22 MORE CRYPTO-STEALING GOOGLE CHROME EXTENSIONS DISCOVERED
The seemingly endless battle against malicious browser extensions continues as another wave of crypto-stealing Google Chrome extensions has been discovered. Imagine thinking your crypto assets are safe, only to find out that a seemingly harmless browser extension has been silently siphoning them away. Security researcher Harry Denley, as reported by Naked Security, uncovered a staggering 22 new extensions designed solely to steal users' cryptocurrencies. This discovery highlights the persistent threat posed by malicious actors exploiting the Chrome Web Store to distribute malware. These extensions often masquerade as legitimate tools or utilities, making it difficult for the average user to distinguish them from the real deal. The implications are severe, potentially leading to significant financial losses for unsuspecting victims. This article delves into the details of this latest threat, exploring how these extensions operate, which wallets are targeted, and most importantly, what you can do to protect yourself from becoming the next victim. Stay vigilant – your crypto could depend on it!
The Anatomy of the Crypto-Stealing Chrome Extensions
These malicious Chrome extensions are not simply annoying pop-up ads; they are sophisticated tools designed to silently infiltrate your browser and compromise your cryptocurrency holdings. They achieve this through a variety of methods, often working in tandem to maximize their effectiveness.
Impersonating Legitimate Services
One of the most common tactics used by these extensions is to impersonate legitimate and popular cryptocurrency-related services. This includes mimicking well-known crypto wallets like MetaMask, Trust Wallet, and Coinbase Wallet. By using similar logos, names, and user interfaces, they trick users into believing they are installing a genuine extension from a trusted provider. Other extensions impersonate productivity tools, VPN services or even AI assistants, luring users in under false pretenses.
Example: A user might search for "MetaMask extension" in the Chrome Web Store and, without carefully examining the developer or reviews, accidentally install a fake extension that looks almost identical to the real one. Once installed, this fake extension can intercept transactions, steal private keys, or redirect funds to the attacker's wallet.
Targeting Crypto Wallets
These extensions are specifically designed to target crypto wallets, seeking to steal sensitive information and gain control over user funds. The 22 newly discovered extensions are reported to target at least 20 different crypto wallet extensions. The malware often scans for the presence of these specific wallet extensions upon installation.
Targeted Wallets Include:
- MetaMask
- Trust Wallet
- Coinbase Wallet
- OKX Wallet
Stealing Credentials and Private Keys
The primary goal of these extensions is to steal your credentials and private keys. This is often accomplished through phishing attacks, keylogging, or by injecting malicious code into legitimate websites. Once the attacker has access to your private keys, they can transfer your cryptocurrency to their own wallets, effectively stealing your funds.
Clipboard Monitoring and Manipulation
Some of these extensions employ more advanced techniques, such as monitoring your clipboard. This allows them to detect when you copy and paste a cryptocurrency address. The extension can then replace the legitimate address with the attacker's address, causing you to unknowingly send funds to the wrong recipient. StilachiRAT, a remote access trojan, is a prime example of malware capable of this.
The StilachiRAT Threat: A Deep Dive
Microsoft's Incident Response Team identified a new remote access trojan (RAT) called StilachiRAT. This malware is particularly dangerous because it goes beyond simple credential theft and employs sophisticated techniques to evade detection and steal user funds.
Key Features of StilachiRAT
- Credential Theft: StilachiRAT is capable of stealing browser credentials, including usernames, passwords, and cookies, which can be used to access your cryptocurrency wallets and other sensitive accounts.
- Clipboard Monitoring: As mentioned earlier, this malware monitors your clipboard for cryptocurrency addresses and can replace them with the attacker's address.
- Anti-Forensic Techniques: StilachiRAT employs anti-forensic techniques to evade detection and make it more difficult for security researchers to analyze its behavior.
- Command-and-Control Communication: The malware communicates with command-and-control (C&C) servers to exfiltrate data and receive commands from the attacker.
How StilachiRAT Operates
- Infection: StilachiRAT is typically distributed through malicious Chrome extensions that impersonate legitimate services.
- Installation: Once installed, the extension gains access to your browser and begins monitoring your activity.
- Data Exfiltration: The malware steals your credentials, monitors your clipboard, and sends this data to the C&C server.
- Command Execution: The attacker can then use the C&C server to send commands to the malware, such as transferring funds from your wallet or installing additional malware.
Google's Response and the Ongoing Battle
Google has been actively working to combat the spread of malicious Chrome extensions. After the discovery of these 22 new extensions, Google responded quickly and removed them from the Chrome Web Store within 24 hours. This rapid response demonstrates Google's commitment to protecting its users from malware. However, the battle is far from over.
Challenges in Combating Malicious Extensions
Despite Google's efforts, malicious actors continue to find ways to bypass security measures and distribute their malware through the Chrome Web Store. There are several reasons for this:
- Sophisticated Disguises: Malicious extensions are becoming increasingly sophisticated in their ability to disguise themselves as legitimate tools.
- Evolving Tactics: Attackers are constantly evolving their tactics to evade detection and exploit new vulnerabilities.
- Scale of the Chrome Web Store: The sheer size of the Chrome Web Store makes it difficult to monitor all extensions for malicious activity.
Google's Efforts to Improve Security
Google is continually working to improve the security of the Chrome Web Store and protect users from malicious extensions. Some of their efforts include:
- Enhanced Review Process: Google has implemented a more rigorous review process for new extensions, including automated and manual checks for malicious code.
- User Reporting: Google encourages users to report suspicious extensions, which helps them identify and remove malicious extensions more quickly.
- Improved Detection Techniques: Google is constantly developing new techniques to detect and block malicious extensions.
- Developer Guidelines: Google has established clear guidelines for developers to ensure that extensions meet certain security standards.
How to Protect Yourself: Practical Tips and Advice
While Google is working to improve the security of the Chrome Web Store, it is ultimately up to you to protect yourself from malicious extensions. Here are some practical tips and advice to help you stay safe:
Be Vigilant When Installing Extensions
The most important thing you can do is to be vigilant when installing extensions. Before installing any extension, take the time to carefully examine it. Look for red flags, such as:
- Suspicious Developer Name: Is the developer name unfamiliar or does it seem unprofessional?
- Poor Reviews: Are there a lot of negative reviews or complaints about the extension's behavior?
- Excessive Permissions: Does the extension request permissions that seem unnecessary or excessive for its stated purpose?
- Lack of Information: Is there a lack of information about the extension's functionality or developer?
Example: An extension that claims to be a simple calculator but requests permission to access your browsing history should raise a red flag.
Use a Strong and Unique Password for Your Crypto Wallets
A strong and unique password is essential for protecting your crypto wallets. Avoid using the same password for multiple accounts, and make sure your password is complex and difficult to guess. Consider using a password manager to generate and store your passwords securely.
Enable Two-Factor Authentication (2FA)
Two-factor authentication (2FA) adds an extra layer of security to your crypto wallets. With 2FA enabled, you will need to enter a code from your phone or another device in addition to your password when logging in or making a transaction. This makes it much more difficult for attackers to gain access to your account, even if they have your password.
Regularly Review and Remove Unnecessary Extensions
It's a good practice to regularly review the extensions you have installed in your browser and remove any that you no longer need or use. The more extensions you have installed, the greater the risk that one of them could be malicious.
To review and remove extensions in Chrome:
- Open Chrome.
- In the top right, click the three dots (More).
- Click More tools > Extensions.
- Review the list of installed extensions and remove any that you don't need or trust.
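The "Excessive Permissions" red flag and the review steps above can be checked mechanically by reading each installed extension's manifest.json. The following is an added example, not code from the original article or from Google; it assumes the caller passes the path of a Chrome profile's Extensions folder, laid out as `<extension id>/<version>/manifest.json`, and the sample manifests are constructed.

```python
import json
from pathlib import Path

# Real Chrome permission strings; the risk notes are this example's wording.
HIGH_RISK = {
    "clipboardRead": "can read copied text, e.g. a wallet address",
    "clipboardWrite": "can replace copied text, e.g. a wallet address",
    "cookies": "can read session cookies for sites it has access to",
    "history": "can read browsing history",
    "management": "can list other installed extensions",
    "nativeMessaging": "can talk to programs outside the browser",
    "scripting": "can inject scripts into pages",
    "webRequest": "can observe network requests",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _strings(values):
    """Keep only string entries; manifests may hold objects in these lists."""
    return {v for v in values or [] if isinstance(v, str)}


def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    perms = _strings(manifest.get("permissions"))
    perms |= _strings(manifest.get("optional_permissions"))
    # Manifest V2 puts host patterns in "permissions"; V3 uses "host_permissions".
    hosts = perms | _strings(manifest.get("host_permissions"))
    for script in manifest.get("content_scripts") or []:
        hosts |= _strings(script.get("matches"))
    findings = [f"{p}: {HIGH_RISK[p]}" for p in sorted(perms & set(HIGH_RISK))]
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append("runs on every site: " + ", ".join(broad))
    return findings


def scan_extensions(extensions_dir):
    """Audit every <extension id>/<version>/manifest.json under the folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            findings = audit_manifest(manifest)
        except (OSError, ValueError, AttributeError):
            findings = ["manifest unreadable"]
        if findings:
            report[path.parts[-3]] = findings  # keyed by extension id
    return report


# Constructed sample: a "calculator" that asks for far more than it needs.
SAMPLE_CALCULATOR = {
    "name": "Simple Calculator", "manifest_version": 3,
    "permissions": ["history", "clipboardWrite", "storage"],
    "host_permissions": ["<all_urls>"],
}
# Constructed sample: a note-taking extension that only stores its own data.
SAMPLE_NOTES = {"name": "Notes", "manifest_version": 3, "permissions": ["storage"]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_CALCULATOR))
    print(audit_manifest(SAMPLE_NOTES))
```

A finding is a prompt to compare the permission with the extension's stated purpose, not proof of malice: many legitimate extensions need broad host access.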
Keep Your Browser and Extensions Up to Date
Keeping your browser and extensions up to date is crucial for security. Updates often include security patches that fix vulnerabilities that could be exploited by malicious actors. Make sure you have automatic updates enabled in your browser settings.
Use a Reputable Antivirus Software
Reputable antivirus software can help protect you from malware, including malicious Chrome extensions. Make sure your antivirus software is up to date and that it is actively scanning your computer for threats.
Be Wary of Phishing Attacks
Phishing attacks are a common way for attackers to steal your credentials and private keys. Be wary of emails, messages, or websites that ask you to provide your sensitive information. Always double-check the URL of a website before entering your login credentials, and never click on links from untrusted sources.
Consider Using a Hardware Wallet
A hardware wallet is a physical device that stores your private keys offline. This makes it much more difficult for attackers to steal your keys, even if your computer is infected with malware. Hardware wallets are generally considered to be the most secure way to store your cryptocurrency.
Frequently Asked Questions (FAQs)
Here are some frequently asked questions about crypto-stealing Chrome extensions:
What are the signs that my Chrome extension has been compromised?
Some signs include unexpected pop-up ads, unusual browser behavior, unauthorized transactions from your crypto wallet, or warnings from your antivirus software.
What should I do if I suspect I have installed a malicious extension?
Immediately remove the extension, run a full scan with your antivirus software, and change your passwords for all your cryptocurrency wallets and other sensitive accounts.
Can I get my stolen cryptocurrency back?
Unfortunately, it is often difficult to recover stolen cryptocurrency. However, you should report the theft to the authorities and to the cryptocurrency exchange or wallet provider. They may be able to assist you in recovering your funds.
Are all Chrome extensions potentially dangerous?
No, most Chrome extensions are safe and legitimate. However, it is important to be vigilant and carefully examine each extension before installing it.
Where can I report a suspicious Chrome extension?
You can report a suspicious Chrome extension through the Chrome Web Store. Simply find the extension in the store and click the "Report abuse" link.
The Future of Browser Security
The discovery of these 22 new crypto-stealing Chrome extensions highlights the ongoing need for improved browser security. As attackers become more sophisticated, it is essential for both Google and users to stay vigilant and adopt proactive security measures. The future of browser security will likely involve:
- More advanced threat detection techniques.
- Increased collaboration between security researchers and browser developers.
- Greater user awareness and education.
- The development of more secure extension platforms.
Conclusion: Staying Ahead of the Curve
The discovery of 22 more crypto-stealing Google Chrome extensions serves as a stark reminder of the persistent threats lurking in the digital world. While Google is actively working to combat these threats, the ultimate responsibility for protecting your cryptocurrency lies with you. By being vigilant when installing extensions, using strong passwords and enabling 2FA, regularly reviewing your installed extensions, and staying informed about the latest security threats, you can significantly reduce your risk of becoming a victim. Remember, proactive security measures are the key to staying ahead of the curve and keeping your crypto assets safe. Don't wait until it's too late – take action today to protect yourself from malicious Chrome extensions and other online threats. Make sure to review your extensions *now* and take a moment to double-check your wallet security!