
Introduction: A Browser Tool That Quietly Empties Wallets
Browser extensions are often trusted tools, installed to save time, automate workflows, or simplify complex tasks. In the cryptocurrency world, where speed and automation matter, this trust becomes even stronger. The discovery of the MEXC API Automator Chrome extension shows how dangerous that trust can be when abused. What appeared to be a harmless trading assistant was, in reality, a carefully designed credential-stealing operation capable of draining user accounts without triggering traditional security alarms.
Summary of the Original
A Malicious Extension Hiding in Plain Sight
Security researchers from Socket’s Threat Research Team uncovered a dangerous Chrome extension named MEXC API Automator. The extension was publicly available on the Chrome Web Store, giving it an appearance of legitimacy despite its malicious intent.
A Developer Identity That Raised No Immediate Alarms
The extension was published on September 1, 2025, by a developer using the alias jorjortan142. Nothing in the public listing clearly indicated malicious behavior, allowing it to attract unsuspecting cryptocurrency traders.
False Claims of Trading Automation
MEXC API Automator claimed to automate trading activities on the MEXC cryptocurrency exchange. This promise appealed to users looking to optimize trading strategies without constant manual intervention.
Abuse of API Permissions
Once installed, the extension targeted users visiting MEXC’s API management page. It automatically selected all permission checkboxes, including the most dangerous one: withdrawal access.
Visual Deception Through CSS Manipulation
To avoid suspicion, the extension used CSS to hide the visual state of the withdrawal permission: the checkbox was rendered as if it were unchecked or disabled, while its real DOM state stayed checked, so the request the browser sent to MEXC carried withdrawal access as enabled. What the user saw and what the page submitted were two different things.
Exploiting the Two-Factor Authentication Flow
After the user completed two-factor authentication, believing the API key had been created safely, the extension read the newly issued API key and secret out of the success modal that MEXC displays on the page.
Silent Exfiltration of Credentials
The stolen API credentials were immediately sent to a Telegram bot controlled by the attacker, an ordinary outbound HTTPS request that blends in with normal web traffic. From that moment the threat actor held a working credential for the victim's exchange account.
Complete Account Takeover Without Passwords
With valid API keys, the attacker could trade, withdraw funds, and drain wallets without knowing the user's password and without defeating login 2FA, because an API key is itself a fully authorized credential, limited only by the permissions it was created with. Since the extension had ensured withdrawal was among those permissions, nothing stood between the key and the funds.
Browser-Based Attacks Evade Traditional Defenses
Because the malicious behavior occurred entirely inside the browser, many conventional security tools failed to detect the activity.
A Broader Criminal Ecosystem
Researchers linked the threat actor to the SwapSushi brand, which maintains social media channels and Telegram bots focused on cryptocurrency swapping.
Clues Pointing to the Developer’s Background
Analysis of the extension’s source code revealed Russian-language comments, suggesting the developer is likely a Russian speaker.
A Global Risk to Millions of Users
MEXC operates in over 170 countries and serves millions of users, significantly amplifying the potential impact of this attack.
Recommended Defensive Measures
Socket researchers advised users to audit browser extensions, remove suspicious tools, rotate API keys regularly, and monitor accounts for unusual activity.
What Undercode Say:
The Browser Extension Threat Is Maturing
This incident highlights a clear evolution in browser-based attacks. Threat actors are no longer relying on crude phishing links or malware downloads. Instead, they are embedding themselves directly into trusted platforms like official extension stores.
API Keys Are the New Passwords
Cryptocurrency exchanges increasingly rely on API keys for automation, but many users treat them casually. This case proves API keys can be even more dangerous than passwords when misused, especially with withdrawal permissions enabled.
UI Manipulation Is a Silent Weapon
The use of CSS to hide permission states is a quiet but effective form of deception. Users visually confirmed that withdrawals were disabled, yet the request their own browser submitted carried the permission as active. This breaks the fundamental assumption that what the interface shows matches what is sent to the backend, and it is why a permission grant should be confirmed against the server's own reading of the request, not against the rendered form.
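The mismatch described above (and in the "Visual Deception Through CSS Manipulation" section) can be checked for directly: compare each checkbox's DOM state with what the user can actually see. The following is an added example written for this article, not code from the original page or from Socket's report. The style properties consulted, the verdict names, and the sample snapshots are assumptions; the real markup of MEXC's API-key form is not known here.

```javascript
// Added example (not from the article or Socket's report): flag checkboxes whose
// DOM state disagrees with their visible state. A CSS-hidden-but-checked control
// is exactly what the extension relied on.

// Pure decision logic on a plain snapshot, so it can be unit-tested outside a browser.
function classifyCheckbox(snap) {
  const invisible =
    snap.display === 'none' ||
    snap.visibility === 'hidden' ||
    Number(snap.opacity) === 0 ||
    snap.width === 0 || snap.height === 0;
  if (snap.checked && invisible) return 'CHECKED_BUT_HIDDEN';          // on, but the user cannot see it
  if (snap.checked && snap.pointerEvents === 'none') return 'CHECKED_BUT_UNCLICKABLE'; // on, cannot be turned off
  if (snap.checked && snap.disabled) return 'CHECKED_AND_DISABLED';    // greyed out; scripts still read it as on
  if (snap.checked) return 'CHECKED_VISIBLE';
  return invisible ? 'UNCHECKED_HIDDEN' : 'UNCHECKED_VISIBLE';
}

function isSuspicious(verdict) {
  return verdict.startsWith('CHECKED_BUT') || verdict === 'CHECKED_AND_DISABLED';
}

// Browser side: snapshot a real <input type=checkbox> with its computed style and box.
// getBoundingClientRect() returns a 0x0 box for display:none, including inherited from a parent.
function snapshotCheckbox(el) {
  const cs = window.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  const label = el.labels && el.labels.length ? el.labels[0].textContent.trim() : '';
  return {
    name: el.name || el.id || label || '(unnamed)',
    checked: el.checked, disabled: el.disabled,
    display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
    pointerEvents: cs.pointerEvents, width: rect.width, height: rect.height,
  };
}

// Run from the DevTools console on the API-key form before clicking "Create":
//   findSuspicious(Array.from(document.querySelectorAll('input[type=checkbox]')).map(snapshotCheckbox))
function findSuspicious(snapshots) {
  return snapshots
    .map(s => ({ name: s.name, verdict: classifyCheckbox(s) }))
    .filter(s => isSuspicious(s.verdict));
}

// Constructed snapshots standing in for a real form (assumed names, not captured from MEXC).
const VISIBLE_STYLE = { display: 'inline-block', visibility: 'visible', opacity: '1', pointerEvents: 'auto', width: 16, height: 16 };
const SAMPLE_SNAPSHOTS = [
  { name: 'read',       checked: true,  disabled: false, ...VISIBLE_STYLE },
  { name: 'spot_trade', checked: true,  disabled: false, ...VISIBLE_STYLE },
  { name: 'withdraw',   checked: true,  disabled: false, ...VISIBLE_STYLE, visibility: 'hidden' }, // the trick
  { name: 'futures',    checked: false, disabled: false, ...VISIBLE_STYLE },
];
```

A content script's injected stylesheet changes the computed style that this check reads, so it catches the technique the article describes. It is a spot check, not a guarantee: an extension that also injects a page-world script could hook getComputedStyle itself, which is why the durable fix belongs on the exchange's server, where the submitted permission set is read independently of the page.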
Two-Factor Authentication Is Not a Silver Bullet
Even with two-factor authentication enabled, users were compromised. The attack did not bypass 2FA; it waited for users to complete it legitimately, then harvested the authorized credentials.
Telegram Remains a Criminal Command Hub
Telegram’s role as a command-and-control channel continues to grow in cybercrime operations. Its ease of automation and relative anonymity make it attractive for credential exfiltration and account management.
The Chrome Web Store Trust Gap
The fact that this extension passed into the store and was still publicly listed when researchers found it raises serious questions about the effectiveness of automated and manual review processes in extension marketplaces, particularly for tools that request access to financial sites.
Brand Imitation as a Social Engineering Tool
By presenting itself as a trading automation solution, the extension exploited a popular crypto narrative: passive income through bots. This psychological hook lowered user skepticism.
Russian-Speaking Developer Patterns
The presence of Russian comments does not confirm nationality, but it aligns with known patterns in financially motivated cybercrime groups operating in cryptocurrency ecosystems.
The Scale of Potential Damage
With MEXC serving users globally, even a small installation base could translate into millions of dollars in stolen assets, especially during volatile market conditions.
Why Traditional Antivirus Failed
No executable malware was installed on the system. The extension used legitimate browser APIs and DOM manipulation, making it nearly invisible to endpoint security tools. The one artifact that leaves the browser is the exfiltration request itself, which is why proxy and DNS logs, not antivirus, are where this kind of activity can actually be seen.
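Because the only observable step is the outbound request to the attacker's Telegram bot (see "Silent Exfiltration of Credentials" and "Telegram Remains a Criminal Command Hub" above), egress logs are the practical detection point. The following is an added example, not code from the article or from Socket's research: it scans constructed proxy log lines for browser-originated calls to the Telegram Bot API. The log format is invented for the example, and the bot-token shape (numeric bot id, colon, secret) follows Telegram's public documentation while the sample tokens themselves are made up.

```javascript
// Added example: flag browser-originated Telegram Bot API calls in egress/proxy logs.
// Such a call from a browser user agent is unusual for a user and is the shape of the
// exfiltration the article describes. Log format and sample lines are constructed.

// Telegram Bot API URLs look like https://api.telegram.org/bot<botId>:<secret>/<method>
const TELEGRAM_BOT_CALL = /^https?:\/\/api\.telegram\.org\/bot(\d+):([A-Za-z0-9_-]+)\/(\w+)/;

// Constructed proxy log: "<iso-ts> <client-ip> <method> <url> "<user-agent>"" (not a real product's format)
const SAMPLE_LOG = `
2025-09-03T10:14:02Z 10.0.4.21 GET https://www.mexc.com/user/openapi "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
2025-09-03T10:14:40Z 10.0.4.21 POST https://api.telegram.org/bot123456789:AAEexampleSecretTokenValue_0123456789ab/sendMessage "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
2025-09-03T10:15:01Z 10.0.4.37 GET https://api.telegram.org/bot987654321:BBFanotherConstructedTokenValue_abcdefgh/getUpdates "python-requests/2.32"
2025-09-03T10:15:09Z 10.0.4.21 GET https://t.me/somechannel "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
`.trim();

function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$/);
  if (!m) return null;
  return { ts: m[1], client: m[2], method: m[3], url: m[4], ua: m[5] };
}

// Keep the bot id (useful for an abuse report to Telegram), drop most of the secret from the alert.
function maskToken(botId, secret) {
  return `${botId}:${secret.slice(0, 4)}...`;
}

function findTelegramBotEgress(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec) continue;
    const m = rec.url.match(TELEGRAM_BOT_CALL);
    if (!m) continue;
    const [, botId, secret, apiMethod] = m;
    const fromBrowser = /^Mozilla\//.test(rec.ua);
    hits.push({
      ts: rec.ts,
      client: rec.client,
      apiMethod,
      token: maskToken(botId, secret),
      fromBrowser,
      // A browser pushing data into a bot (send*) is the exfiltration pattern; other calls are worth a look.
      severity: fromBrowser && /^send/.test(apiMethod) ? 'high' : 'medium',
    });
  }
  return hits;
}
```

On the constructed log this returns two hits: a high-severity sendMessage from the same client that was on the MEXC API page seconds earlier, and a medium-severity getUpdates from a scripted client. Telegram Bot API traffic is TLS, so the full URL is only visible where a proxy terminates TLS; with DNS or SNI logs alone the detection degrades to "browser contacted api.telegram.org", which is still a reasonable hunt query in an environment where nobody should be running bots from a workstation.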
Extension Permissions Are Often Ignored
Many users approve browser permissions without reading them. This behavior enables malicious extensions to operate freely once installed.
API Automation Is a High-Risk Convenience
Automation increases efficiency but also multiplies risk. Any compromised automation layer becomes a direct pipeline to user funds.
Exchanges Share Responsibility
While the extension is malicious, exchanges share responsibility for the design of the surface it abused. API dashboards could warn server-side about dangerous permission combinations, require a separate confirmation step for withdrawal-capable keys, and spell out the granted permissions in that confirmation so the user approves what the server actually received rather than what the page rendered.
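One way an exchange backend could enforce this, as an added example that is not MEXC's code or any real exchange's API: normalise the submitted permission set on the server, require step-up for withdrawal scope, build the confirmation text from the server's own reading of the request, and refuse to finalise the key if the scope set at finalisation differs from the one confirmed. The scope names, the request shape, and the function names are assumptions made for the example.

```javascript
// Added example: server-side policy for API-key creation that never trusts the
// browser's rendering of the form. Hypothetical backend; scope names are assumed.

const KNOWN_SCOPES = new Set(['read', 'spot_trade', 'futures_trade', 'withdraw']);
const HIGH_RISK = new Set(['withdraw']);

// Canonicalise whatever the client sent: dedupe, sort, reject unknown scopes loudly.
function normaliseScopes(raw) {
  if (!Array.isArray(raw)) throw new TypeError('scopes must be an array');
  const scopes = [...new Set(raw.map(String))].sort();
  const unknown = scopes.filter(s => !KNOWN_SCOPES.has(s));
  if (unknown.length) throw new RangeError(`unknown scopes: ${unknown.join(',')}`);
  return scopes;
}

// Step 1: evaluate the request and decide what the 2FA prompt must say.
function planKeyCreation(request) {
  const scopes = normaliseScopes(request.scopes);
  const risky = scopes.filter(s => HIGH_RISK.has(s));
  const ipAllowlist = Array.isArray(request.ipAllowlist) ? request.ipAllowlist : [];
  const warnings = [];
  if (risky.length && ipAllowlist.length === 0) warnings.push('withdraw scope without IP allowlist');
  if (risky.length && scopes.length === KNOWN_SCOPES.size) warnings.push('all permissions requested at once');
  return {
    scopes,
    requiresStepUp: risky.length > 0,
    // Built from the server's reading of the request, not echoed from the client.
    challengeText:
      `Create API key "${request.label}" with permissions: ${scopes.join(', ')}` +
      (risky.length ? ' [WARNING: this key can WITHDRAW funds]' : ''),
    warnings,
  };
}

// Step 2: after 2FA, the scopes submitted for finalisation must equal the confirmed set.
function finalizeKeyCreation(plan, submittedScopes) {
  const again = normaliseScopes(submittedScopes);
  if (again.join(',') !== plan.scopes.join(',')) {
    return { ok: false, reason: 'scope set changed since confirmation' };
  }
  return { ok: true, scopes: plan.scopes };
}
```

The point of binding finalisation to the confirmed scope set is that a hidden checkbox no longer helps the attacker: the word "withdraw" appears in the 2FA prompt whether or not the page shows it, and a key created with a different scope set than the one the user confirmed is rejected.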
Education Is Still the Weakest Link
Technical safeguards matter, but user awareness remains critical. Most victims did nothing “wrong” except trust a tool that appeared legitimate.
This Attack Will Be Replicated
The technique used here is effective, low-cost, and scalable. It is almost certain that similar extensions targeting other exchanges will appear.
Fact Checker Results
Extension Availability Status
The extension was publicly listed on the Chrome Web Store at the time of discovery, confirming distribution through a trusted platform ✅
Technical Validity of the Attack
The described CSS manipulation and API key exfiltration methods align with known browser extension capabilities ✅
Attribution Indicators
Russian-language code comments suggest, but do not definitively prove, the developer’s background ❌
Prediction
Increased Scrutiny on Crypto Extensions 🔮
Extension marketplaces will face mounting pressure to improve review processes for financial and crypto-related tools.
API Permission Models Will Change 🔐
Exchanges are likely to redesign API permission systems to make withdrawal access harder to obscure or misuse.
More Browser-Based Crypto Attacks Ahead ⚠️
As users grow wary of phishing, attackers will increasingly target browser extensions as the next high-yield attack surface.
References:
Reported By: cyberpress.org