PhishFort has recently launched Nighthawk: an extension monitoring and takedown service as part of our comprehensive phishing protection suite which includes social media, websites, domains, mobile applications, and takedowns. This was borne out of research conducted alongside MyCrypto into the phishing attacks delivered over Chrome browser extensions, including Chrome extension phishing.

Motivation and Purpose for Nighthawk

We keep an eye on the type of attacks that come to cryptocurrency users on a daily basis and often write about our findings to help educate the community. We’ve seen various types of attacks on users, ranging from simple trust-trading scams to SIM hijacking to compromising and stealing funds from exchange accounts.

An example of a malicious extension being delivered via Google Ads

Recently, we’ve come across big campaigns pushing fake browser extensions to users and targeting well-known brands via Google Ads and other channels. Whilst this is not a new attack vector — and we’ve written about malicious browser extensions before — the brands targeted are new.

These attacks highlight the increasing importance of awareness regarding Chrome extension phishing among users.

The goals of the research are:

• Educate “everyday-users” on what the different attack vectors are
• Report on big campaigns to make people aware
• Give “everyday-users” real-life examples of attacks so they are more likely to enforce security controls on their assets
• Help shut down scam campaign infrastructure
• Gather intelligence to feed into custom tools to help detection before victims are made

Overview

We have found a range of extensions targeting brands and cryptocurrency users. Whilst the extensions all function the same, the branding is different depending on the user they are targeting. Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.

We’ve identified 14 unique C2s (also known as a command & control server that continues to communicate with your compromised system) but by using fingerprinting analysis, we can link specific C2s to each other to conclude which of the phishing kits have the same bad actor(s) behind them. Some kits sent the phished data back to a Google Docs form. However, most hosted their own backend with custom PHP scripts. The C2s identified are:

• analytics-server296[.]xyz
• coinomibeta[.]online
• completssl[.]com
• cxext[.]org
• ledger[.]productions
• ledgerwallet[.]xyz
• mecxanalytic[.]co
• networkforworking[.]com
• trxsecuredapi[.]co
• usermetrica[.]org
• walletbalance[.]org
• ledgers[.]tech
• vh368451[.]eurodir[.]ru
• xrpclaim[.]net

Whilst some of the domains are relatively old, 80% of the C2s were registered in March and April 2020 (an even split). The oldest domain (ledger.productions) has the most “connections” to other C2s in terms of fingerprints, so we have some indication of the same backend kit (or same actors behind this) for the majority of the extensions.

We’ve also inspected some of the other C2s for common log files, and whilst most of them did not have them available on the web root, some issuing 403’s, there was one that belonged to trxsecuredapi.co that gave some small insight (if we take it all at face value):

• The server used for this C2 is trxsqdmn
• The admin email follows this mask: “b — 0@r — r.ru” — potentially indicating Russia-based actors
• The first log was 29-Mar-2020 10:43:14 America/New_York
• The C2 hosts files other than those to collect the phished secrets

Below is a video of how a malicious extension targeting MyEtherWallet users works. It looks the same as your typical MyEtherWallet experience until you type in your secrets. After you’ve submitted them, the malicious application sends your secrets back to the server controlled by the bad actor(s) before sending you back to the default view, and then does nothing, resulting in either:

• A user getting frustrated and submitting secrets again (maybe even different ones)
• A user uninstalling the extension and forgetting about the ramifications of typing their secrets until their wallet is drained of funds — which most likely will be after the extension is removed from the store so they cannot investigate where their security hole was.

Some of the extensions have had a network of fake users rate the app with 5 stars and give positive feedback on the extension to entice a user to download it. Most of the positive feedback by bad actors were low quality, such as “good,” “helpful app,” or “legit extension.” One extension did stand out by having the same “copypasta” around 8 times, authored by different users, sharing an introduction into what Bitcoin is and explaining why the [malicious] MyEtherWallet was their preferred browser extension (Note: MEW doesn’t support Bitcoin).

There was also a network of vigilant users who wrote legitimate reviews about the extensions being malicious — however, it is hard to say if they were victims of the phishing scams themselves, or just helping the community to not download.

A collage of reviews on various malicious extensions

Google Webstore has a report section and we’ve had the extensions removed within 24 hours.

An analysis from our dataset suggests the malicious extensions started to hit the store slowly in February 2020, increased releases through March 2020, and then rapidly released more extensions in April 2020.

• February 2020: 2.04% were published in this month from our dataset
• March 2020: 34.69% were published in this month from our dataset
• April 2020: 63.26% were published in this month from our dataset

This means that either our detection is getting much better, or that the number of malicious extensions hitting browser stores to target cryptocurrency users is growing exponentially.

