Web3 Extension Malware — ‘Google Sheets’

Wallet Guard
Aug 20, 2022

Co-Authored by:
0xQuit & 0xOhm

There is a new scam going around that leverages a Chrome extension to intercept and modify your exchange deposit addresses and withdrawal requests. This means that even if you double-check your addresses, you can still become a victim!

How does it work?

This malware uses a content script to modify the website you're visiting. We've seen this malware affect @coinbase, @kucoincom, @binance, and @gate_io.

What does it do?

In the image below you can see that when this malicious extension is installed, it modifies the content of a website to replace a deposit address with the attacker's own.

Below you can see the malicious code injection changing the deposit address.

Original Deposit Address

Details about the malicious extension:

This extension claims to be 'Google Sheets'. On the official Chrome store, you can see that the real extension is called 'Sheets' and has a completely different icon. The malicious icon is shown below.

Observations:

We also noticed some Kucoin scripts being blocked; however, we're unsure why. In the image below you can see that nothing external was loaded on the main page.

In the image below you can see code injection on the deposit or withdrawal pages via the 'Google Sheets' extension.

Following the attacker’s address:

via @SlowMist_Team’s Misttrack Application

Hacker Wallet #1 [0x47db355dbb2d11ab65df6a79a9b4e0a2cdad3ba7] ← receives a transaction from the original hacker address [0x11a2cDBcaB651553C406c5a8364FD63A030Bf2D3]

Hacker Wallet #2 [0x7483a733c05a52e474fd190a5b28cff08f31d853] ← receives a transaction from the original hacker address [0x11a2cDBcaB651553C406c5a8364FD63A030Bf2D3]

In the image below you can see the transactions taking place around the hacker’s address.

Conclusions:

Extensions can be extremely dangerous if you're not familiar with them or if they're not from a well-known vendor. Extensions can be leveraged to change the way you view a website.

This was downloaded via cracked software. ← don’t try to take shortcuts
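One way to check an installed extension for the capability described above, as an added example that is not from the original article: it reads an extension's manifest and reports content scripts whose match patterns cover exchange sites. The host list is assumed from the exchanges named above, and all three sample manifests are constructed.

```python
# Added example: audit an extension manifest for content scripts on exchange sites.
# Hosts are an assumption derived from the exchanges named in the article.
EXCHANGE_HOSTS = ["www.coinbase.com", "www.kucoin.com", "www.binance.com", "www.gate.io"]

def pattern_covers(pattern, host):
    """True if a Chrome match pattern applies to http(s) pages on `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False
    pat_host = rest.split("/", 1)[0].lower()
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]  # "*.example.com" also matches "example.com"
        return host == base or host.endswith("." + base)
    return host == pat_host

def audit_manifest(manifest):
    """Return one finding per content script that can run on an exchange host.
    exclude_matches is ignored, so this over-reports rather than under-reports."""
    findings = []
    for script in manifest.get("content_scripts", []):
        patterns = script.get("matches", [])
        hosts = [h for h in EXCHANGE_HOSTS
                 if any(pattern_covers(p, h) for p in patterns)]
        if hosts:
            findings.append({"name": manifest.get("name"),
                             "js": script.get("js", []), "hosts": hosts})
    return findings

# Constructed sample manifests (not taken from any real extension).
BROAD = {"name": "Sample A (constructed)", "manifest_version": 3,
         "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}
TARGETED = {"name": "Sample B (constructed)", "manifest_version": 3,
            "content_scripts": [{"matches": ["*://*.binance.com/*",
                                             "https://www.gate.io/*"],
                                 "js": ["inject.js"]}]}
SCOPED = {"name": "Sample C (constructed)", "manifest_version": 3,
          "content_scripts": [{"matches": ["https://docs.google.com/spreadsheets/*"],
                               "js": ["sheets.js"]}]}

if __name__ == "__main__":
    for m in (BROAD, TARGETED, SCOPED):
        print(m["name"], "->", audit_manifest(m) or "no exchange coverage")
```

A finding only means the extension is able to rewrite those pages; many legitimate extensions request broad match patterns, so treat each result as a prompt to review the listed script files.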

For more info about Wallet Guard and what we do visit: https://walletguard.app!
