In a stark reminder of the ever-present dangers lurking in the digital realm, cybersecurity researchers have unearthed a sophisticated malicious Google Chrome extension designed to pilfer API keys from users of MEXC, a prominent centralized cryptocurrency exchange (CEX).
The Deceptive ‘MEXC API Automator’
Dubbed “MEXC API Automator” (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), this seemingly innocuous browser add-on masquerades as a legitimate tool for automating trading on the MEXC platform. Despite its sinister purpose, the extension, which has garnered 29 downloads, remained available on the Chrome Web Store at the time of the report. It was initially published on September 1, 2025, by a developer operating under the alias “jorjortan142.”
A Silent Takeover: How API Keys Are Compromised
The mechanism of compromise is both cunning and alarming. As detailed by Socket security researcher Kirill Boychenko, the extension operates by programmatically generating new MEXC API keys. Crucially, it enables withdrawal permissions for these keys, a critical capability for any attacker. To evade detection, it then subtly conceals these activated withdrawal permissions within the user interface (UI), creating a false sense of security for the victim.
Once generated, these highly sensitive API keys and their corresponding secrets are immediately exfiltrated to a hardcoded Telegram bot, which is under the direct control of the threat actor. The Chrome Web Store listing itself deceptively promotes the extension as a tool that “simplifies connecting your trading bot to the MEXC exchange” by generating API keys with necessary permissions, including for trading and withdrawals – precisely the permissions the attackers exploit.
Unfettered Access: The Grave Consequences
The implications of this breach are severe. With the installed extension, threat actors gain complete control over any MEXC account accessed from the compromised browser. This allows them to execute trades, initiate automated withdrawals, and, most critically, drain wallets and balances accessible through the service. The attack leverages an already authenticated browser session, circumventing the need for passwords or traditional authentication bypasses.
“In practice, as soon as the user navigates to MEXC’s API management page, the extension injects a single content script, script.js, and begins operating inside the already authenticated MEXC session,” Socket researchers explained. The script specifically targets the “/user/openapi” URL, where API keys are managed. It then creates a new API key, ensures withdrawal capabilities are active, and manipulates the UI to hide this permission. Upon completion, the Access Key and Secret Key are swiftly transmitted to the attacker’s Telegram bot via an HTTPS POST request.
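As an added illustration that is not part of the Socket report or this article, the following Python audit turns the indicators described above (a content script scoped to the exchange's API-management page, a hardcoded Telegram bot endpoint, references to withdrawal permission, and the published extension ID) into a heuristic check over an unpacked extension. The sample extension files, the host list and the regular expressions are constructed assumptions; the sample script holds only indicator strings and a placeholder token.

```python
import json
import re

# Constructed sample of an unpacked extension, modelled on the indicators in the report
# (content script scoped to the exchange's API-management page, hardcoded Telegram bot URL).
# The script body holds only indicator strings and a placeholder token; it does nothing.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "name": "Example Automator",
        "manifest_version": 3,
        "content_scripts": [{"matches": ["https://*.mexc.com/user/openapi*"],
                             "js": ["script.js"]}],
    }),
    "script.js": "const hook = 'https://api.telegram.org/bot<BOT_TOKEN>/sendMessage';\n"
                 "const perms = { trade: true, withdraw: true };",
}

# Constructed benign extension for comparison: no exchange-scoped content script.
BENIGN_EXTENSION = {
    "manifest.json": json.dumps({"name": "Dark Mode", "manifest_version": 3,
                                 "content_scripts": [{"matches": ["https://*.example.org/*"],
                                                      "js": ["theme.js"]}]}),
    "theme.js": "document.body.classList.add('dark');",
}

KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}  # extension ID named in the report
EXCHANGE_HOSTS = ("mexc.com",)  # assumption: extend with other exchanges you monitor
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot[^/\s'\"]+", re.I)
WITHDRAW_RE = re.compile(r"withdraw", re.I)


def audit_extension(files, ext_id=None):
    """Return a list of findings for an unpacked extension.

    `files` maps file names to contents; `ext_id` is the Web Store ID when known.
    """
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append(f"extension ID {ext_id} is a known malicious ID")
    manifest = json.loads(files["manifest.json"])
    scoped = []  # scripts injected into exchange pages
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if any(host in pattern for host in EXCHANGE_HOSTS):
                findings.append(f"content script scoped to exchange page: {pattern}")
                scoped.extend(cs.get("js", []))
    # Only inspect scripts that run inside the exchange session, where keys are issued.
    for name in scoped:
        body = files.get(name, "")
        if TELEGRAM_BOT_RE.search(body):
            findings.append(f"{name}: hardcoded Telegram bot API endpoint (exfiltration channel)")
        if WITHDRAW_RE.search(body):
            findings.append(f"{name}: references withdrawal permission")
    return findings
```

A match on the ID alone is conclusive; the other three findings together are a strong signal but should be confirmed by reading the script, since legitimate trading tools may also mention withdrawals.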
The Persistent Threat
What makes this threat particularly insidious is its persistence. The stolen keys remain active and functional as long as they are valid and not revoked. This grants attackers unfettered access to the victim’s account, even if the user eventually uninstalls the malicious extension from their Chrome browser. As Boychenko succinctly put it, “In effect, the threat actor uses the Chrome Web Store as the delivery mechanism, the MEXC web UI as the execution environment, and Telegram as the exfiltration channel.”
Tracing the Digital Footprints
While the full identity of the perpetrators remains elusive, a reference to “jorjortan142” points to an X (formerly Twitter) handle of the same name. This handle, in turn, links to a Telegram bot named “SwapSushiBot,” which is also actively promoted across TikTok and YouTube channels created as recently as August 17, 2025, suggesting a relatively new but coordinated operation.
Beyond MEXC: A Broader Warning for Crypto Users
This incident serves as a critical warning for the wider cryptocurrency ecosystem. Socket researchers caution that “the same playbook can be readily adapted to other exchanges, DeFi dashboards, broker portals, and any web console that issues tokens in session.” Future iterations of such attacks are likely to feature heavier obfuscation, demand broader browser permissions, and potentially bundle support for multiple platforms into a single, more dangerous extension.
Users are urged to exercise extreme caution when installing browser extensions, particularly those promising to simplify or automate cryptocurrency trading. Always verify the legitimacy of developers and be wary of granting extensive permissions. Regularly review and revoke API keys, especially if you suspect any unauthorized activity.