22 MORE CRYPTO-STEALING GOOGLE CHROME EXTENSIONS DISCOVERED

Last updated: October 24, 2025, 15:51 | Written by: Jarek Molsen

The seemingly endless battle against malicious browser extensions continues as another wave of crypto-stealing Google Chrome extensions has been discovered. Imagine thinking your crypto assets are safe, only to find out that a seemingly harmless browser extension has been silently siphoning them away. Security researcher Harry Denley, a cybersecurity expert specializing in cryptocurrencies, uncovered a staggering 22 new extensions designed solely to steal users' cryptocurrencies, as reported by Naked Security. As Cointelegraph reported in mid-April, Google removed 49 phishing Chrome web browser extensions after reports of malicious activity. This discovery highlights the persistent threat posed by malicious actors exploiting the Chrome Web Store to distribute malware. These extensions often masquerade as legitimate tools or utilities, making it difficult for the average user to distinguish them from the real deal. The implications are severe, potentially leading to significant financial losses for unsuspecting victims.
Naked Security reported the discovery on May 8. This article delves into the details of this latest threat, exploring how these extensions operate, which wallets are targeted, and most importantly, what you can do to protect yourself from becoming the next victim. Stay vigilant – your crypto could depend on it!

The Anatomy of the Crypto-Stealing Chrome Extensions

These malicious Chrome extensions are not simply annoying pop-up ads; they are sophisticated tools designed to silently infiltrate your browser and compromise your cryptocurrency holdings. They achieve this through a variety of methods, often working in tandem to maximize their effectiveness.

Impersonating Legitimate Services

One of the most common tactics used by these extensions is to impersonate legitimate and popular cryptocurrency-related services. This includes mimicking well-known crypto wallets like MetaMask, Trust Wallet, and Coinbase Wallet. By using similar logos, names, and user interfaces, they trick users into believing they are installing a genuine extension from a trusted provider. Other extensions impersonate productivity tools, VPN services or even AI assistants, luring users in under false pretenses.

Example: A user might search for "MetaMask extension" in the Chrome Web Store and, without carefully examining the developer or reviews, accidentally install a fake extension that looks almost identical to the real one. Once installed, this fake extension can intercept transactions, steal private keys, or redirect funds to the attacker's wallet.

Targeting Crypto Wallets

These extensions are specifically designed to target crypto wallets, seeking to steal sensitive information and gain control over user funds. The 22 newly discovered extensions are reported to target at least 20 different crypto wallet extensions. The malware often scans for the presence of these specific wallet extensions upon installation.

Targeted Wallets Include:

  • MetaMask
  • Trust Wallet
  • Coinbase Wallet
  • OKX Wallet

Stealing Credentials and Private Keys

The primary goal of these extensions is to steal your credentials and private keys. This is often accomplished through phishing attacks, keylogging, or by injecting malicious code into legitimate websites. Once the attacker has access to your private keys, they can transfer your cryptocurrency to their own wallets, effectively stealing your funds.

Clipboard Monitoring and Manipulation

Some of these extensions employ more advanced techniques, such as monitoring your clipboard. This allows them to detect when you copy and paste a cryptocurrency address. The extension can then replace the legitimate address with the attacker's address, causing you to unknowingly send funds to the wrong recipient. StilachiRAT, a remote access trojan, is a prime example of malware capable of this. Microsoft's incident response team described StilachiRAT, which can steal credentials stored in the Google Chrome browser and cryptocurrency wallet data, in a post published on 17 March, and said it first discovered the malware last November.

The StilachiRAT Threat: A Deep Dive

Microsoft's Incident Response Team identified a new remote access trojan (RAT) called StilachiRAT. This malware is particularly dangerous because it goes beyond simple credential theft and employs sophisticated techniques to evade detection and steal user funds.

Key Features of StilachiRAT

  • Credential Theft: StilachiRAT is capable of stealing browser credentials, including usernames, passwords, and cookies, which can be used to access your cryptocurrency wallets and other sensitive accounts.
  • Clipboard Monitoring: As mentioned earlier, this malware monitors your clipboard for cryptocurrency addresses and can replace them with the attacker's address.
  • Anti-Forensic Techniques: StilachiRAT employs anti-forensic techniques to evade detection and make it more difficult for security researchers to analyze its behavior.
  • Command-and-Control Communication: The malware communicates with command-and-control (C&C) servers to exfiltrate data and receive commands from the attacker.

How StilachiRAT Operates

  1. Infection: StilachiRAT is typically distributed through malicious Chrome extensions that impersonate legitimate services.
  2. Installation: Once installed, the extension gains access to your browser and begins monitoring your activity.
  3. Data Exfiltration: The malware steals your credentials, monitors your clipboard, and sends this data to the C&C server.
  4. Command Execution: The attacker can then use the C&C server to send commands to the malware, such as transferring funds from your wallet or installing additional malware.

Google's Response and the Ongoing Battle

Google has been actively working to combat the spread of malicious Chrome extensions. After the discovery of these 22 new extensions, Google responded quickly and removed them from the Chrome Web Store within 24 hours. This rapid response demonstrates Google's commitment to protecting its users from malware. However, the battle is far from over.

Challenges in Combating Malicious Extensions

Despite Google's efforts, malicious actors continue to find ways to bypass security measures and distribute their malware through the Chrome Web Store. There are several reasons for this:

  • Sophisticated Disguises: Malicious extensions are becoming increasingly sophisticated in their ability to disguise themselves as legitimate tools.
  • Evolving Tactics: Attackers are constantly evolving their tactics to evade detection and exploit new vulnerabilities.
  • Scale of the Chrome Web Store: The sheer size of the Chrome Web Store makes it difficult to monitor all extensions for malicious activity.

Google's Efforts to Improve Security

Google is continually working to improve the security of the Chrome Web Store and protect users from malicious extensions. Some of their efforts include:

  • Enhanced Review Process: Google has implemented a more rigorous review process for new extensions, including automated and manual checks for malicious code.
  • User Reporting: Google encourages users to report suspicious extensions, which helps them identify and remove malicious extensions more quickly.
  • Improved Detection Techniques: Google is constantly developing new techniques to detect and block malicious extensions.
  • Developer Guidelines: Google has established clear guidelines for developers to ensure that extensions meet certain security standards.

How to Protect Yourself: Practical Tips and Advice

While Google is working to improve the security of the Chrome Web Store, it is ultimately up to you to protect yourself from malicious extensions. Here are some practical tips and advice to help you stay safe:

Be Vigilant When Installing Extensions

The most important thing you can do is to be vigilant when installing extensions. Before installing any extension, take the time to carefully examine it. Look for red flags, such as:

  • Suspicious Developer Name: Is the developer name unfamiliar or does it seem unprofessional?
  • Poor Reviews: Are there a lot of negative reviews or complaints about the extension's behavior?
  • Excessive Permissions: Does the extension request permissions that seem unnecessary or excessive for its stated purpose?
  • Lack of Information: Is there a lack of information about the extension's functionality or developer?

Example: An extension that claims to be a simple calculator but requests permission to access your browsing history should raise a red flag.

Use a Strong and Unique Password for Your Crypto Wallets

A strong and unique password is essential for protecting your crypto wallets. Avoid using the same password for multiple accounts, and make sure your password is complex and difficult to guess. Consider using a password manager to generate and store your passwords securely.

Enable Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra layer of security to your crypto wallets. With 2FA enabled, you will need to enter a code from your phone or another device in addition to your password when logging in or making a transaction. This makes it much more difficult for attackers to gain access to your account, even if they have your password.

Regularly Review and Remove Unnecessary Extensions

It's good practice to regularly review the extensions you have installed in your browser and remove any that you no longer need or use. The more extensions you have installed, the greater the risk that one of them could be malicious. According to the DomainTools Intelligence team's report, unknown cybercriminals have been distributing malicious extensions since February 2025: the actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more to direct users to install corresponding fake Chrome extensions on Google's Chrome Web Store.

To review and remove extensions in Chrome:

  1. Open Chrome.
  2. In the top right, click the three dots (More).
  3. Click More tools > Extensions.
  4. Review the list of installed extensions and remove any that you don't need or trust.
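
The "Excessive Permissions" red flag described earlier can also be checked against extensions that are already installed, as a complement to the manual review above. The Python script below is an added example, not part of the original article: it assumes the usual Chrome profile layout Extensions/<id>/<version>/manifest.json, its list of permission names is illustrative rather than exhaustive, and the sample manifests are constructed.

```python
import json
from pathlib import Path

# Real Chrome permission names, with why each matters for wallet theft.
RISKY = {
    "clipboardRead": "can read copied wallet addresses",
    "clipboardWrite": "can replace clipboard contents",
    "cookies": "can read session cookies",
    "history": "can read browsing history",
    "webRequest": "can observe network requests",
    "scripting": "can inject scripts into pages",
    "management": "can list other installed extensions",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not taken from any real extension).
SAMPLES = {
    "aaaa-constructed-id": {"name": "Simple Calculator", "manifest_version": 3,
                            "permissions": ["history", "clipboardRead"],
                            "host_permissions": ["<all_urls>"]},
    "bbbb-constructed-id": {"name": "Dark Theme", "manifest_version": 3,
                            "permissions": ["storage"]},
}


def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    requested = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    hosts = list(manifest.get("host_permissions", []))  # Manifest V3 host list
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    findings = []
    for perm in requested:
        if perm in RISKY:
            findings.append(f"{perm}: {RISKY[perm]}")
        elif perm in BROAD_HOSTS:  # Manifest V2 lists host patterns here
            hosts.append(perm)
    if any(h in BROAD_HOSTS for h in hosts):
        findings.append("broad host access: runs on every site")
    return findings


def audit_extensions_dir(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, TypeError, AttributeError):
            findings = ["manifest unreadable"]  # damaged or non-standard file
        if findings:
            report[ext_id] = findings
    return report


if __name__ == "__main__":
    for ext_id, manifest in SAMPLES.items():
        print(ext_id, manifest["name"], audit_manifest(manifest))
```

Point audit_extensions_dir at the Extensions folder of a Chrome profile. A finding is a prompt to check whether the extension's stated purpose justifies the permission, not proof that the extension is malicious.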

Keep Your Browser and Extensions Up to Date

Keeping your browser and extensions up to date is crucial for security. Updates often include security patches that fix vulnerabilities that could be exploited by malicious actors. Make sure you have automatic updates enabled in your browser settings.

Use a Reputable Antivirus Software

Reputable antivirus software can help protect you from malware, including malicious Chrome extensions. Make sure your antivirus software is up to date and that it is actively scanning your computer for threats.

Be Wary of Phishing Attacks

Phishing attacks are a common way for attackers to steal your credentials and private keys. Be wary of emails, messages, or websites that ask you to provide your sensitive information. Always double-check the URL of a website before entering your login credentials, and never click on links from untrusted sources.

Consider Using a Hardware Wallet

A hardware wallet is a physical device that stores your private keys offline. This makes it much more difficult for attackers to steal your keys, even if your computer is infected with malware. Hardware wallets are generally considered to be the most secure way to store your cryptocurrency.

Frequently Asked Questions (FAQs)

Here are some frequently asked questions about crypto-stealing Chrome extensions:

What are the signs that my Chrome extension has been compromised?

Some signs include unexpected pop-up ads, unusual browser behavior, unauthorized transactions from your crypto wallet, or warnings from your antivirus software.

What should I do if I suspect I have installed a malicious extension?

Immediately remove the extension, run a full scan with your antivirus software, and change your passwords for all your cryptocurrency wallets and other sensitive accounts.

Can I get my stolen cryptocurrency back?

Unfortunately, it is often difficult to recover stolen cryptocurrency. However, you should report the theft to the authorities and to the cryptocurrency exchange or wallet provider. They may be able to assist you in recovering your funds.

Are all Chrome extensions potentially dangerous?

No, most Chrome extensions are safe and legitimate. However, it is important to be vigilant and carefully examine each extension before installing it. A widespread campaign targeting Chrome browser users is using over 100 malicious extensions distributed through the Google Chrome Web Store to steal data, inject remote scripts, and manipulate network traffic. These extensions mimic popular brands such as Fortinet, YouTube, DeepSeek AI, and Calendly.

Where can I report a suspicious Chrome extension?

You can report a suspicious Chrome extension through the Chrome Web Store. Simply find the extension in the store and click the "Report abuse" link.

The Future of Browser Security

The discovery of these 22 new crypto-stealing Chrome extensions highlights the ongoing need for improved browser security. As attackers become more sophisticated, it is essential for both Google and users to stay vigilant and adopt proactive security measures. The future of browser security will likely involve:

  • More advanced threat detection techniques.
  • Increased collaboration between security researchers and browser developers.
  • Greater user awareness and education.
  • The development of more secure extension platforms.

Conclusion: Staying Ahead of the Curve

The discovery of 22 more crypto-stealing Google Chrome extensions serves as a stark reminder of the persistent threats lurking in the digital world. The fraudulent extensions, discovered in May 2025, posed as well-known crypto companies such as Ledger, KeepKey, MetaMask and Jaxx, and online scammers have been targeting other popular crypto companies to impersonate their apps on Google and steal money from users. While Google is actively working to combat these threats, the ultimate responsibility for protecting your cryptocurrency lies with you. By being vigilant when installing extensions, using strong passwords and enabling 2FA, regularly reviewing your installed extensions, and staying informed about the latest security threats, you can significantly reduce your risk of becoming a victim. Remember, proactive security measures are the key to staying ahead of the curve and keeping your crypto assets safe. Don't wait until it's too late – take action today to protect yourself from malicious Chrome extensions and other online threats. Make sure to review your extensions *now* and take a moment to double check your wallet security!

Jarek Molsen can be reached at [email protected].
