Malicious browser extension campaign steals crypto by swapping wallet addresses

Cybersecurity researchers in June flagged an active browser extension campaign called Silent Swap that steals cryptocurrency by replacing wallet addresses in the clipboard. McAfee Labs said the activity uses unsigned installers to plant a fake Google Notes extension and has been seen globally, with the highest concentration in India.

KEY FACTS

  • Campaign: Silent Swap uses a malicious Chromium extension to swap copied wallet addresses.
  • Delivery: Unsigned .NET and Golang installers install the extension and hide it as Google Notes.
  • Technique: McAfee Labs’ technical report says the malware uses EtherHiding to pull command details from the blockchain.
  • Impact: Infections were reported in India, the U.S., Brazil, Indonesia and Spain.
  • Related finding: Socket identified fake free VPN extensions for Chrome and Firefox that also steal clipboard data.

The unsigned installer, named BaseZipInstaller, retrieves a ZIP archive and scans for Chromium-based browsers. It then alters browser preference files to force-install the extension and can recalculate security values so the browser treats the tampered settings as legitimate.

The extension requests clipboard, browsing history and all-URLs permissions, then watches for copied wallet addresses tied to Bitcoin, Ethereum, Bitcoin Cash, Ripple and Dash. The report says the server maps each original address to a replacement controlled by the attacker, while Solana addresses resolve to one attacker wallet.
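A defender-side check that follows from the two paragraphs above (the tampered browser preference files and the clipboard/history/all-URLs permission set) is to audit the extension entries in a Chromium profile's preferences for sideloaded installs and for that permission combination. The script below is an added example, not McAfee Labs' tooling; it assumes the Chromium preferences layout of an `extensions.settings` map keyed by extension ID with `from_webstore` and an embedded `manifest`, and the sample profile data, extension IDs and names are constructed for the demonstration. It does not try to verify the per-profile HMACs ("security values"), which the installer is reported to recompute anyway.

```python
import json

# Permission names as they appear in Chromium extension manifests.
CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}
HISTORY_PERM = "history"
ALL_URLS = "<all_urls>"


def audit_extensions(prefs: dict) -> list:
    """Return one finding per suspicious entry in a parsed Chromium
    'Secure Preferences' (or 'Preferences') dict.  An entry is flagged when
    it was not installed from the Web Store (sideloaded / force-installed)
    or when its manifest combines clipboard, history and all-URLs access."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        # Host access may sit in 'permissions' (MV2) or 'host_permissions' (MV3).
        hosts = set(manifest.get("host_permissions", [])) | perms
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if perms & CLIPBOARD_PERMS and HISTORY_PERM in perms and ALL_URLS in hosts:
            reasons.append("clipboard + history + <all_urls> permission set")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "reasons": reasons})
    return findings


# Constructed sample profile data (IDs and names are placeholders, not real IoCs).
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True,
        "manifest": {"name": "Benign Dictionary", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False,
        "manifest": {"name": "Google Notes",
                     "permissions": ["clipboardRead", "history"],
                     "host_permissions": ["<all_urls>"]}}}}})


def audit_sample() -> list:
    """Parse the constructed sample and return its findings."""
    return audit_extensions(json.loads(SAMPLE_PREFS))


if __name__ == "__main__":
    for f in audit_sample():
        print(f["id"], f["name"], "; ".join(f["reasons"]))
```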

McAfee Labs said the activity overlaps with a prior CountLoader campaign and appears to involve the same threat actor. The extension can also be loaded in developer mode on some browsers, and the installer deletes itself after execution to reduce traces of the initial compromise.

In a separate disclosure from Socket, two browser extensions posing as free VPN tools were found to contain clipboard-stealing code that can exfiltrate passwords, authentication codes, API keys, OAuth tokens and seed phrases. The fake VPN extensions were published first in benign form and later updated with the malicious functions.

WHY IT MATTERS

Clipboard theft can cause irreversible losses in cryptocurrency transfers and can expose other sensitive data if the same browser extension is active. The findings show how threat actors are using staged updates, hidden installation methods and dynamic infrastructure to make malicious extensions harder to spot and remove.