Key Takeaways

• The Buy-and-Infect Model: Hackers specifically target popular, free extensions with established user bases to minimize suspicion during the update process.
• Automated Bypass: Malware authors use stagers — innocuous code that fetches malicious payloads from external servers days or weeks after installation — to bypass store moderation.
• The Manifest Manipulation: Attackers modify the manifest.json file to expand permission scope, effectively granting themselves the ability to read or change all data on sites you visit.
• Proactive Defense: You must adopt a least-privilege mindset by auditing permissions, restricting site access, and removing extensions you do not actively use.

What Are Browser Extension Security Risks?

Browser extension security risks are vulnerabilities that occur when an add-on, initially created for productivity or utility, is weaponized to perform unauthorized actions like credential theft, session hijacking, or malware distribution. Because browser extensions operate within the browser’s memory and have access to the Document Object Model (DOM) of your active tabs, they occupy a privileged position that few other applications possess.

When an extension goes rogue, it essentially becomes a Trojan Horse. You believe you are using a tool to block ads, format PDFs, or manage passwords, but that same tool is silently capturing your keystrokes, injecting malicious scripts, or exfiltrating your browser cookies to an attacker’s command-and-control (C2) server.

How Do Cybercriminals Use Buy-and-Infect Attacks?

Cybercriminals execute buy-and-infect attacks by targeting independent developers who are exhausted by the maintenance of popular, free extensions. When a developer receives a lucrative offer to sell their project, they often accept without vetting the buyer, unaware that the purchaser is a shell company acting on behalf of malicious actors.

Once the ownership transfer is complete, the trap is set. Because browsers like Chrome and Edge are designed to keep users secure through automatic background updates, the new owner can push a minor update to every user simultaneously. The user sees no red flags, receives no new permission prompts, and remains entirely unaware that the extension’s internal DNA has been rewritten to facilitate an attack.

Why Does Automated Store Moderation Fail to Stop Malicious Extensions?

Automated store moderation fails to stop malicious extensions because it relies heavily on static analysis — scanning the code for known malware signatures at the moment of submission. Malware authors circumvent this by writing stagers, which are tiny, clean-looking pieces of code that do nothing during the initial review process.

After the extension is approved and installed on thousands of machines, the stager then fetches the actual malicious payload from an external, attacker-controlled domain. By delaying the malicious behavior for days or even weeks after the update, attackers effectively bypass the initial automated review.

What Is the Technical Anatomy of an Extension Hijack?

The technical anatomy of an extension hijack centers on the manifest.json file, the fundamental blueprint that defines what an extension is allowed to do. When an extension is hijacked, the new developer modifies this file to request elevated permissions, such as the ability to “Read and change all your data on the websites you visit.”

This permission allows the extension to monitor every interaction you have with your web apps, banking sites, and crypto wallets. The extension can then inject JavaScript to scrape sensitive form data, steal session tokens, or even alter the transaction destination for crypto transfers — all while appearing perfectly normal to the end user.

How Can You Protect Your Browser from Rogue Extensions?

To protect your browser from rogue extensions, you must strictly practice the principle of least privilege. This means assuming that any third-party code you install is a potential liability and taking active steps to minimize the blast radius if an extension becomes compromised.

Follow These 4 Steps to Secure Your Browser:

1. Ruthless Auditing: Navigate to chrome://extensions/ (or the equivalent in your browser) and delete every single extension you do not use daily.
2. Restrict Site Access: Right-click on your essential extensions and change their Site access to On click rather than On all sites. This ensures the extension only runs when you explicitly authorize it.
3. Watch for “Permission Creep”: If a simple utility suddenly requests a new, invasive permission, uninstall it immediately. Never click Allow blindly.
4. Use Official Versions: Stick to extensions provided by verified companies or reputable, well-funded open-source projects with high community scrutiny.

Frequently Asked Questions (FAQs)

Q: Can I trust extensions with millions of users?

A: High user counts are not a guarantee of safety. Attackers actively look for high-install-count extensions to acquire because they provide instant access to a massive, trusted user base. Always check if the extension’s ownership has recently changed.

Q: Does Incognito Mode protect me from malicious extensions?

A: Not necessarily. Depending on your browser settings, extensions may still be enabled in Incognito/Private mode. You must manually verify in your extension settings that Allow in Incognito is disabled for all extensions unless absolutely required.

