Crypto users left vulnerable via sham Google Chrome extension

Crypto users have discovered a malicious Google Chrome extension designed to steal money by modifying website cookie data.

Binance trader “doomxbt” first flagged the issue in February after noticing a $70,000 loss linked to suspicious activity. The attacker initially deposited the stolen funds into AI-powered crypto exchange SideShift.

I was strangely endangered and @binance the account was emptied, I suddenly heard voice notifications about orders being filled even though I had never placed an order – suddenly my 70 thousand amount suddenly became 0 on the screen pic.twitter.com/NEkSQVbBQc

— 𝔡𝔬𝔬𝔪 (@doomxbt) February 29, 2024

On Tuesday, the theft was reported to be linked to a fake Aggr app extension in Google’s Chrome store. Unlike the legitimate Aggr app, which provides professional trading tools such as on-chain liquidation trackers, the malicious version contained code that collected all website cookies from users and allowed hackers to regenerate passwords and user keys specifically for Binance accounts.
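A check a user or reviewer can run on an unpacked extension before trusting it, given that the fake extension collected cookies from every site: the added example below (not code from the article or from either Aggr extension) audits a manifest for cookie access combined with all-site reach. The manifest keys are Chrome's real ones; the function names and both sample manifests are constructed for illustration, and the article does not state which permissions the fake extension declared.

```javascript
// Constructed example: flag manifests that pair cookie access with all-site reach.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Match patterns are "<all_urls>" or contain "://"; anything else is an API permission.
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  // Manifest V3 lists hosts separately; Manifest V2 mixes them into "permissions".
  const hosts = [
    ...declared.filter(isHostPattern),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  const broad = hosts.filter((h) => BROAD_HOSTS.has(h));
  const hasCookies = declared.includes("cookies");

  const findings = [];
  if (hasCookies && broad.length > 0) {
    // chrome.cookies plus every host means session cookies for any site are readable.
    findings.push({ severity: "high", reason: `cookies API with broad host access (${broad.join(", ")})` });
  } else if (hasCookies) {
    findings.push({ severity: "medium", reason: `cookies API limited to: ${hosts.join(", ") || "no hosts"}` });
  }
  // Scripts injected on every page can read non-HttpOnly cookies via document.cookie.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOSTS.has(m))) {
      findings.push({ severity: "medium", reason: `content script on all sites: ${(cs.js || []).join(", ")}` });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const broadSample = {
  manifest_version: 3, name: "sample-trading-tool",
  permissions: ["cookies", "storage"], host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
};
const scopedSample = {
  manifest_version: 3, name: "sample-scoped",
  permissions: ["cookies"], host_permissions: ["https://example.com/*"],
};
console.log(JSON.stringify([auditManifest(broadSample), auditManifest(scopedSample)], null, 2));
```

A clean result only means the manifest does not request this combination; it says nothing about what the extension's scripts do with the access they have.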

⚠️DO NOT DOWNLOAD AGGR CHROME EXTENSION⚠️

We finally found out how @doomxbt lost his money on Binance.
There’s a malicious Aggr app in the Chrome store with good reviews that steals all the cookies on every website you visit, and 2 months ago someone paid a bunch of influencers… pic.twitter.com/XEPbwKX0XW

— Tree (🌲,🌲) (@Tree_of_Alpha) May 28, 2024

Incompetent due diligence by crypto influencers or an elaborate scam?

When the fake Aggr app became available on the Chrome Store, hackers launched a social media campaign to encourage downloads.

The extension’s developers hired a network of influencers to promote the malware, a process known as “shilling.” Social media accounts flooded their timelines with commercial buzzwords to convince users that the tool was needed.

In this case, these influencers either forgot or ignored the popular crypto slogan “do your own research” AKA “DYOR”. It is unknown whether supporters knew that the fake Aggr left users vulnerable or whether social media accounts profited from the attack.

Following the incident, crypto.news reached out to some supporters for comment, but at least one blocked the request.

This incident is part of a larger trend, as similar attacks using Chrome extensions have occurred recently. Last month, a trader lost more than $800,000 in digital assets after interacting with two malicious Chrome browser extensions. Users are advised to DYOR and double-check before downloading any app on their devices.

At first glance, the extension is mostly harmless; it imports a small “background.js” file and the popular JavaScript extension “jquery”. pic.twitter.com/lxFcSvxP4V

— Tree (🌲,🌲) (@Tree_of_Alpha) May 28, 2024
