Mystery Hacker Tries to Steal Crypto Through Fake Google Chrome Wallet Extensions

Google has removed 49 Chrome extensions masquerading as legitimate crypto wallets including Ledger, MyEtherWallet, MetaMask and Jaxx, according to MyCrypto's Harry Denley.

AccessTimeIconApr 16, 2020 at 8:00 a.m. UTC
Updated Sep 14, 2021 at 8:29 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

A hacker is exploiting trust in well-known brands by creating fake cryptocurrency wallet extensions for Google Chrome that trick victims into disclosing sensitive information.

Harry Denley, director of security at wallet provider MyCrypto, who identified the fake wallet extensions, said in a report Tuesday that Google has so far removed 49 extensions purporting to be well-known crypto wallets from its Chrome Web Store.

The fake extensions are basic phishing ploys. Posing as legitimate wallets, they leak personal information inputted by users, such as private keys and passwords, to the hacker, who can then drain balances in a matter of seconds.

The fakes detected have so far claimed to be wallets including Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey. Test amounts of crypto sent by Denley have not been picked up, suggesting that either the hacker has to manually empty wallets or they are only interested in comparatively large balances.

On the Chrome Web Store most of these apps had consistently good reviews written typically in simplistic or broken English. On the basis that the admin email appears to be a Russian one, it's possible the hacker could also be based there, Denley noted.

More than half of all malicious extensions reported have claimed to be hardware wallet maker Ledger – nearly double the next largest, MyEtherWallet, which was 22 percent of fake extensions. There's no obvious reason why the hacker decided to focus so much on Ledger, Denley said in his report.

When asked if there's a way to prevent hackers from creating new fake extensions, Denley told CoinDesk: "Not really, though Google could use the data from the 49 extensions we've flagged to build some detection – though it could be easily bypassed."

"Most of the malicious extensions had the same structure and same files which could be analysed," he said. "The only way I can think of limiting the victim pool is by education and normalising the behaviour of not entering raw secrets into [user interfaces]."

Denley has highlighted serious security threats in cryptocurrency wallets before. Last year, he wrote a paper showing how one supposedly secure wallet provider was in fact issuing the same private keys to multiple users.

Denley first detected the fake wallets in February. Since then, the number of reported phishing attacks has risen exponentially on a month-on-month basis. Because the hacker has not yet been identified, it's possible they could continue creating fake wallet extensions ad infinitum.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.