The user conjectured in a series of posts on X that the malicious extensions with the names "Sync test BETA (colorful)" and "Simple Game" might have included Keyloggers that target particular wallet extension apps.

Cybercriminals use malicious programs called keyloggers to log every keystroke made on a target's computer. As a result, the attackers can obtain private data from the victim's PC.

The customer claims that after Google Chrome published an update last month, the problem first became apparent. After Windows published a PC update, the user—who had been putting off the Chrome update—had to restart their computer.
 

It's interesting to note that after the restart, which happens frequently when installing operating system updates, the user's Chrome extensions were all removed, along with all of their tabs. The customer was compelled to reenter all of their Chrome login information as well as their bitcoin wallet seed phrases as a result.

According to the user's speculation, this is when the keylogger was used to access their private data. Three weeks following this incident, the monies were apparently depleted. Furthermore, after restarting, the user did not observe any strange activity in their browser.
 

"There were no problems found when I tested my virus scanner. No other strange extensions showed up. I then imported my seed phrases again," the user wrote.

The user didn't become aware of the two malicious extensions on their PC until much later, during an examination. Moreover, Google Translate was configured in their browser to translate text automatically into Korean.


According to the most recent update, the attackers allegedly transferred the money to Gate.io, which is domiciled in the Cayman Islands, and the MEXC exchange, which is based in Singapore.

The investigation revealed that the Sync test BETA (colorful) extension was a keylogger, even if the user was still unclear about how exactly their Chrome browser was hacked. According to reports, the plugin was transmitting data to a PHP script on an external website. When the attacker's website is manually accessed, all that is displayed is the word "Hello" on a blank page. The user further mentioned that the "Simple game" extension was "checking if tabs are updated/open/closed/refreshed."

Sell When Over said, "This is a $800k costly mistake — lesson is to wipe the entire PC first if anything seems off to the point where it prompts you to input a seed."
 

Both extensions were missing from the Chrome Web store at the time of publication.

For years, the Bitcoin industry has been plagued by malicious extensions for Google Chrome. Cybersecurity researchers found in a 2023 study that hackers were using a piece of chrome malware called Rilide to take advantage of unwary users and steal cryptocurrency and other data. The malware was used to install malicious browser extensions that may steal cryptocurrency.

As Crypto.news has previously reported, in late 2022, another piece of Windows malware was found. It stole clipboard data and cryptocurrency via Google Chrome addons. The extensions have the ability to alter HTML on websites so that they show the real user funds in a wallet while silently depleting the wallet.