Q: How do I know if my browser extension has been hijacked?

A: Indicators include sudden browser slowdowns, unexpected redirects to phishing pages, or pop-up ads appearing on websites that shouldn’t have them. If your extension starts asking for new permissions, uninstall it immediately and run a security scan.

Conclusion & Next Steps

Browser extensions are a double-edged sword. While they offer incredible utility, they also provide a direct pathway for threat actors to bypass network security and execute code on your personal device. Trust is temporary; an extension that is safe today can easily become a weapon tomorrow with a single malicious update. Vigilance is your only true line of defense.

If your organization is concerned about browser-based threats, brand impersonation, or supply chain attacks, you need visibility that extends beyond your corporate perimeter.

Protect your brand and digital assets with our comprehensive Digital Risk Protection solutions today.

PhishFort has recently launched Nighthawk: an extension monitoring and takedown service as part of our comprehensive phishing protection suite which includes social media, websites, domains, mobile applications, and takedowns. This was borne out of research conducted alongside MyCrypto into the phishing attacks delivered over Chrome browser extensions, including Chrome extension phishing.

Motivation and Purpose for Nighthawk

We keep an eye on the type of attacks that come to cryptocurrency users on a daily basis and often write about our findings to help educate the community. We’ve seen various types of attacks on users, ranging from simple trust-trading scams to SIM hijacking to compromising and stealing funds from exchange accounts.

An example of a malicious extension being delivered via Google Ads

Recently, we’ve come across big campaigns pushing fake browser extensions to users and targeting well-known brands via Google Ads and other channels. Whilst this is not a new attack vector — and we’ve written about malicious browser extensions before — the brands targeted are new.

These attacks highlight the increasing importance of awareness regarding Chrome extension phishing among users.

The goals of the research are:

• Educate “everyday-users” on what the different attack vectors are
• Report on big campaigns to make people aware
• Give “everyday-users” real-life examples of attacks so they are more likely to enforce security controls on their assets
• Help shut down scam campaign infrastructure
• Gather intelligence to feed into custom tools to help detection before victims are made

Overview

We have found a range of extensions targeting brands and cryptocurrency users. Whilst the extensions all function the same, the branding is different depending on the user they are targeting. Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.

We’ve identified 14 unique C2s (also known as a command & control server that continues to communicate with your compromised system) but by using fingerprinting analysis, we can link specific C2s to each other to conclude which of the phishing kits have the same bad actor(s) behind them. Some kits sent the phished data back to a Google Docs form. However, most hosted their own backend with custom PHP scripts. The C2s identified are:

• analytics-server296[.]xyz
• coinomibeta[.]online
• completssl[.]com
• cxext[.]org
• ledger[.]productions
• ledgerwallet[.]xyz
• mecxanalytic[.]co
• networkforworking[.]com
• trxsecuredapi[.]co
• usermetrica[.]org
• walletbalance[.]org
• ledgers[.]tech
• vh368451[.]eurodir[.]ru
• xrpclaim[.]net

Whilst some of the domains are relatively old, 80% of the C2s were registered in March and April 2020 (an even split). The oldest domain (ledger.productions) has the most “connections” to other C2s in terms of fingerprints, so we have some indication of the same backend kit (or same actors behind this) for the majority of the extensions.

We’ve also inspected some of the other C2s for common log files, and whilst most of them did not have them available on the web root, some issuing 403’s, there was one that belonged to trxsecuredapi.co that gave some small insight (if we take it all at face value):

• The server used for this C2 is trxsqdmn
• The admin email follows this mask: “b — 0@r — r.ru” — potentially indicating Russia-based actors
• The first log was 29-Mar-2020 10:43:14 America/New_York
• The C2 hosts files other than those to collect the phished secrets

Below is a video of how a malicious extension targeting MyEtherWallet users works. It looks the same as your typical MyEtherWallet experience until you type in your secrets. After you’ve submitted them, the malicious application sends your secrets back to the server controlled by the bad actor(s) before sending you back to the default view, and then does nothing, resulting in either:

• A user getting frustrated and submitting secrets again (maybe even different ones)
• A user uninstalling the extension and forgetting about the ramifications of typing their secrets until their wallet is drained of funds — which most likely will be after the extension is removed from the store so they cannot investigate where their security hole was.

