A recent discovery by researchers highlights a security flaw in the popular Chrome extension SwitchyOmega, which could lead to the theft of users’ private keys.
According to analysts, a corrupted version of the SwitchyOmega proxy extension has been capturing private keys from cryptocurrency wallets, putting more than 500,000 users in jeopardy.
The breach began when a phishing email was directed at an employee of Cyberhaven, a data security company leveraging AI. This email falsely claimed that Cyberhaven’s browser extension was in violation of Google’s policies and threatened to remove it unless urgent action was taken, as detailed in a report from March 12.
Experts indicated that the attacker leveraged OAuth credentials to gain access to the Cyberhaven account, allowing them to upload a modified version of the extension (24.10.4). As users updated the extension, they inadvertently installed the malicious code.
The malicious extension was reported to have the capability to extract sensitive information, including private keys and mnemonic phrases from cryptocurrency wallets. However, it is still uncertain how many of the 500,000 affected users may have fallen victim to the exploit. Analysts recommend that users verify the installed extension IDs to confirm they correspond with the legitimate version.
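The check recommended above (confirming that the installed extension IDs and versions match what you expect) can be automated by walking a Chrome profile's `Extensions` directory, where each extension sits under `Extensions/<extension_id>/<version>_<n>/manifest.json`. The script below is an added example written for this article, not code from the researchers or from any vendor mentioned; the extension IDs and the allowlist it uses are constructed placeholders (the page does not give the real IDs), and it builds a fake profile directory in a temp folder so it runs offline. It flags both unknown extension IDs and a known-bad build of an otherwise trusted extension, using the 24.10.4 version number reported above as the example of a compromised build.

```python
import json
import os
import tempfile
from pathlib import Path

# Placeholder IDs (constructed for this example; Chrome IDs are 32 lowercase letters).
LEGIT_ID = "a" * 32     # stands in for the trusted proxy extension's real ID
UNKNOWN_ID = "b" * 32   # an extension the organisation never approved

# Allowlist of extension IDs the organisation expects to see (constructed).
EXPECTED_IDS = {LEGIT_ID}
# Versions known to be compromised, keyed by extension ID (24.10.4 is the build named in the article).
BAD_VERSIONS = {LEGIT_ID: {"24.10.4"}}


def inventory_extensions(profile_dir):
    """List every extension found under <profile>/Extensions as {'id', 'version', 'name'} dicts.

    Chrome keeps one folder per extension ID and one sub-folder per installed version;
    the version folder name carries a trailing '_<n>' suffix, so the manifest's own
    'version' field is preferred and the folder name is only a fallback.
    """
    found = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return found
    for id_dir in sorted(ext_root.iterdir()):
        if not id_dir.is_dir():
            continue
        for ver_dir in sorted(id_dir.iterdir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest: still report the folder so it gets looked at
            found.append({
                "id": id_dir.name,
                "version": data.get("version", ver_dir.name.split("_")[0]),
                "name": data.get("name", "?"),
            })
    return found


def flag_extensions(inventory, expected_ids, bad_versions):
    """Return (id, version, reason) for every entry that is not allowlisted or is a known-bad build."""
    flagged = []
    for entry in inventory:
        if entry["id"] not in expected_ids:
            flagged.append((entry["id"], entry["version"], "unexpected extension ID"))
        elif entry["version"] in bad_versions.get(entry["id"], ()):
            flagged.append((entry["id"], entry["version"], "known-compromised version"))
    return flagged


def build_sample_profile():
    """Create a constructed Chrome-like profile directory in a temp folder and return its path."""
    root = Path(tempfile.mkdtemp(prefix="sample-profile-"))
    layout = {
        # trusted extension: an older clean build and the compromised 24.10.4 build side by side
        (LEGIT_ID, "24.10.3_0"): {"name": "Proxy Extension (sample)", "version": "24.10.3"},
        (LEGIT_ID, "24.10.4_0"): {"name": "Proxy Extension (sample)", "version": "24.10.4"},
        # an extension nobody approved
        (UNKNOWN_ID, "1.0.0_0"): {"name": "Mystery Helper (sample)", "version": "1.0.0"},
    }
    for (ext_id, ver_folder), manifest in layout.items():
        d = root / "Extensions" / ext_id / ver_folder
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def demo():
    """Run the check against the constructed profile and return the flagged entries."""
    profile = build_sample_profile()
    return flag_extensions(inventory_extensions(profile), EXPECTED_IDS, BAD_VERSIONS)


if __name__ == "__main__":
    # Point this at a real profile, e.g. ~/.config/google-chrome/Default on Linux, to audit a machine.
    for ext_id, version, reason in demo():
        print(f"{ext_id} v{version}: {reason}")
```

Pointing `inventory_extensions` at a real profile path (for example `~/.config/google-chrome/Default` on Linux, or the equivalent `User Data\Default` folder on Windows) turns this into a quick fleet-wide audit; the allowlist and the bad-version map are the two inputs an administrator would maintain from the vendor's published extension ID and advisory.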
Browser extensions have long been a target for malicious actors attempting to exploit crypto traders.
In September 2024, a cybersecurity firm reported that the infamous Lazarus Group, a North Korean hacking organization known for its advanced campaigns against the cryptocurrency sector, had escalated its focus on crypto professionals and developers through deceptive video applications and by extending its reach into browser extensions.