Attackers have once again deployed a malicious tool online to take advantage of cryptocurrency owners. This time, they have disguised it as a crypto wallet browser extension, Shitcoin Wallet. It appears to be a simple browser add-on, but it is actually a crypto stealer.
What the Shitcoin Wallet Extension Claims
The app named Shitcoin Wallet surfaced online recently. According to a (supposed) official blog post on Medium, the Shitcoin Wallet is actually an Ethereum wallet. The blog further claims that the app is basically a web wallet with many browser extensions.
Regarding how it “serves” the users, the blog reads,
Being an Ethereum wallet means you can use it for managing, transferring, receiving your Ethers but also can use this wallet to interact with thousands of ERC20 tokens that thrive on the Ethereum blockchain.
The blog further promises users complete privacy by providing a simple wallet address. It also assures them that the wallet’s private key remains secure because it is stored on the user’s local PC.
Your wallet is 100% secure and you don’t need to worry about assets loss due to any hacker attack to ShitcoinWallet servers.
What Shitcoin Wallet Actually Does
The tool is available as a browser extension, and only for Chrome, which contradicts its claim of supporting multiple browsers. However, a desktop app for Windows has recently been launched as well.
Harry Denley, the Director of Security at MyCrypto, noticed malicious code in the extension. According to his findings, the extension steals crypto from popular platforms by injecting malicious JS code. He disclosed these findings in a tweet.
Extension-native wallet create also sends secrets to their backend!
Bad guys: erc20wallet[.]tk
ExtensionID: ckkgmccefffnbbalkmbbgebbojjogffn pic.twitter.com/TE2iw5d8Md
— harrydenley.eth ◊ (@sniko_) December 31, 2019
In brief, after installation the extension fetches malicious JS files from a remote server and injects them into target websites. According to ZDNet, the extension has 77 websites on its target list, and it injects the code whenever a user visits any of them.
The code then activates on five different platforms: MyEtherWallet, Binance, Idex.Market, NeoTracker, and Switcheo.exchange. From there, it steals users’ login credentials and private keys, which it stores on its remote server.
Crypto users must avoid this extension.
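To check whether a Chrome profile contains the extension, the following added example (not code from the article or from Denley's analysis) scans an Extensions directory for the extension ID and the domain quoted in the tweet. The sample manifests, the file name `c.js`, and the "runs on every site" heuristic are constructed for illustration and are not findings about the real extension's contents.

```python
import json
import tempfile
from pathlib import Path

# Indicators from the tweet above; the domain is refanged only at runtime.
BAD_IDS = {"ckkgmccefffnbbalkmbbgebbojjogffn"}
BAD_DOMAINS = {"erc20wallet[.]tk".replace("[.]", ".")}
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(ext_root):
    """Map extension ID -> sorted reasons, for <ext_root>/<id>/<version>/ trees."""
    findings = {}
    for manifest in Path(ext_root).glob("*/*/manifest.json"):
        ext_id, reasons = manifest.parent.parent.name, set()
        if ext_id in BAD_IDS:
            reasons.add("extension ID matches published indicator")
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still scan the packaged files
        data = data if isinstance(data, dict) else {}
        # Content scripts are how an extension injects JS into visited pages.
        for cs in data.get("content_scripts", []):
            if isinstance(cs, dict) and BROAD & set(cs.get("matches", [])):
                reasons.add("content script runs on every site (review)")
        # A packaged file naming the reported host is a strong signal.
        for f in manifest.parent.rglob("*"):
            if f.is_file() and f.suffix in {".js", ".json", ".html"}:
                text = f.read_text(encoding="utf-8", errors="ignore")
                reasons.update(f"{f.name} references {d}" for d in BAD_DOMAINS if d in text)
        if reasons:
            findings.setdefault(ext_id, set()).update(reasons)
    return {k: sorted(v) for k, v in findings.items()}

def build_sample(root):
    """Constructed data: one extension matching the indicators, one benign."""
    bad = Path(root) / "ckkgmccefffnbbalkmbbgebbojjogffn" / "1.0_0"
    ok = Path(root) / ("a" * 32) / "2.1_0"
    for d, matches in ((bad, ["<all_urls>"]), (ok, ["https://example.com/*"])):
        d.mkdir(parents=True)
        manifest = {"name": "sample", "content_scripts": [{"matches": matches, "js": ["c.js"]}]}
        (d / "manifest.json").write_text(json.dumps(manifest))
    (bad / "c.js").write_text('var host = "%s"; // constructed' % next(iter(BAD_DOMAINS)))
    (ok / "c.js").write_text("console.log('benign');")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for ext_id, reasons in audit_extensions(tmp).items():
            print(ext_id, reasons)
```

On a real machine, point `audit_extensions` at the profile's Extensions folder, for example `~/.config/google-chrome/Default/Extensions` on Linux. The broad-match reason alone also fires for many legitimate extensions, so treat it as a prompt for review rather than a verdict.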