A compromised version of the popular Chrome proxy extension SwitchyOmega has been caught stealing private keys from cryptocurrency wallets, putting over 500,000 users at risk, cybersecurity firm SlowMist has warned.
The breach reportedly originated from a phishing attack targeting an employee at Cyberhaven, an AI-powered data security company. According to a March 12 report by SlowMist, the attackers sent a deceptive email claiming that Cyberhaven’s browser extension violated Google’s policies and was at risk of removal unless immediate action was taken.
Exploiting this phishing attempt, the attackers gained access to Cyberhaven’s OAuth credentials, allowing them to inject malicious code into SwitchyOmega and upload a compromised version (24.10.4) to the Chrome Web Store. As the extension auto-updated, unsuspecting users installed the infected version, unknowingly exposing their private keys and mnemonic phrases.
While it’s unclear how many of the 500,000 affected users were directly compromised, SlowMist has urged users to verify their installed extension IDs against the official version to ensure they are not using the tainted release.
This incident is part of a growing trend of cyber threats targeting crypto traders through browser extensions. In September 2024, analysts at Group-IB reported that Lazarus Group, a North Korean hacking syndicate notorious for attacking the crypto industry, had ramped up its focus on browser extensions and fake video apps to infiltrate the digital asset sector.
With cybercriminals increasingly exploiting browser-based vulnerabilities, SlowMist recommends that crypto users regularly audit their installed extensions, enable two-factor authentication, and avoid clicking suspicious links to mitigate risks.
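The ID and version check SlowMist recommends can be scripted. The following is an added example, not code from the article or from SlowMist's report; it assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json` under a profile directory, and it uses a placeholder extension ID because the article does not give one.

```python
import json
import re
import tempfile
from pathlib import Path

ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 chars, a-p

# Placeholder ID: the article does not give the real one; substitute the ID
# published in the vendor advisory. The version is the one the article names.
PLACEHOLDER_ID = "a" * 32
WATCHLIST = {PLACEHOLDER_ID: {"24.10.4"}}


def installed_extensions(profile_dir):
    """Yield (id, version, name) for each unpacked version under Extensions/."""
    for manifest in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        if not ID_RE.match(ext_id):
            continue  # e.g. Chrome's "Temp" working directory
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        yield ext_id, str(data.get("version", "?")), str(data.get("name", "?"))


def audit(profile_dir, watchlist=WATCHLIST):
    """Return installed (id, version, name) tuples that match the watchlist."""
    return [e for e in installed_extensions(profile_dir)
            if e[1] in watchlist.get(e[0], ())]


def build_sample_profile(root):
    """Constructed sample data: a fake profile with three extension folders."""
    samples = [
        (PLACEHOLDER_ID, "24.10.4_0", {"name": "Sample Proxy", "version": "24.10.4"}),
        ("b" * 32, "1.2.0_0", {"name": "Sample Notes", "version": "1.2.0"}),
        ("Temp", "x", {"name": "ignored", "version": "24.10.4"}),
    ]
    for ext_id, folder, manifest in samples:
        d = Path(root, "Extensions", ext_id, folder)
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, version, name in audit(build_sample_profile(tmp)):
            print(f"FLAGGED {ext_id} {name} {version}")
```

To use it on a real machine, point `audit()` at a profile directory (for example `~/.config/google-chrome/Default` on Linux) and replace the placeholder ID with the one published by the extension's vendor.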
Adding to the growing wave of cyber threats, North Korea’s state-backed hacking group, Lazarus, recently launched a fresh supply chain attack, deploying six malicious npm packages to steal credentials and siphon cryptocurrency data. The Socket Research Team uncovered the campaign, revealing that the hackers used BeaverTail malware to infiltrate developers’ systems and extract sensitive information.