Cryptocurrencies are among the very few innovations of this century that are built on two main principles: security and anonymity. So it might come as a shock that hackers have just managed to undermine both of these principles with ease. It is even more surprising that they were able to do so using a tool as simple as a Google Chrome web extension. According to an exclusive report published by ZDNet, Google recently red-flagged and removed 49 Chrome extensions from the Web Store. On paper, these extensions appeared to be legitimate cryptocurrency wallet apps. On closer inspection, however, it became evident that they contained malicious code that stole crypto-wallet private keys, mnemonic phrases, and other raw secrets.
All 49 malicious web extensions were spotted by Harry Denley, Director of Security at the MyCrypto platform. MyCrypto is an open-source, client-side tool for interacting with the blockchain; it gives users a simple interface to use, access, and move their tokens. According to Mr. Denley, all the red-flagged web extensions appear to have been created by the same hacker or group of hackers. He based this claim on his finding that all of these extensions had the same functionality but carried different brand names. The first case was detected in February, and many more followed in March. He also stated that the extensions appear to originate from Russia, as the admin email contained Russian-language text. On the Web Store, all of these extensions had unrealistically high ratings and reviews written in poor, broken English, which suggests paid and fake reviews.
The fake extensions identified so far claimed to be wallets including Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey. Although the overall damage caused is still unknown, we do have some information based on tests conducted by the MyCrypto security researcher. Any data entered by the victim into these fake extensions during the configuration process is sent to the attacker’s server. Mr. Denley also posed as a victim by entering the details of test accounts. To his surprise, the funds were not immediately stolen. Based on this, he believes either that the hackers are interested only in stealing from high-value accounts, or, the other plausible explanation he offered, that the group was unable to automate the process and was doing the entire job manually, hence the delay.
The identity of the hackers is still unknown. The only blow they have received is that their extensions have been taken down. This may have subdued them for now, but the possibility of further such activity can’t be ignored. According to the available statistics, the number of reported malicious extensions is rising exponentially. Experts also believe that there is not much that can be done to prevent hackers from creating more malicious web extensions. Denley noted that although Google can use the data collected from these 49 extensions to build a better detection system, it won’t be very effective against other extensions that use different methods of stealing data.