An analysis from our dataset suggests Ledger is the most targeted brand — without speculating, it’s hard to say why. Ledger accounted for 57% of the attacks that were discovered.

Where did the stolen funds go?

We’ve sent funds to a few addresses and submitted the secrets to the malicious extensions. However, they were not automatically swept. This could be for a couple of reasons:

• The bad actors are only interested in high-value accounts
• The bad actors have to manually sweep accounts

Even though our addresses weren’t swept, there have been public reports from users about losing funds to malicious browser extensions:

• Google Chrome Support Thread: Extension stole funds

If you suspect you have become a victim of a malicious browser extension, please report it to PhishFort .

How can I stay safe?

Whilst there are many different attack vectors for everyday cryptocurrency users that are not limited to malicious browser extensions, the following will be addressing only the malicious browser extensions.

I am an everyday user of cryptocurrency.

• Familiarize yourself with what permissions each of your browser extensions have by going to chrome://extensions/ and clicking on the “Details” tab for each extension.
• Understand the risks associated with each permission.
• Consider removing the extension if it has permissions that you feel are out of scope of the extension use.
• Limit extensions to only execute on certain domains or when you click the extension icon in the top right corner of your browser.
• READ: A fake anti-cryptominer targeting MyEtherWallet[.]com and Blockchain[.]com domains — https://medium.com/mycrypto/hunting-huobi-scams-662256d76720
• READ: A fake cashback extension targeting popular cryptocurrency exchanges — https://medium.com/mycrypto/the-dangers-of-malicious-browser-extensions-ef9c10f0128f
• Consider creating a separate browser user that you use solely for cryptocurrency data — this will limit any attack surface scope, and a separation of concerns (personal and cryptocurrency profiles), increasing the privacy related to your cryptocurrency profile.

I am a team/company providing a solution to everyday users.

• Consider monitoring the browser extension stores if your product meets the criteria we’ve seen targeted — by using either in-house monitoring or partnering with a third-party that will investigate and take down these extensions on your behalf. PhishFort offer this service. If you think we can assist you, please reach out to us.
• Remind and enforce users to stay safe with their secrets.
• Deprecate the use of raw secrets (mnemonic phrases, keystore files, private keys) with your product and promote other signing mechanisms.
• Create a public list of all your products and links so users have a reliable source of trusted information.

IOCS

Extension IDs:

afephhbbcdlgdehhddfnehfndnkfbgnm, agfjbfkpehcnceblmdahjaejpnnnkjdn, ahikdohkiedoomaklnohgdnmfcmbabcn, ahlfiinafajfmciaajgophipcfholmeh, akglkgdiggmkilkhejagginkngocbpbj, anihmmejabpaocacmeodiapbhpholaom, bhkcgfbaokmhglgipbppoobmoblcomhh, bkanfnnhokogflpnhnbfjdhbjdlgncdi, bpfdhglfmfepjhgnhnmclbfiknjnfblb, bpklfenmjhcjlocdicfadpfppcgojfjp, ckelhijilmmlmnaljmjpigfopkmfkoeh, dbcfhcelmjepboabieglhjejeolaopdl, dbcfokmgampdedgcefjahloodbgakkpl, ddohdfnenhipnhnbbfifknnhaomihcip, dehindejipifeaikcgbkdijgkbjliojc, dkhcmjfipgoapjamnngolidbcakpdhgf, effhjobodhmkbgfpgcdabfnjlnphakhb, egpnofbhgafhbkapdhedimohmainbiio, ehlgimmlmmcocemjadeafmohiplmgmei, epphnioigompfjaknnaokghgcncnjfbe, gbbpilgcdcmfppjkdociebhmcnbfbmod, glmbceclkhkaebcadgmbcjihllcnpmjh, gpffceikmehgifkjjginoibpceadefih, idnelecdpebmbpnmambnpcjogingdfco, ifceimlckdanenfkfoomccpcpemphlbg, ifmkfoeijeemajoodjfoagpbejmmnkhm, igkljanmhbnhedgkmgpkcgpjmociceim, ijhakgidfnlallpobldpbhandllbeobg, ijohicfhndicpnmkaldafhbecijhdikd, jbfponbaiamgjmfpfghcjjhddjdjdpna, jfamimfejiccpbnghhjfcibhkgblmiml, jlaaidmjgpgfkhehcljmeckhlaibgaol, kjnmimfgphmcppjhombdhhegpjphpiol, lfaahmcgahoalphllknbfcckggddoffj, mcbcknmlpfkbpogpnfcimfgdmchchmmg, mciddpldhpdpibckghnaoidpolnmighk, mjbimaghobnkobfefccnnnjedoefbafl, mnbhnjecaofgddbldmppbbdlokappkgk, nicmhgecboifljcnbbjlajbpagmhcclp, njhfmnfcoffkdjbgpannpgifnbgdihkl, noilkpnilphojpjaimfcnldblelgllaa, obcfoaeoidokjbaokikamaljjlpebofe, oejafikjmfmejaafjjkoeejjpdfkdkpc, ogaclpidpghafcnbchgpbigfegdbdikj, opmelhjohnmenjibglddlpmbpbocohck, pbilbjpkfbfbackdcejdmhdfgeldakkn, pcmdfnnipgpilomfclbnjpbdnmbcgjaf, pedokobimilhjemibclahcelgedmkgei, plnlhldekkpgnngfdbdhocnjfplgnekg