Some of the extensions have had a network of fake users rate the app with 5 stars and give positive feedback on the extension to entice a user to download it. Most of the positive feedback by bad actors were low quality, such as “good,” “helpful app,” or “legit extension.” One extension did stand out by having the same “copypasta” around 8 times, authored by different users, sharing an introduction into what Bitcoin is and explaining why the [malicious] MyEtherWallet was their preferred browser extension (Note: MEW doesn’t support Bitcoin).

There was also a network of vigilant users who wrote legitimate reviews about the extensions being malicious — however, it is hard to say if they were victims of the phishing scams themselves, or just helping the community to not download.

A collage of reviews on various malicious extensions

Google Webstore has a report section and we’ve had the extensions removed within 24 hours.

An analysis from our dataset suggests the malicious extensions started to hit the store slowly in February 2020, increased releases through March 2020, and then rapidly released more extensions in April 2020.

• February 2020: 2.04% were published in this month from our dataset
• March 2020: 34.69% were published in this month from our dataset
• April 2020: 63.26% were published in this month from our dataset

This means that either our detection is getting much better, or that the number of malicious extensions hitting browser stores to target cryptocurrency users is growing exponentially.

An analysis from our dataset suggests Ledger is the most targeted brand — without speculating, it’s hard to say why. Ledger accounted for 57% of the attacks that were discovered.

Where did the stolen funds go?

We’ve sent funds to a few addresses and submitted the secrets to the malicious extensions. However, they were not automatically swept. This could be for a couple of reasons:

• The bad actors are only interested in high-value accounts
• The bad actors have to manually sweep accounts

Even though our addresses weren’t swept, there have been public reports from users about losing funds to malicious browser extensions:

• Google Chrome Support Thread: Extension stole funds

If you suspect you have become a victim of a malicious browser extension, please report it to PhishFort .

How can I stay safe?

Whilst there are many different attack vectors for everyday cryptocurrency users that are not limited to malicious browser extensions, the following will be addressing only the malicious browser extensions.

I am an everyday user of cryptocurrency.

• Familiarize yourself with what permissions each of your browser extensions have by going to chrome://extensions/ and clicking on the “Details” tab for each extension.
• Understand the risks associated with each permission.
• Consider removing the extension if it has permissions that you feel are out of scope of the extension use.
• Limit extensions to only execute on certain domains or when you click the extension icon in the top right corner of your browser.
• READ: A fake anti-cryptominer targeting MyEtherWallet[.]com and Blockchain[.]com domains — https://medium.com/mycrypto/hunting-huobi-scams-662256d76720
• READ: A fake cashback extension targeting popular cryptocurrency exchanges — https://medium.com/mycrypto/the-dangers-of-malicious-browser-extensions-ef9c10f0128f
• Consider creating a separate browser user that you use solely for cryptocurrency data — this will limit any attack surface scope, and a separation of concerns (personal and cryptocurrency profiles), increasing the privacy related to your cryptocurrency profile.

I am a team/company providing a solution to everyday users.

• Consider monitoring the browser extension stores if your product meets the criteria we’ve seen targeted — by using either in-house monitoring or partnering with a third-party that will investigate and take down these extensions on your behalf. PhishFort offer this service. If you think we can assist you, please reach out to us.
• Remind and enforce users to stay safe with their secrets.
• Deprecate the use of raw secrets (mnemonic phrases, keystore files, private keys) with your product and promote other signing mechanisms.
• Create a public list of all your products and links so users have a reliable source of trusted information.

IOCS

Extension IDs:

