Mystery Hacker Tries to Steal Crypto Through Fake Google Chrome Wallet Extensions

Google has removed 49 Chrome extensions masquerading as legitimate crypto wallets including Ledger, MyEtherWallet, MetaMask and Jaxx, according to MyCrypto's Harry Denley.

AccessTimeIconApr 16, 2020 at 8:00 a.m. UTC
Updated Sep 14, 2021 at 8:29 a.m. UTC

A hacker is exploiting trust in well-known brands by creating fake cryptocurrency wallet extensions for Google Chrome that trick victims into disclosing sensitive information.

Harry Denley, director of security at wallet provider MyCrypto, who identified the fake wallet extensions, said in a report Tuesday that Google has so far removed 49 extensions purporting to be well-known crypto wallets from its Chrome Web Store.

The fake extensions are basic phishing ploys. Posing as legitimate wallets, they leak personal information inputted by users, such as private keys and passwords, to the hacker, who can then drain balances in a matter of seconds.

The fakes detected have so far claimed to be wallets including Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey. Test amounts of crypto sent by Denley have not been picked up, suggesting that either the hacker has to manually empty wallets or they are only interested in comparatively large balances.

On the Chrome Web Store most of these apps had consistently good reviews written typically in simplistic or broken English. On the basis that the admin email appears to be a Russian one, it's possible the hacker could also be based there, Denley noted.

More than half of all malicious extensions reported have claimed to be hardware wallet maker Ledger – nearly double the next largest, MyEtherWallet, which was 22 percent of fake extensions. There's no obvious reason why the hacker decided to focus so much on Ledger, Denley said in his report.

When asked if there's a way to prevent hackers from creating new fake extensions, Denley told CoinDesk: "Not really, though Google could use the data from the 49 extensions we've flagged to build some detection – though it could be easily bypassed."

"Most of the malicious extensions had the same structure and same files which could be analysed," he said. "The only way I can think of limiting the victim pool is by education and normalising the behaviour of not entering raw secrets into [user interfaces]."

Denley has highlighted serious security threats in cryptocurrency wallets before. Last year, he wrote a paper showing how one supposedly secure wallet provider was in fact issuing the same private keys to multiple users.

Denley first detected the fake wallets in February. Since then, the number of reported phishing attacks has risen exponentially on a month-on-month basis. Because the hacker has not yet been identified, it's possible they could continue creating fake wallet extensions ad infinitum.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.