Chrome extension contains malicious code to steal encrypted wallet private key

A Google Chrome extension was found to have injected JavaScript code into the web to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals. The extension, called Shitcoin Wallet (Chrome Extension ID: ckkgmcceffnbbalkm bbgebbogggggffn), was launched on December 9.

据介绍,Shitcoin Wallet 允许用户管理以太(ETH)币,也可以管理基于以太坊 ERC20 的代币-通常为 ICO 发行的代币(初始代币发行)。用户可以从浏览器中安装 Chrome 扩展程序并管理 ETH coins 和 ERC20 tokens;同时,如果用户想从浏览器的高风险环境之外管理资金,则可以安装 Windows桌面应用。

However, Harry Denley, director of security for the MyCrypto platform, recently discovered that the extension contained malicious code.

According to Denley, there are two risks to the extension for users. First, any funds managed directly within the extension (ETH coins and ERC0-based tokens) are at risk. Denley says the extension sends the private keys of all wallets created or managed through its interface to erc20wallet. tk’s third-party website.

Chrome extension contains malicious code to steal encrypted wallet private key

Second, the extension also proactively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code will steal login credentials and private keys and send data to the same erc20wallet. tk third-party websites.

Based on the analysis of malicious code, the process is as follows:

Users install Chrome extensions

Chrome Extender Requests Permission to Inject JavaScript (JS) Code on 77 Websites

When the user navigates to any of these 77 sites, the extension loads and injects an additional JS file from the following locations: https://erc20wallet. tk/js/content_.js

This JS file contains confusing code . . . . . . . . . . . . . . . . . . . . . . . . .

The code is activated on five websites:, Idex.Market,,, and

Once activated, the malicious JS code logs the user’s login credentials, searches the private key stored in the dashboards of the five services, and finally sends the data to erc20wallet. tk 

It is not clear whether the Shitcoin Wallet team is responsible for malicious code, or whether the Chrome extension was corrupted by a third party.


Add a Comment

Your email address will not be published. Required fields are marked *