afephhbbcdlgdehhddfnehfndnkfbgnm, agfjbfkpehcnceblmdahjaejpnnnkjdn, ahikdohkiedoomaklnohgdnmfcmbabcn, ahlfiinafajfmciaajgophipcfholmeh, akglkgdiggmkilkhejagginkngocbpbj, anihmmejabpaocacmeodiapbhpholaom, bhkcgfbaokmhglgipbppoobmoblcomhh, bkanfnnhokogflpnhnbfjdhbjdlgncdi, bpfdhglfmfepjhgnhnmclbfiknjnfblb, bpklfenmjhcjlocdicfadpfppcgojfjp, ckelhijilmmlmnaljmjpigfopkmfkoeh, dbcfhcelmjepboabieglhjejeolaopdl, dbcfokmgampdedgcefjahloodbgakkpl, ddohdfnenhipnhnbbfifknnhaomihcip, dehindejipifeaikcgbkdijgkbjliojc, dkhcmjfipgoapjamnngolidbcakpdhgf, effhjobodhmkbgfpgcdabfnjlnphakhb, egpnofbhgafhbkapdhedimohmainbiio, ehlgimmlmmcocemjadeafmohiplmgmei, epphnioigompfjaknnaokghgcncnjfbe, gbbpilgcdcmfppjkdociebhmcnbfbmod, glmbceclkhkaebcadgmbcjihllcnpmjh, gpffceikmehgifkjjginoibpceadefih, idnelecdpebmbpnmambnpcjogingdfco, ifceimlckdanenfkfoomccpcpemphlbg, ifmkfoeijeemajoodjfoagpbejmmnkhm, igkljanmhbnhedgkmgpkcgpjmociceim, ijhakgidfnlallpobldpbhandllbeobg, ijohicfhndicpnmkaldafhbecijhdikd, jbfponbaiamgjmfpfghcjjhddjdjdpna, jfamimfejiccpbnghhjfcibhkgblmiml, jlaaidmjgpgfkhehcljmeckhlaibgaol, kjnmimfgphmcppjhombdhhegpjphpiol, lfaahmcgahoalphllknbfcckggddoffj, mcbcknmlpfkbpogpnfcimfgdmchchmmg, mciddpldhpdpibckghnaoidpolnmighk, mjbimaghobnkobfefccnnnjedoefbafl, mnbhnjecaofgddbldmppbbdlokappkgk, nicmhgecboifljcnbbjlajbpagmhcclp, njhfmnfcoffkdjbgpannpgifnbgdihkl, noilkpnilphojpjaimfcnldblelgllaa, obcfoaeoidokjbaokikamaljjlpebofe, oejafikjmfmejaafjjkoeejjpdfkdkpc, ogaclpidpghafcnbchgpbigfegdbdikj, opmelhjohnmenjibglddlpmbpbocohck, pbilbjpkfbfbackdcejdmhdfgeldakkn, pcmdfnnipgpilomfclbnjpbdnmbcgjaf, pedokobimilhjemibclahcelgedmkgei, plnlhldekkpgnngfdbdhocnjfplgnekg

C2s:

hxxp://ledgerwallet[.]xyz/api.php, hxxps://v1[.]ledgers[.]tech, hxxps://coinomibeta[.]online/post/connexion.php, hxxps://completssl[.]com/functions.php, hxxps://completssl[.]com/ssnd_1.php, hxxps://completssl[.]com/ssnd_el.php, hxxps://completssl[.]com/ssnd_ex.php, hxxps://completssl[.]com/ssnd_t.php, hxxps://cxext[.]org/6721e14f0257a64f1f0a9114197d59ba/, hxxps://docs[.]google[.]com/forms/d/1PXmiKeuYFdNS8D1q5yU1Cb7_9TwZQMbMCTl2PfSYhLI/formResponse, hxxps://docs[.]google[.]com/forms/d/e/1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ/formResponse, hxxps://docs[.]google[.]com/forms/d/e/1FAIpQLScuQg9Rpct1ahMotYT12xBAt3MmcubQg-duV1a0BZ_vo1Tj4g/formResponse, hxxps://ledger[.]productions/api_v1/, hxxps://mecxanalytic[.]co/api_keystore.php, hxxps://mecxanalytic[.]co/api_mnemonic.php, hxxps://mecxanalytic[.]co/api_private.php, hxxps://trxsecuredapi[.]co/api_ledger.php, hxxps://usermetrica[.]org/api_v1/, hxxp://vh368451[.]eurodir[.]ru/api/v1/, hxxps://walletbalance[.]org/api_v1/, ws://analytics-server296[.]xyz:4367

Chrome extensions are increasingly vulnerable to credential harvesting phishing and executive impersonation attacks. PhishFort offers essential services to detect and take down phishing websites, fraudulent mobile apps, and fake social media profiles that compromise users’ trust. By identifying these malicious extensions and eliminating threats, PhishFort upholds business and customer security, protecting brands from the reputation-damaging impact of compromised Chrome extensions. Learn more about common phishing tactics on social media in Most Common Social Media Phishing Attacks , and How Cybercriminals Exploit Trust on Social Media Platforms , or read about hidden attack vectors in 12 Common Attack Vectors That You Probably Didn’t Know .

A big thank you to Harry Denley who contributed significant time and work to putting this research together.