Chrome extension found stealing crypto-wallet private keys


A Google Chrome extension named Shitcoin Wallet was found to be injecting JavaScript code on web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals.

This extension which was launched on December 9 lets users manage Ether (ETH) coins and also Ethereum ERC20-based tokens — tokens usually issued for ICOs (initial coin offerings).

The users can install the Chrome extension and manage ETH coins and ERC20 tokens from within their browser. They can also install a Windows desktop app, if they wish to manage their funds from outside the browser.

But the Shitcoin wallet app was not doing what it was supposed to be doing. Harry Denley, Director of Security at the MyCrypto platform, found that the extension contained malicious code.

According to him, the extension is dangerous to users in two ways. First one is that any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk.

The extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk.

Secondly, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code steals login credentials and private keys, data that it’s sent to the same erc20wallet[.]tk third-party website.

On analysis of the malicious code, the process takes place as

  • Users install the Chrome extension
  • The extension requests permission to inject JavaScript (JS) code on 77 websites
  • When users navigate to any of these 77 sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
  • This JS file contains obfuscated code
  • The code activates on five websites:, Idex.Market,,, and
  • After activating the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and, eventually sends the data to erc20wallet[.]tk

It is however not clear whether the Shitcoin Wallet team is responsible for the malicious code, or if the Chrome extension was compromised by a third-party.

On the extension’s official website, 32-bit and 64-bit installers were also made available to users. On scanning with VirusTotal, both the files are found to be clean.

But according to various comments posted on the wallet’s Telegram channel, the desktop apps might contain similar malicious code, if not worse.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Mariah Carey’s Twitter Hacked on New Year’s Eve

    Previous article

    Poloniex forces password reset after a data leak

    Next article

    You may also like

    More in Malware


    Leave a reply

    Your email address will not be published. Required fields are marked *