
Introduction
A newly discovered malicious Google Chrome extension is putting cryptocurrency traders at serious risk by secretly hijacking their MEXC exchange accounts. Disguised as a legitimate automation tool, the extension quietly steals sensitive API credentials, granting attackers full control over victims’ funds. This incident exposes dangerous gaps in browser security and highlights how cybercriminals are exploiting trusted platforms like the Chrome Web Store to carry out financial crimes.
The Original
Cybersecurity researchers have revealed a malicious Chrome extension called MEXC API Automator that targets users of the MEXC cryptocurrency exchange, which operates in over 170 countries. The extension, identified by the ID pppdfgkfdemgfknfnhpkibbkabhghhfh, claims to help traders automate their strategies. However, behind the scenes, it performs a far more sinister function.
Published on September 1, 2025, by a developer using the name “jorjortan142,” the extension has been downloaded 29 times and remains available on the Chrome Web Store. According to Socket security researcher Kirill Boychenko, the add-on automatically generates new MEXC API keys, secretly enables withdrawal permissions, and hides these changes from users by manipulating the interface.
Once users visit the MEXC API management page, the extension injects a script that operates within their authenticated session. This allows it to create new API keys without triggering suspicion. While the user believes withdrawal access is disabled, the extension ensures it remains active.
After generating the Access Key and Secret Key, the extension immediately sends them to a hard-coded Telegram bot controlled by the attacker. This transmission happens via an encrypted HTTPS request, ensuring stealthy data exfiltration.
The danger persists even if the victim uninstalls the extension. As long as the stolen API keys remain valid, attackers retain access to the account, enabling them to trade, withdraw funds, and drain wallets at will.
Researchers emphasize that this method avoids traditional login attacks. Instead of stealing passwords, attackers abuse an already authenticated browser session. The Chrome Web Store acts as the delivery mechanism, the MEXC interface as the execution environment, and Telegram as the data exfiltration channel.
While the identity of the attacker remains unknown, clues link “jorjortan142” to an X (Twitter) account promoting a Telegram bot named SwapSushiBot, which is also advertised on TikTok and YouTube. The YouTube channel associated with it was created on August 17, 2025.
Socket warns that this technique could easily be adapted to target other exchanges, DeFi dashboards, and financial platforms. Future versions may include heavier obfuscation, broader permissions, and support for multiple platforms within a single extension.
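The delivery pattern described above (a content script scoped to an exchange's API-management page plus a hard-coded Telegram bot endpoint) can be triaged statically before an extension is installed or allowed through a corporate browser policy. The following is an added example, not code from the article, from Socket's research or from the extension itself; the URL patterns, the manifest and the source snippet are all constructed or assumed, not MEXC's real paths or the real extension's code.

```javascript
// Static triage of an unpacked Chrome extension for the pattern above: a content
// script targeting an exchange API-management page combined with a hard-coded
// Telegram bot URL. Added example; inputs are constructed, patterns are assumptions.
const EXCHANGE_API_PAGE_RE = /mexc\.com\/.*api/i;            // assumed page pattern
const TELEGRAM_HOST_RE = /(^|\/\/)api\.telegram\.org/i;
const TELEGRAM_BOT_RE = /api\.telegram\.org\/bot\d+:[\w-]+/;  // bot<id>:<token>

// manifest: parsed manifest.json; sources: { filename: source text }
function triageExtension(manifest, sources) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (EXCHANGE_API_PAGE_RE.test(m)) {
        findings.push({ rule: "content_script_on_exchange_api_page", detail: m });
      }
    }
  }
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  for (const h of hosts) {
    if (TELEGRAM_HOST_RE.test(h)) findings.push({ rule: "host_permission_telegram", detail: h });
  }
  for (const [file, code] of Object.entries(sources)) {
    const hit = TELEGRAM_BOT_RE.exec(code);
    if (hit) {
      // Redact the token part so the finding can be logged and shared safely
      const redacted = hit[0].replace(/:[\w-]+$/, ":<redacted>");
      findings.push({ rule: "hardcoded_telegram_bot", detail: `${file}: ${redacted}` });
    }
  }
  const has = (rule) => findings.some((f) => f.rule === rule);
  const verdict = has("content_script_on_exchange_api_page") && has("hardcoded_telegram_bot")
    ? "high" : findings.length ? "review" : "clean";
  return { verdict, findings };
}

// Constructed sample package (not the real extension's manifest or code)
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "constructed-sample",
  content_scripts: [{ matches: ["https://www.mexc.com/user/openapi*"], js: ["content.js"] }],
  host_permissions: ["https://api.telegram.org/*"],
};
const SAMPLE_SOURCES = {
  "content.js": 'fetch("https://api.telegram.org/bot000000000:CONSTRUCTED_TOKEN/sendMessage");',
};

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_SOURCES), null, 2));
```

The same pass can be pointed at any other exchange by swapping the page pattern; a "high" verdict is a blocklist candidate, a "review" verdict is something an analyst should look at before approving.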
What Undercode Says:
This incident exposes a terrifying evolution in crypto-focused cybercrime. Instead of brute-force hacking or phishing emails, attackers are now weaponizing browser extensions—tools that users inherently trust. The most alarming aspect is not just the theft, but how quietly it happens.
By exploiting an already logged-in browser session, criminals bypass passwords, two-factor authentication, and even hardware security keys. This is a surgical attack on trust itself. Users think they are installing a productivity tool, but in reality, they are handing over the keys to their financial kingdom.
The manipulation of the user interface is especially dangerous. Victims visually confirm that withdrawal permissions are disabled, yet the extension secretly flips the switch behind the scenes. This psychological deception removes any chance for users to detect suspicious behavior.
Another critical issue is Chrome Web Store vetting. The fact that this extension passed moderation raises serious concerns about Google’s review process. If such a blatant credential-stealing tool can slip through, how many more are already active?
The use of Telegram as an exfiltration channel shows how cybercriminals favor platforms that are encrypted, anonymous, and easy to automate. This is becoming a standard pattern in modern malware operations.
What makes this attack devastating is persistence. Even after removing the extension, victims remain compromised unless they manually revoke API keys. Many users don’t even know such keys exist, let alone how to disable them.
This case also demonstrates a broader threat to Web3 infrastructure. API keys are the backbone of automated trading, DeFi bots, and portfolio managers. Stealing them is far more powerful than stealing passwords.
We are also seeing social media manipulation at play. The attacker’s presence on TikTok and YouTube suggests an effort to lure victims through influencer-style marketing, blending scams with entertainment.
From a security standpoint, exchanges must rethink API management. Real-time alerts for new API keys, default withdrawal blocks, and mandatory IP whitelisting should be standard.
For users, the lesson is brutal but clear: never trust browser extensions, especially those related to finance. Check developer history, reviews, and permissions carefully.
This attack will not be the last. The technique is simple, effective, and highly profitable. Expect copycats targeting Binance, Coinbase, Kraken, and DeFi dashboards next.
Ultimately, this breach proves that the weakest link in cybersecurity is still human trust. Criminals don’t need zero-day exploits when social engineering and fake tools work just as well.
🔍 Fact Checker Results
✅ The extension exists on the Chrome Web Store and targets MEXC users.
✅ Researchers confirmed API keys are exfiltrated via Telegram.
❌ No official response from Google or MEXC has been publicly documented yet.
📊 Prediction
Cybercriminals will rapidly replicate this model to target other crypto exchanges and DeFi platforms. Browser extensions will become a primary attack vector in 2026, forcing Google to tighten extension policies and exchanges to redesign API security systems.
References:
Reported By: thehackernews.com