Bitstamp Uncovers Bitcoin-Stealing Chrome Extension

The Slovenia-based Bitcoin trading platform, Bitstamp, revealed in a Tweet that it had uncovered a Google Chrome extension that replaced all QR codes
The Slovenia-based Bitcoin trading platform, Bitstamp, revealed in a Tweet that it had uncovered a Google Chrome extension that replaced all QR codes

The Slovenia-based Bitcoin trading platform, Bitstamp, revealed in a Tweet that it had uncovered a Google Chrome extension that replaced all QR codes. It linked to Bitcoin addresses and then linked to the thief’s wallet. This is not the first time criminals have attempted to steal Bitcoin via Google Chrome extensions.

Malicious Extension

On March 11, Bitstamp released a Tweet that said it had discovered a Google Chrome extension called ‘BitcoinWisdom Ads Remover’ that “will try to steal your Bitcoin”:

Members of the Bitcoin community were quick to investigate the claims, with Devon Weller, a cryptocurrency web app developer saying:

“Confirmed. I looked at the source code. It replaces QR code images on bitcoin exchanges with its own addresses.”

Reddit Investigates

Further investigation by Reddit user, /u/methamphetaminic, revealed some interesting developments. They discovered that the browser extension had about 200 bitcoin addresses hard-coded into it, but only 3 transactions had made their way to the scammer’s wallet; payments of 0.00433517 BTC from 1FosyhE1WvDxTBjA6e4a8N6yJ5MkZgDgUZ, 0.00186735 BTC from 1ExHFeLBKxmqtfi5mEd6ov6a5vBaBuHCYH, and of 0.07805963 BTC from 1MaUiURfN7pytCTC1FnHRSZ13N6AzXVszp, all of which took place in July 2015.

The Redditor surmised that these were probably test payments by the scammer to ensure his payment system worked. They also suggested that, given the lack of transactions going into the scammer’s wallet, the scamming operation can’t have been all that successful or profitable.

Interestingly, something not seen in previous Google Chrome extension scams, the extension didn’t simply try to replace all addresses and QR codes with the the scammer’s, but instead only targeted addressed on sites including bitstamp.net, btc-e.com, and hasnest.com. Some have suggested that the scammer probably had some personal grievance against one or more of these sites, and such wanted petty revenge. This Redditor in particular theorised that it could be “somebody who hates ads on bitcoinwisdom, [or] maybe a miner who also deals with bitstamp and btc-e in particular.”

Chrome Extension Scams

This is far from the first time that scammers have tried to steal users’ Bitcoin using Google Chrome extensions. In April 2014, an extension entitled ‘Cryptsy Dogecoin Live Ticker’ released an update to its semi-popular chrome extension that had code in in that rerouted Bitcoin transactions again to the scammer’s wallet instead of the intended recipient. The extension, developed by TheTrollBox, was quickly removed from the Chrome Store by Google, along with the developer’s 21 other extensions, which were all various variations on the ‘Live Ticker’ name.