A Google Chrome Extension Steals Crypto-wallet Keys

Google Chrome Extension Steals

Recently, a code was found injected in a Google Chrome extension named “Shitcoin Wallet” for stealing the passwords and private keys cryptocurrency wallets and cryptocurrency portals. This malicious extension was launched on December 9th with Chrome extension ID “ckkgmccefffnbbalkmbbgebbojjogffn”. So far, the extension is still available for download through the official Google Chrome Web Store.  “Shitcoin Wallet” is a Google Chrome extension that allows users to manage both Ether (ETH) coins and Ethereum ERC20-based tokens within their browser or the Windows desktop app. The Ethereum ERC20-based tokens usually issued for ICOs (Initial Coin Offerings). However, this wallet app was found that it contained malicious code on December 31st. This extension can endanger users in 2 ways:

  1. Because the extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk, any funds including ETH coins and ERC0-based tokens managed directly inside the extension are at risk.
  2. The extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code steals login credentials and private keys, data that it’s sent to the same erc20wallet[.]tk third-party website.

Here is the process of getting affected by the malicious code:

  • Users install the Chrome extension
  • Chrome extension requests permission to inject JavaScript (JS) code on 77 websites [listed here]
  • When users navigate to any of these 77 sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
  • This JS file contains obfuscated code [deobfuscated here]
  • The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
  • Once activated, the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and, finally, sends the data to erc20wallet[.]tk


Contact LIFARS Immediately if Your
Organization was Hit with a Data Breach