C2s:

hxxp://ledgerwallet[.]xyz/api.php, hxxps://v1[.]ledgers[.]tech, hxxps://coinomibeta[.]online/post/connexion.php, hxxps://completssl[.]com/functions.php, hxxps://completssl[.]com/ssnd_1.php, hxxps://completssl[.]com/ssnd_el.php, hxxps://completssl[.]com/ssnd_ex.php, hxxps://completssl[.]com/ssnd_t.php, hxxps://cxext[.]org/6721e14f0257a64f1f0a9114197d59ba/, hxxps://docs[.]google[.]com/forms/d/1PXmiKeuYFdNS8D1q5yU1Cb7_9TwZQMbMCTl2PfSYhLI/formResponse, hxxps://docs[.]google[.]com/forms/d/e/1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ/formResponse, hxxps://docs[.]google[.]com/forms/d/e/1FAIpQLScuQg9Rpct1ahMotYT12xBAt3MmcubQg-duV1a0BZ_vo1Tj4g/formResponse, hxxps://ledger[.]productions/api_v1/, hxxps://mecxanalytic[.]co/api_keystore.php, hxxps://mecxanalytic[.]co/api_mnemonic.php, hxxps://mecxanalytic[.]co/api_private.php, hxxps://trxsecuredapi[.]co/api_ledger.php, hxxps://usermetrica[.]org/api_v1/, hxxp://vh368451[.]eurodir[.]ru/api/v1/, hxxps://walletbalance[.]org/api_v1/, ws://analytics-server296[.]xyz:4367

Chrome extensions are increasingly vulnerable to credential harvesting phishing and executive impersonation attacks. PhishFort offers essential services to detect and take down phishing websites, fraudulent mobile apps, and fake social media profiles that compromise users’ trust. By identifying these malicious extensions and eliminating threats, PhishFort upholds business and customer security, protecting brands from the reputation-damaging impact of compromised Chrome extensions. Learn more about common phishing tactics on social media in Most Common Social Media Phishing Attacks , and How Cybercriminals Exploit Trust on Social Media Platforms , or read about hidden attack vectors in 12 Common Attack Vectors That You Probably Didn’t Know .

A big thank you to Harry Denley who contributed significant time and work to putting this research together.

Phishing attacks as emails often impersonate trusted organizations like banks or cryptocurrency exchanges. These emails can range from poorly written scams to near-perfect replicas of legitimate communications.

Be cautious with any unexpected email that asks you to log in or transfer crypto. Genuine financial institutions rarely send emails demanding urgent action. Always check the sender’s email address carefully and watch for subtle misspellings (like noreply@citiibank.com instead of noreply@citibank.com).

Tip: Never share passwords or recovery phrases through email. No legitimate service will ask for this information.

2. Don’t Click Suspicious Links

Avoid clicking links in emails whenever possible. Instead of following a link to your exchange or wallet provider, manually type the URL into your browser or use a saved bookmark. This small step eliminates one of the most common phishing entry points.

If you must click a link, hover over it first to inspect the real URL. Watch for misspellings, unfamiliar domains, or hidden redirects.

3. Know Your Sites

Phishing websites often mimic real crypto exchanges to steal your login credentials. They might even use HTTPS (the padlock icon), which only means the connection is encrypted — not that the site is safe.

Always check the domain name carefully. For example:

Fake sites often use subdomains, typos (bitrrex.com), or alternative domain endings (bittrex.cash) to trick users.

Tip: Bookmark legitimate URLs of your crypto services to avoid typing mistakes or following malicious links.

This fake site will be hosted on a domain set up to resemble that of the legitimate site, but the sophistication of this varies. The fake site will most likely also be configured to use HTTPS, i.e. the green padlock. HTTPS on its own is not a signifier that a site is trusted — it just means that your connection to the site is encrypted and can’t be intercepted.

