Look out for the Shitcoin Wallet Chrome extension that steals crypto wallet private keys and passwords

Security researchers have uncovered a malicious Google Chrome extension named Shitcoin Wallet that steals passwords and private keys from cryptocurrency wallets and portals.

What was Shitcoin Wallet meant for?

According to an introductory blog post, Shitcoin Wallet lets users connect to the Ethereum blockchain. Launched on December 9, the extension was designed to let users create their own wallets locally and communicate with other blockchain networks.

What is the new discovery?

Contrary to its stated purpose, Shitcoin Wallet was found to contain malicious code, according to Harry Denley, Director of Security at the MyCrypto platform, as reported by ZDNet.

According to the analysis of the malicious code, the process goes as follows:

  • The user installs the Chrome extension.
  • The extension requests permission to inject JavaScript code on 77 websites.
  • When the user navigates to one of these 77 websites, the extension loads an additional JS file from https://erc20wallet[.]tk/js/content_.js.
  • This JS file contains obfuscated code and activates on five websites, namely ‘MyEtherWallet.com,’ ‘Idex.Market,’ ‘Binance.org,’ ‘NeoTracker.io,’ and ‘Switcheo.exchange.’
  • Once activated, the malicious JS code records the user’s password, searches for private keys stored inside the dashboards of the five services, and finally sends the data to erc20wallet[.]tk.
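
For defenders, the permission step in the list above is visible in an extension's manifest.json before any remote script is fetched. The following is an added example, not code from the article or the researchers: it audits a manifest's host patterns against the five sites named above, and the sample manifest and function names are constructed for illustration.

```javascript
// Watchlist: the five sites named in the analysis above (lowercased).
const WATCHLIST = ["myetherwallet.com", "idex.market", "binance.org",
                   "neotracker.io", "switcheo.exchange"];

// Host part of a Chrome match pattern (scheme://host/path).
// "<all_urls>" maps to "*"; non-pattern strings such as "storage" return null.
function patternHost(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[2].toLowerCase() : null;
}

// True if the pattern host reaches `site` or any subdomain of it.
function hostCovers(pHost, site) {
  if (pHost === "*") return true;
  const wildcard = pHost.startsWith("*.");
  const base = wildcard ? pHost.slice(2) : pHost;
  if (base === site || base.endsWith("." + site)) return true;
  return wildcard && site.endsWith("." + base); // e.g. "*.org" covers binance.org
}

// Collect every host pattern the extension can inject into or access,
// then report which watchlist sites fall inside that set.
function auditManifest(manifest) {
  const patterns = [
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const hosts = patterns.filter((p) => typeof p === "string")
    .map(patternHost).filter((h) => h !== null);
  return {
    hostPatterns: hosts.length,
    watched: WATCHLIST.filter((s) => hosts.some((h) => hostCovers(h, s))),
  };
}

// Constructed sample manifest (hypothetical extension, not the real one).
const SAMPLE = {
  name: "example-wallet-helper",
  content_scripts: [{ js: ["content.js"], matches: [
    "https://www.myetherwallet.com/*", "*://*.binance.org/*", "https://example.org/*"] }],
  permissions: ["storage", "https://idex.market/*"],
};
console.log(auditManifest(SAMPLE));
```

A non-empty `watched` list means the extension can run script on a page where keys or passwords are entered, which is the access the remote content_.js file depended on.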

Bottom line

The extension has around 621 installs. It is unclear whether the developers of Shitcoin Wallet are responsible for the malicious code or whether the Chrome extension was compromised by a third party.