The Hacker News · 3 min read

Silent Swap Clipper Steals Crypto Via Fake Google Notes Extension

McAfee Labs has identified an active cryptocurrency theft campaign codenamed Silent Swap, which utilizes a malicious browser extension disguised as a Google Notes utility to replace users' cryptocurrency wallet addresses during transactions. The campaign is distributed via unsigned installers, observed in both .NET and Golang formats. Once installed, the extension monitors the clipboard for cryptocurrency wallet addresses. When a user copies an address to their clipboard, the Silent Swap malware intercepts it and replaces it with an attacker-controlled address. This stealthy replacement means that when the user pastes the address to send cryptocurrency, they are unknowingly sending it to the attacker's wallet instead of their intended recipient.

The researchers noted that the extension is particularly insidious because it targets the moment of transaction initiation, a point where users are often less vigilant. The fake Google Notes extension is designed to appear legitimate, potentially tricking users into granting it the necessary permissions to monitor their clipboard activity. The campaign's effectiveness relies on the user's trust in the fake extension and their haste in completing transactions. The attackers aim to exploit the common practice of copying and pasting wallet addresses, a method prone to error and manipulation.

McAfee Labs has not yet disclosed the specific number of users affected or the total value of cryptocurrency stolen. However, the active nature of the campaign and its sophisticated method of operation suggest a significant potential for financial loss. The researchers are advising cryptocurrency users to exercise extreme caution when installing browser extensions, especially those that request broad permissions or mimic popular services. Verifying the legitimacy of extensions through official app stores and checking developer information is crucial. Additionally, users are encouraged to double-check all wallet addresses before confirming any cryptocurrency transactions, even if they believe they have copied the correct one.
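The advice above about broad permissions and lookalike names can be turned into a quick triage of an installed extension's `manifest.json`. The following is an added example, not code from McAfee Labs or The Hacker News; the heuristics, finding labels, brand-word list and both sample manifests are constructed assumptions, and the `update_url` comparison is only a hint because a manifest can declare any value.

```javascript
// Added example: triage a browser-extension manifest.json for clipper-style risk.
// Heuristics and sample manifests are constructed; they are not from the McAfee report.
const WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx";
const CLIPBOARD_PERMS = ["clipboardRead", "clipboardWrite"];
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
const BRAND_WORDS = /\b(google|chrome)\b/i; // assumption: names worth a second look

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
  const hosts = perms.concat(manifest.host_permissions || []);
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  const clip = perms.filter((p) => CLIPBOARD_PERMS.includes(p));
  if (clip.length) findings.push("clipboard-access: " + clip.join(","));
  if (hosts.some((h) => BROAD_HOSTS.includes(h))) findings.push("broad-host-permission");
  if (scriptMatches.some((m) => BROAD_HOSTS.includes(m))) findings.push("content-script-on-all-sites");

  // Store-installed extensions carry the Web Store update_url; sideloaded ones usually do not.
  const fromStore = manifest.update_url === WEB_STORE_UPDATE_URL;
  if (!fromStore) findings.push("not-from-web-store");
  if (!fromStore && BRAND_WORDS.test(manifest.name || "")) {
    findings.push("brand-name-on-sideloaded-extension");
  }
  return findings;
}

function riskLevel(findings) {
  const touchesClipboard = findings.some((f) => f.startsWith("clipboard-access"));
  const sideloaded = findings.includes("not-from-web-store");
  if (touchesClipboard && sideloaded) return "high";
  return findings.length ? "review" : "low";
}

// Constructed manifests for illustration only.
const SUSPECT = {
  manifest_version: 3,
  name: "Google Notes",
  permissions: ["clipboardRead", "clipboardWrite", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const BENIGN = {
  manifest_version: 3,
  name: "Plain Notes",
  permissions: ["storage"],
  update_url: WEB_STORE_UPDATE_URL,
};
```

Localized names of the form `__MSG_...__` have to be resolved from the extension's `_locales` folder before the name check means anything.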

This Silent Swap campaign highlights the evolving tactics of cybercriminals in the cryptocurrency space. By leveraging social engineering and deceptive software, attackers can bypass traditional security measures. The use of clipboard hijacking is a well-known technique, but its application within a seemingly benign productivity extension presents a novel threat vector. The McAfee Labs report emphasizes the ongoing need for robust cybersecurity practices and user education to combat these emerging threats.
