWallet
bhkcgfbaokmhglgipbppoobmoblcomhhNLedger
ckelhijilmmlmnaljmjpigfopkmfkoehNMyEtherWallet
dbcfhcelmjepboabieglhjejeolaopdlNLedger
ddohdfnenhipnhnbbfifknnhaomihcipNLedger
dehindejipifeaikcgbkdijgkbjliojcNLedger
dkhcmjfipgoapjamnngolidbcakpdhgfNTrezor
egpnofbhgafhbkapdhedimohmainbiioNMyEtherWallet
gpffceikmehgifkjjginoibpceadefihNElectrum
idnelecdpebmbpnmambnpcjogingdfcoNLedger
ifceimlckdanenfkfoomccpcpemphlbgNElectrum
igkljanmhbnhedgkmgpkcgpjmociceimNLedger
jbfponbaiamgjmfpfghcjjhddjdjdpnaNMetaMask
jfamimfejiccpbnghhjfcibhkgblmimlNTrezor
jlaaidmjgpgfkhehcljmeckhlaibgaolNExodus
lfaahmcgahoalphllknbfcckggddoffjNLedger
mcbcknmlpfkbpogpnfcimfgdmchchmmgNLedger
mciddpldhpdpibckghnaoidpolnmighkNLedger
mjbimaghobnkobfefccnnnjedoefbaflNLedger
njhfmnfcoffkdjbgpannpgifnbgdihklNMyEtherWallet
oejafikjmfmejaafjjkoeejjpdfkdkpcNLedger
opmelhjohnmenjibglddlpmbpbocohckNLedger
pbilbjpkfbfbackdcejdmhdfgeldakknNLedger
pcmdfnnipgpilomfclbnjpbdnmbcgjafNMetaMask
pedokobimilhjemibclahcelgedmkgeiNJaxx
plnlhldekkpgnngfdbdhocnjfplgnekgNCCB
ogaclpidpghafcnbchgpbigfegdbdikjNTrezor
ijhakgidfnlallpobldpbhandllbeobgNMyEtherWallet
ifmkfoeijeemajoodjfoagpbejmmnkhmNMyEtherWallet
epphnioigompfjaknnaokghgcncnjfbeNMyEtherWallet
gbbpilgcdcmfppjkdociebhmcnbfbmodNKeepKey
akglkgdiggmkilkhejagginkngocbpbjNTrezor
ijohicfhndicpnmkaldafhbecijhdikdNLedger
noilkpnilphojpjaimfcnldblelgllaaNLedger
nicmhgecboifljcnbbjlajbpagmhcclpNMyEtherWallet
obcfoaeoidokjbaokikamaljjlpebofeNLedger
dbcfokmgampdedgcefjahloodbgakkplNLedger
mnbhnjecaofgddbldmppbbdlokappkgkNLedger
ahikdohkiedoomaklnohgdnmfcmbabcnNLedger
anihmmejabpaocacmeodiapbhpholaomNLedger
ehlgimmlmmcocemjadeafmohiplmgmeiNLedger
effhjobodhmkbgfpgcdabfnjlnphakhbNLedger
kjnmimfgphmcppjhombdhhegpjphpiolNLedger
glmbceclkhkaebcadgmbcjihllcnpmjhNMyEtherWallet
bkanfnnhokogflpnhnbfjdhbjdlgncdi
NLedger
bpfdhglfmfepjhgnhnmclbfiknjnfblbNMyEtherWallet
bpklfenmjhcjlocdicfadpfppcgojfjpNKeepKey