Google recently pulled down 49 crypto wallet browser extensions that were found to be stealing private keys from users. Harry Denley, a security researcher, uncovered the theft. According to a Medium post he published, the extensions targeted users of crypto wallets such as Trezor, Ledger, Electrum, Jaxx, MetaMask, Exodus, KeepKey, and MyEtherWallet. Denley works at MyCrypto, where he is the director of security.
According to Denley, the extensions posed as genuine crypto wallet extensions. However, malicious code had been embedded in them, which enabled them to steal private keys, keystore files, and mnemonic phrases. The extensions would harvest data as users went through the configuration steps for the wallet. They would then send the data to one of the servers operated by the hackers or to a Google Form. Some of the fake extensions had fake users, which meant that they were highly rated. Denley believes that all the extensions are tied to one person or a single group working together. He added that the person or group was likely based in Russia.
Most Targeted Wallet
While the hackers targeted several wallets, they appeared to have a favorite. According to the study, Ledger was the wallet most targeted by the extensions, at 57%. MyEtherWallet was the hackers' second favorite at 22%, Trezor followed closely at 8%, Electrum and KeepKey at 4%, and Jaxx was the least favorite at 2%.
A Test of the Wallets
During his research, Denley sent funds to some of the addresses. However, he found that the funds were not automatically moved. As a result, he concluded that either the hackers were only interested in high-value accounts or they had to empty the addresses manually. Additionally, he noted that most of the malicious extensions began to appear on Google Chrome in February. Their number has grown over time, and the rate at which they are being released went up in April. According to the Medium post, once he reported the issue to Google, all the malicious extensions were taken down within 24 hours.