So you can catch out some phishing sites, such as the one in the screenshot above, by checking the domain name in the URL. Bittrex’s legitimate domain is bittrex.com, whereas this phishing site is hosted at bittrex.asset2fa-exchange.com. It’s easy to see how the latter could be mistaken for the former, but a bit of careful inspection shows the trick. Some browsers even help you determine whether you’re on this kind of phishing site or not by graying out secondary parts of the URL.

hxxps://bittrex[.]asset2fa-exchange[.]com/bittrex-login

https://bittrex.com/account/login

But before we get too comfortable with our ability to determine phishing from a quick glance at the URL bar, let’s remember that this is a low effort, low sophistication attack — our attacker didn’t even buy a new domain to target Bittrex users with, they just used a subdomain of something else!

An unintended consequence of the generic top-level domain expansion that began in 2013 is that phishers now have many more choices when registering fake domains. Want to phish users of Poloniex.com? Why not register Poloniex.online, or Poloniex.website, or Poloniex.xyz? There are hundreds of options to choose from. And while domain registrars do have dispute processes, and larger corporations with deeper pockets (such as Google) make an effort to buy up all or most alternative domains on these gTLDs, phishing sites can slip through the cracks for long enough to cause some damage.

Luckily, the generic TLD is an important part of the URL and will be displayed as such by most browsers. If you know the legitimate gTLD of a given site, you should be able to spot fakes pretty easily.

https://bittrex.com/account/login

hxxps://bittrex[.]cash/account/login

This was also possible to a lesser extent before the release of these new TLDs — for example, a phisher could register bittrex.org.

An alternative to using a different gTLD is the practice of typo-squatting — buying up domains one or two letters off from popular websites: for example, facbook.com or gooogle.com. What if our attacker had done this with Bittrex?

https://bittrex.com/account/login

https://bitrrex.com/account/login

These two URLs look remarkably similar, but you’re probably still able to tell which is the real one because you have them side-by-side for comparison, and because you’ve just read a paragraph about typo-squatting and are primed to notice it. But you won’t always be in such a heightened state of vigilance. Consider the image below:

Noticed what’s wrong with it yet? Probably not, right? Here’s what you missed: in each of the triangles, the last word on the second line is repeated at the beginning of the third. “Once upon a a time”, “John loves to to dance”, “Summer in in the city”.

It is incredibly easy to miss simple typos and repeated letters or words in common words, sentences, and, yes, domain names that we look at all the time.

4. Watch Out for IDN Homograph Attacks

Advanced phishing attacks replace characters in domain names with lookalikes from other alphabets (like Cyrillic). For example, myеthеrwаllеt.com may look identical to myetherwallet.com but leads to a malicious page.

Your browser might not always detect these fake domains. Use security extensions or plugins that can identify deceptive URLs.

5. Use PhishFort Nighthawk

PhishFort’s Nighthawk browser extension , available for Chrome and Firefox, is designed to spot phishing attacks instantly. It displays:

• Blue for trusted sites

• Red for known phishing sites

• Grey for unknown ones

It also allows you to report suspicious domains, helping to protect the entire crypto community. Learn more at PhishFort Nighthawk .

6. Recognize Common Crypto Scams

Phishing isn’t limited to email — it also happens across social media, fake apps, and fraudulent ICOs. Some common scams include:

• Fake ICOs: Impersonating real projects to collect investor funds.

• Giveaway scams: Asking you to send crypto in exchange for “double your money” rewards.

• Social media impersonations: Fake influencer accounts promising returns.

If it sounds too good to be true — even in crypto — it probably is. Always verify projects through official websites and trusted communities.

7. Stay Vigilant Beyond Email

Phishing can appear anywhere online — Discord groups, Telegram chats, or X (Twitter). Stay alert, especially when interacting with new contacts, promotions, or investment “opportunities.”

When in doubt, contact the organization directly through verified channels before acting.

8. Protect Your Wallets

For crypto investors, one mistake can be irreversible. If funds leave your wallet in a phishing attack, there’s no way to recover them. Use hardware wallets when possible, and keep your seed phrases offline and secure.

9. Keep Learning

Cybercriminals evolve constantly. Stay informed by reading trustworthy cybersecurity sources like PhishFort’s blog and other reputable industry updates.

10. Take a Proactive Stand

Knowledge and vigilance are your best defences. Combine awareness with tools like PhishFort Nighthawk to protect your assets — and help build a safer crypto ecosystem.

Outbound Reference: You can learn more about identifying phishing and scam sites at Google Safety Center.