Following a series of crypto scam reports on Chrome, Google has ousted 49 extensions from its browser after they were found to be connected to crypto-stealing activities.
The extensions disguised themselves as legitimate crypto wallets and used malicious code to steal the crypto assets of unsuspecting users. The code extracted users’ private keys and other secret information without the users’ permission.
As reported by ZDNet, Harry Denley, Director of Security at the MyCrypto platform, said 49 crypto wallet extensions were caught stealing users’ private keys.
“Whilst the extensions all function the same, the branding is different depending on the user they are targeting,” Denley said.
Denley said the extensions were designed to work like the real ones, targeting well-known brands and cryptocurrency users. The security researcher listed the brands targeted by the malicious extensions:
- Ledger <https://www.ledger.com/>
- Trezor <https://trezor.io/>
- Jaxx <https://jaxx.io/>
- Electrum <https://electrum.org/>
- MyEtherWallet <https://myetherwallet.com>
- MetaMask <https://metamask.io>
- Exodus <https://www.exodus.io/>
- KeepKey <https://shapeshift.io/keepkey/>
The malicious extensions include:
| Extension ID | Still Online? | Targeted wallet |
| --- | --- | --- |
| afephhbbcdlgdehhddfnehfndnkfbgnm | N | Ledger |
| agfjbfkpehcnceblmdahjaejpnnnkjdn | N | Ledger |
| ahlfiinafajfmciaajgophipcfholmeh | N | MyEtherWallet |
| bhkcgfbaokmhglgipbppoobmoblcomhh | N | Ledger |
| ckelhijilmmlmnaljmjpigfopkmfkoeh | N | MyEtherWallet |
| dbcfhcelmjepboabieglhjejeolaopdl | N | Ledger |
| ddohdfnenhipnhnbbfifknnhaomihcip | N | Ledger |
| dehindejipifeaikcgbkdijgkbjliojc | N | Ledger |
| dkhcmjfipgoapjamnngolidbcakpdhgf | N | Trezor |
| egpnofbhgafhbkapdhedimohmainbiio | N | MyEtherWallet |
| gpffceikmehgifkjjginoibpceadefih | N | Electrum |
| idnelecdpebmbpnmambnpcjogingdfco | N | Ledger |
| ifceimlckdanenfkfoomccpcpemphlbg | N | Electrum |
| igkljanmhbnhedgkmgpkcgpjmociceim | N | Ledger |
| jbfponbaiamgjmfpfghcjjhddjdjdpna | N | MetaMask |
| jfamimfejiccpbnghhjfcibhkgblmiml | N | Trezor |
| jlaaidmjgpgfkhehcljmeckhlaibgaol | N | Exodus |
| lfaahmcgahoalphllknbfcckggddoffj | N | Ledger |
| mcbcknmlpfkbpogpnfcimfgdmchchmmg | N | Ledger |
| mciddpldhpdpibckghnaoidpolnmighk | N | Ledger |
| mjbimaghobnkobfefccnnnjedoefbafl | N | Ledger |
| njhfmnfcoffkdjbgpannpgifnbgdihkl | N | MyEtherWallet |
| oejafikjmfmejaafjjkoeejjpdfkdkpc | N | Ledger |
| opmelhjohnmenjibglddlpmbpbocohck | N | Ledger |
| pbilbjpkfbfbackdcejdmhdfgeldakkn | N | Ledger |
| pcmdfnnipgpilomfclbnjpbdnmbcgjaf | N | MetaMask |
| pedokobimilhjemibclahcelgedmkgei | N | Jaxx |
| plnlhldekkpgnngfdbdhocnjfplgnekg | N | CCB |
| ogaclpidpghafcnbchgpbigfegdbdikj | N | Trezor |
| ijhakgidfnlallpobldpbhandllbeobg | N | MyEtherWallet |
| ifmkfoeijeemajoodjfoagpbejmmnkhm | N | MyEtherWallet |
| epphnioigompfjaknnaokghgcncnjfbe | N | MyEtherWallet |
| gbbpilgcdcmfppjkdociebhmcnbfbmod | N | KeepKey |
| akglkgdiggmkilkhejagginkngocbpbj | N | Trezor |
| ijohicfhndicpnmkaldafhbecijhdikd | N | Ledger |
| noilkpnilphojpjaimfcnldblelgllaa | N | Ledger |
| nicmhgecboifljcnbbjlajbpagmhcclp | N | MyEtherWallet |
| obcfoaeoidokjbaokikamaljjlpebofe | N | Ledger |
| dbcfokmgampdedgcefjahloodbgakkpl | N | Ledger |
| mnbhnjecaofgddbldmppbbdlokappkgk | N | Ledger |
| ahikdohkiedoomaklnohgdnmfcmbabcn | N | Ledger |
| anihmmejabpaocacmeodiapbhpholaom | N | Ledger |
| ehlgimmlmmcocemjadeafmohiplmgmei | N | Ledger |
| effhjobodhmkbgfpgcdabfnjlnphakhb | N | Ledger |
| kjnmimfgphmcppjhombdhhegpjphpiol | N | Ledger |
| glmbceclkhkaebcadgmbcjihllcnpmjh | N | MyEtherWallet |
| bkanfnnhokogflpnhnbfjdhbjdlgncdi | N | Ledger |
| bpfdhglfmfepjhgnhnmclbfiknjnfblb | N | MyEtherWallet |
| bpklfenmjhcjlocdicfadpfppcgojfjp | N | KeepKey |
Source: ZDnet.com
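A defender can check a workstation against the table above by comparing it with the extension folders in a Chrome profile. The following is an added example, not code from the article or from Denley's report; it assumes Chrome's on-disk layout of `Extensions/<extension id>/<version>/manifest.json`, and the function names are hypothetical.

```python
import json
import re
import sys
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
ID_RE = re.compile(r"^[a-p]{32}$")

# Three rows copied from the table above as sample input; paste every row in practice.
BLOCKLIST_TABLE = """\
| afephhbbcdlgdehhddfnehfndnkfbgnm | N | Ledger |
| jbfponbaiamgjmfpfghcjjhddjdjdpna | N | MetaMask |
| gbbpilgcdcmfppjkdociebhmcnbfbmod | N | KeepKey |
"""

def parse_blocklist(table):
    """Map extension ID -> targeted wallet; header, separator and malformed rows are skipped."""
    blocklist = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 3 and ID_RE.match(cells[0]):
            blocklist[cells[0]] = cells[2]
    return blocklist

def scan_extensions(ext_root, blocklist):
    """Return (id, targeted wallet, manifest name, version) for each blocklisted extension on disk."""
    hits = []
    root = Path(ext_root)  # assumed layout: <ext_root>/<id>/<version>/manifest.json
    if not root.is_dir():
        return hits
    for ext_dir in sorted(p for p in root.iterdir() if p.name in blocklist and p.is_dir()):
        for ver in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:
                # utf-8-sig tolerates a byte-order mark at the start of the manifest
                text = (ver / "manifest.json").read_text(encoding="utf-8-sig")
                name = json.loads(text).get("name", "?")
            except (OSError, ValueError, AttributeError):
                name = "?"  # missing or unreadable manifest: still report the ID
            hits.append((ext_dir.name, blocklist[ext_dir.name], name, ver.name))
    return hits

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit('usage: python check_extensions.py "<Chrome profile>/Extensions"')
    for hit in scan_extensions(sys.argv[1], parse_blocklist(BLOCKLIST_TABLE)):
        print("BLOCKLISTED: id=%s targets=%s name=%r version=%s" % hit)
```

The match is on the extension ID only, because the display name in the manifest imitates the genuine wallet and cannot be trusted.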
The crypto wallet extensions captured users’ information during the configuration steps and then sent it to the attackers’ servers or to a Google Form. Denley said that after an experimental attempt his funds were not carted away, probably because the hackers are interested in high-profile accounts or have yet to find a way to steal his funds.
Denley nonetheless confirmed that the attack is real and urged users to report extensions not listed in the report. The researcher said users can report suspected extensions via CryptoScamDB for proper investigation.
Earlier, NewsLogical reported that about 1.4 million XRP was stolen via a fake “Ledger Live” Chrome extension. The scammers deceived unsuspecting users with ad campaigns on Google search.
Denley, in a report on Medium, also confirmed that there are numerous campaigns pushing fake browser extensions to users on the Google search engine.