Two malicious Google Chrome browser extensions allegedly drained $800,000 from a cryptocurrency investor known as “Sell When Over” on X. The user suspected that the extensions named “Sync test BETA (colorful)” and “Simple Game” may have contained keyloggers targeting specific wallet extension apps.

Keyloggers are malicious applications used by cybercriminals to record every keystroke on a target’s computer, allowing them to access confidential information. The issue came to light after a Google Chrome update last month, which the user had postponed until a PC update from Windows forced a restart.

After the restart, all of the user’s Chrome extensions were logged out, and tabs were lost. This led to the user re-entering credentials and seed phrases for their cryptocurrency wallets. The user believes this is when their confidential data was compromised, leading to the funds being drained three weeks later.

During an investigation, the user discovered the two malicious extensions on their system. The user also found Google Translate set to auto-translate to Korean in their browser. The funds were reportedly sent to MEXC and Gate.io exchanges.

Although the user was uncertain how their Chrome browser was compromised, analysis revealed that the Sync test BETA (colorful) extension was a keylogger sending data to an external website’s PHP script. The Simple Game extension was monitoring tab activity.
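The capability profile described above (a content script on every page that can capture keystrokes, broad host access to reach an external server, and tab monitoring) is visible in an extension's manifest. The following audit script is an added example, not code from the article or from the extensions it describes; it assumes Chrome's default profile directory layout and treats the flagged permissions as risk signals to review, not as proof of malice.

```python
"""Flag installed Chrome extensions whose manifest grants the keylogger/tab-monitor
capability profile. Added example; the risk rules are heuristics, not a verdict."""
import json
import os
from pathlib import Path

# Match patterns that give a content script or host permission reach into every site.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension observe which tabs are open and where they navigate.
TAB_PERMS = {"tabs", "webNavigation"}


def chrome_extension_root() -> Path:
    """Extension directory of the default Chrome profile (assumption: default profile)."""
    if os.name == "nt":
        base = Path(os.environ.get("LOCALAPPDATA", ""))
        return base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    return Path.home() / ".config" / "google-chrome" / "Default" / "Extensions"


def assess_manifest(manifest: dict) -> list[str]:
    """Return the risk flags raised by one manifest.json (empty list = nothing notable)."""
    flags = []
    matches = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    if matches & BROAD_MATCHES:
        flags.append("content script injected on all sites (can capture keystrokes)")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms  # MV3 and MV2 spellings
    if hosts & BROAD_MATCHES:
        flags.append("host access to all sites (can post data to an external server)")
    if perms & TAB_PERMS:
        flags.append("tab monitoring permission")
    return flags


def audit(root: Path) -> dict[str, list[str]]:
    """Walk <root>/<extension id>/<version>/manifest.json; map extension name -> flags."""
    findings: dict[str, list[str]] = {}
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash the audit
        flags = assess_manifest(manifest)
        if flags:
            ext_id = manifest_path.parent.parent.name
            findings[f"{manifest.get('name', '?')} ({ext_id})"] = flags
    return findings


if __name__ == "__main__":
    for name, flags in audit(chrome_extension_root()).items():
        print(f"[!] {name}: {'; '.join(flags)}")
```

Extensions listed by the script deserve a closer look at their background scripts and network activity; a legitimate password manager will also trip these rules, so the output is a review list, not a block list.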

Lessons learned from this incident include wiping the entire PC whenever something suspicious prompts re-entry of a seed phrase. The malicious extensions did not appear on the Chrome Web Store at the time of publication.

Malicious Chrome extensions have been a persistent issue in the cryptocurrency industry. In a 2023 report, cybersecurity experts disclosed the use of the Rilide Chrome malware to steal sensitive data and cryptocurrency. This malware deployed rogue browser extensions to siphon funds.

A Windows malware strain discovered in late 2022 likewise used Google Chrome extensions to steal cryptocurrency and clipboard data. These extensions altered website HTML to display accurate wallet balances while draining funds in the background.