jorjortan142
jorjortan142 is a threat actor handle linked by Socket’s Threat Research Team to the malicious Chrome extension “MEXC API Automator,” published to the Chrome Web Store on September 1, 2025. The extension targeted users of the MEXC cryptocurrency exchange and was presented as a tool for trading automation and API key creation. According to the reporting, it activated on MEXC’s API management page, programmatically created API keys inside the victim’s authenticated browser session, enabled broad permissions including withdrawals, and manipulated the UI so withdrawal access appeared disabled while remaining enabled server-side. It then scraped the newly generated Access Key and Secret Key from the page and exfiltrated them via HTTPS to attacker-controlled Telegram infrastructure using a hardcoded bot token and chat ID. Socket assessed the extension as malware and stated the stolen API credentials could be used to execute trades and automated withdrawals, potentially draining victim funds without stealing passwords or bypassing 2FA. The activity is associated with the alias jorjortan142, and the reporting also states the same handle appeared on X as @jorjortan142 with the display name “sushi.crypto,” linked to SwapSushi-branded infrastructure including t[.]me/swapsushibot and swapsushi[.]net. Russian-language inline comments were noted in the code, suggesting a Russian-speaking developer, but no country-level attribution was made in the content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- crypto
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated with a malicious Chrome extension (“MEXC API Automator”) that performs in-browser account takeover of MEXC users by silently creating/scraping API keys with trading and withdrawal permissions and exfiltrating them to attacker-controlled Telegram infrastructure.
Operates a malicious Chrome extension (“MEXC API Automator”) distributed via the Chrome Web Store to steal newly-created MEXC exchange API keys (including withdrawal permissions) by automating key creation inside an authenticated session, deceptively hiding the withdrawal permission in the UI, and exfiltrating the API key/secret to a hardcoded Telegram bot for subsequent account takeover and fund theft. The same operator is moderately confidently linked to “SwapSushi” branded Telegram/X/YouTube infrastructure.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.