A Chrome extension discovered that steals crypto wallet private keys

Recently, a Google Chrome extension was found to inject malicious JavaScript code into web pages. This code allowed the extension to steal various passwords and private keys of users' Bitcoin wallets and cryptocurrency portals.

The extension, which has a rather indecent name, is called “Shitcoin Wallet” and has an extension ID of “ckkgmccefffnbbalkmbbgebbojjogffn.” The extension was launched on December 9 last year.

In a blog post introducing the extension, the team described Shitcoin Wallet as a wallet that allows users to buy Ethereum and manage it properly. In addition, Shitcoin Wallet also supports ERC20-based tokens, which are usually distributed through initial coin offerings (ICOs).

If this Google Chrome extension was harmless, it would serve an important purpose. Users can install the extension and manage Ethereum and its ERC-20 tokens in their browser. In addition, if users want to manage their funds outside the high-risk environment of the browser, they can also install a Windows desktop application.

However, things started to go wrong and Harry Denley became the cause of the incident. Denley was the security director of the MyCrypto platform and he found malicious code inside the extension. It seems that nothing can exist only for the benefit of all mankind.

Denley explained that the extension presents two significant dangers. First, any funds managed directly within the extension are at risk. This is because the extension sends the private keys of any wallets managed or created within its interface to a third-party website located at the address “erc20wallet[.]tk.”

The second key issue is that when users visit five well-known cryptocurrency management platforms, the extension actively injects JavaScript code. By injecting malicious code, the extension steals the private keys and login details of these platforms and sends them to the same third-party website.

A detailed analysis of the code revealed that the entire process is divided into multiple steps. First, the user installs the extension, which then requests permission to inject more JavaScript code on 77 websites. When the user visits one of these 77 websites, the extension loads and injects another JavaScript file from "https://erc20wallet[.]tk/js/content_.js". This file contains obfuscated code and is activated on the following five websites:
MyEtherWallet.com,
Idex.Market,
Binance.org,
NeoTracker.io and
Switcheo.exchange. The code then records the private key and login information created by the user and sends it to a third-party website.

Please join our Telegram channel to get the latest news coverage.