This Trader Reportedly Lost $800k in Crypto Through Malicious Chrome Extensions

An anonymous cryptocurrency investor with the username “Sell When Over” on X has reported a loss of $800,000 due to two allegedly malicious Google Chrome browser extensions.

The investor first raised the alarm with a post on X, revealing that they had discovered a loss of $500,000 from multiple wallet applications.

Chrome Extension Attack Leads to $800k Loss

“Think I got extension attacked, with two suspicious extensions that appeared on my Chrome browser,” they disclosed. Further investigation by the victim uncovered the extent of the compromise, amounting to a loss of $800,000. They suspected a compromise in their Google Chrome browser, potentially involving a keylogger targeting specific crypto wallet extensions.

Total compromise appears to be about $800k. I suspect this was a Google chrome compromise containing a possible keylogger targeting specific wallet extension apps (either due to a Chrome vulnerability due to me delaying regular updates or getting malware that wasn’t detected by… pic.twitter.com/yMJfHAFzQo

— Sell When Over | 9000.sei (@sell9000) April 8, 2024

Several weeks prior, the trader repeatedly postponed an update for Google Chrome. However, a mandatory Windows update eventually forced a system restart. Upon relaunching Chrome, they noticed that all their tabs had disappeared and extension logins had been reset.

Following the incident, the victim was forced to re-enter all their credentials on Chrome and manually reimport seed phrases for their cryptocurrency wallets from a separate secure device.

The user suspects that the keylogger compromised their sensitive information, leading to funds being drained afterward. The user also did not observe any abnormal behavior in their browser following the restart, with their virus scanner indicating no issues and no other suspicious extensions.

Chrome Extensions Identified as Keyloggers

After the preliminary investigation, they identified two suspicious extensions – “Sync test beta” and “Simple Game” and an auto Korean translation setting enabled in Chrome.

The user remained unsure how exactly their Chrome browser was compromised but confirmed that the “Sync test BETA” extension was a keylogger. Meanwhile, “Simple Game” appeared to monitor tab activities and communicate with an external site’s PHP script.

“This is an $800k costly mistake – lesson is if anything seems off such that it prompts you to input a seed, then wipe the whole PC first,” the trader cautioned.

They also explained that their guard had been down because the update coincided with a major Chrome update, which included changes to the user selection process and the sign-in interface with Google. This led them to think that the reset of extensions and the loss of tabs were due to this significant update.

As of the latest update, the attackers have reportedly transferred the funds to two exchanges: MEXC, located in Singapore, and Gate.io, headquartered in the Cayman Islands.