Silent Swap Malware Uses Fake Browser Extension to Steal Cryptocurrency


What happened

Researchers at McAfee Labs have uncovered an active cryptocurrency theft campaign called Silent Swap, which uses a malicious browser extension to silently replace cryptocurrency wallet addresses copied by victims before they complete a transaction.

The campaign is distributed through unsigned installers that deploy a fake Google Notes extension on Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi. The malware modifies protected browser settings to install the extension without going through the official extension store.

Once installed, the extension requests access to the clipboard, browsing history, and all websites. When a user copies a cryptocurrency wallet address, Silent Swap intercepts it and replaces it with an attacker-controlled address. Because blockchain transactions cannot typically be reversed, victims may permanently lose their funds.

McAfee also found that the campaign shares infrastructure and techniques with the earlier CountLoader malware. One notable feature is its use of EtherHiding, which leverages blockchain technology to retrieve updated command-and-control server information, making the malware more resilient against takedowns.

Researchers observed infections worldwide, with the highest concentration reported in India, followed by the United States, Brazil, Indonesia, and Spain.

Who is affected

The campaign primarily targets individuals and organizations that conduct cryptocurrency transactions using Chromium-based browsers. Employees involved in finance, digital asset management, or cryptocurrency operations face the greatest risk if compromised endpoints are used for transactions.

Organizations that allow unrestricted browser extensions or have limited endpoint monitoring may also be more vulnerable to this type of attack. Because the malware installs itself silently and maintains persistence across browser restarts, infections may remain unnoticed for extended periods.

Why CISOs should care

Silent Swap demonstrates how browser extensions continue to evolve into an effective attack vector. Rather than stealing credentials directly, attackers manipulate legitimate user actions by changing wallet addresses at the final stage of a transaction.

The campaign also highlights increasingly sophisticated persistence techniques. By modifying browser security files and using blockchain-based infrastructure for command-and-control updates, attackers can evade traditional detection methods and quickly rotate their infrastructure.

For organizations handling digital assets, this serves as a reminder that browser security is now a critical component of endpoint protection and financial risk management.

3 practical actions

  • Restrict browser extension installations to approved sources and disable developer mode where possible through enterprise policies.
  • Monitor endpoints for unauthorized browser configuration changes, clipboard access, and unexpected extension installations.
  • Require independent verification of cryptocurrency wallet addresses before authorizing transactions, especially for high-value transfers.
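One way to act on the second point, as an added example that is not part of the article or McAfee's report: a Python audit that reads Chromium extension manifests and flags any extension that is missing from an approved allowlist or that requests clipboard access on all sites together with browsing-history access, the permission set the article attributes to the fake Notes extension. It assumes Chromium's standard manifest.json layout under a profile's Extensions folder; the sample manifests and extension ids are constructed.

```python
"""Audit Chromium extension manifests for the permission profile described above:
an extension not on the approved allowlist, clipboard access combined with broad
host access (what is needed to swap a copied wallet address on any site), or
browsing-history access. Sample manifests below are constructed for illustration;
real ones live under <profile>/Extensions/<id>/<version>/manifest.json."""
import json
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CLIPBOARD = {"clipboardRead", "clipboardWrite"}

def risk_flags(manifest: dict, allowlist: set, ext_id: str) -> list:
    """Return the reasons this extension deserves review (empty list means clean)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 lists host patterns inside "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    flags = []
    if ext_id not in allowlist:
        flags.append("not in allowlist")
    if perms & CLIPBOARD and hosts & BROAD_HOSTS:
        flags.append("clipboard access on all sites")
    if "history" in perms:
        flags.append("reads browsing history")
    return flags

def audit_profile(profile_dir: str, allowlist: set) -> dict:
    """Walk a Chromium profile's Extensions folder and collect flags per extension id."""
    findings = {}
    for manifest_path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            flags = risk_flags(json.load(fh), allowlist, ext_id)
        if flags:
            findings[ext_id] = flags
    return findings

# Constructed sample manifests and ids (placeholders, not real extensions).
SAMPLE_MANIFESTS = {
    "constructed-approved-notes": {"manifest_version": 3, "name": "Team Notes",
        "permissions": ["storage"], "host_permissions": ["https://notes.example.internal/*"]},
    "constructed-impostor-notes": {"manifest_version": 3, "name": "Google Notes",
        "permissions": ["clipboardRead", "clipboardWrite", "history", "storage"],
        "host_permissions": ["<all_urls>"]},
}
APPROVED = {"constructed-approved-notes"}

def audit_samples() -> dict:
    """Run the check over the constructed manifests; returns only flagged extensions."""
    return {eid: f for eid, m in SAMPLE_MANIFESTS.items() if (f := risk_flags(m, APPROVED, eid))}
```

On a real endpoint, call `audit_profile` with the browser profile directory (for example Chrome's `User Data/Default`) and the organisation's allowlist of extension ids; an extension the user never installed that appears here is the configuration change the second action asks you to monitor for.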