Researchers have uncovered a breach in a widely-used Chrome extension SwitchyOmega that exposes users to private key theft.
A compromised version of the Chrome-based proxy extension SwitchyOmega has been stealing private keys from crypto wallets, putting over 500,000 users at risk, analysts at SlowMist warn.
The breach started when a phishing email targeted a Cyberhaven employee, an AI-powered data security company, resulting in the injection of harmful code into the extension. The phishing email falsely claimed that Cyberhaven’s browser extension violated Google‘s policies and threatened removal unless immediate action was taken, a March 12 research report shows.
SlowMist explained that the attacker used OAuth to access the Cyberhaven account, enabling them to upload the compromised extension version (24.10.4). As the extension was updated, users unknowingly installed the malicious code.
The malicious version of the extension appears to have been capable of stealing sensitive data, including private keys and mnemonic phrases from crypto wallets. It remains unclear though how many of the 500,000 affected users were exposed to the exploit. Analysts at SlowMist have advised users to check the installed extension IDs to ensure they match the official version.
Attacks on crypto traders through browser extensions aren’t anything new as bad actors have been trying to exploit them for a while now.
In September 2024, analysts at cybersecurity firm Group-IB revealed that the notorious North Korean hacking gang Lazarus Group, known for its sophisticated cyber campaigns against the crypto industry, has intensified its efforts to target crypto professionals and developers through fake video apps and expanding its targeting of browser extensions.
