The 49 browser add-ons, potentially the work of Russian threat actors, were identified (find the list here) by researchers from MyCrypto and PhishFort.
"Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files," explained Harry Denley, director of security at MyCrypto. "Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts."
Although the offending extensions were removed within 24 hours after they were reported to Google, MyCrypto's analysis showed that they began to appear on the Web Store as early as February 2020, before ramping up in subsequent months.
In addition, all the extensions functioned alike, the only difference being the cryptocurrency wallet brands that were impacted — such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey — via 14 unique command-and-control (C2) servers that received the phished data.
For instance, MEW CX, the malicious add-on targeting MyEtherWallet, was found capturing the seed phrases and transmitting them to an attacker-controlled server with an intention to drain the victim's wallet of digital funds.
However, funds were not stolen from every account this way. The researchers theorize this could be either because the criminals are after high-value accounts only or that they have to manually sweep the accounts.
Some of the extensions, Denley said, came with fake five-star reviews, thus increasing the chances that an unsuspecting user might download it.
"There was also a network of vigilant users who wrote legitimate reviews about the extensions being malicious — however, it is hard to say if they were victims of the phishing scams themselves, or just helping the community to not download," Denley added.
Data stealing extensions have been a regular occurrence on the Chrome Web Store, leading Google to purge them as soon as they're discovered. Back in February, the company removed 500 malicious extensions after they were caught serving adware and sending users' browsing activity to C2 servers under the control of attackers.
If you suspect you have become a victim of a malicious browser extension and lost funds, it's recommended you file a report at CryptoScamDB.