AdsPower Browser Extension Supply Chain Attack Drains $4.7 Million From Crypto Wallets

The cryptocurrency community faces yet another stark reminder that threats do not always come from external attackers breaching smart contracts or phishing for seed phrases. Sometimes, the very tools designed to protect users become the attack vector. In January 2025, AdsPower — a widely used anti-detect browser popular among cryptocurrency traders and digital marketers — suffered a devastating supply chain compromise that resulted in approximately $4.7 million in stolen digital assets from user wallets.

The Exploit Mechanics

The attack was not a conventional phishing campaign or a brute-force intrusion. Instead, it represents a textbook supply chain compromise targeting AdsPower’s browser extension update pipeline. The attackers first gained access to AdsPower’s internal systems responsible for distributing extension updates. The exact method of initial access remains undisclosed, but once inside, the attackers embedded malicious JavaScript code within a legitimate-looking extension update.

The malicious payload was designed for stealth. It did not alter the visible behavior of the browser or any installed extensions. Instead, it silently monitored for interactions with cryptocurrency wallet extensions — including MetaMask, Phantom, and Coinbase Wallet — and extracted private keys, seed phrases, wallet passwords, and transaction signing data. This sensitive information was then transmitted to attacker-controlled servers.

Because modern browsers automatically apply extension updates, the malicious code was pushed to all active AdsPower installations without requiring any user interaction. The attack was entirely passive from the user’s perspective. Anyone with crypto wallet extensions installed within their AdsPower profiles was potentially compromised.

Affected Systems

The breach primarily affected AdsPower users who managed cryptocurrency wallets through the browser’s profile system. Anti-detect browsers like AdsPower are popular among crypto traders who operate multiple accounts across exchanges and DeFi platforms. These users often keep wallet extensions installed within browser profiles for convenience, making them especially vulnerable to this type of supply chain attack.

With Bitcoin trading at approximately $103,700 and Ethereum near $3,113 at the time of the breach, the $4.7 million in losses could represent a relatively small number of high-value wallets or a larger number of moderately funded accounts. The scope extended across multiple wallet providers, indicating that the malicious code was designed to be wallet-agnostic rather than targeting a specific provider.

The attack also highlights a broader vulnerability in the anti-detect browser ecosystem. These tools inherently require deep access to browser internals — cookie management, fingerprint spoofing, proxy configuration — which means any compromise of the update pipeline grants attackers access to virtually everything stored within the browser.

The Mitigation Strategy

AdsPower acknowledged the breach and took several remediation steps. The company reverted the compromised extension update and issued a security advisory urging all users to update to version 5.0.10 immediately. Users were also advised to revoke all wallet permissions, transfer remaining funds to new wallets with fresh seed phrases, and enable additional security layers such as hardware wallet integration.

On the infrastructure side, AdsPower implemented enhanced code-signing requirements for extension updates, additional code review processes, and stricter access controls for the update pipeline. While these measures address the specific attack vector used in this incident, security researchers note that the structural vulnerabilities inherent to the anti-detect browser model remain largely unaddressed.
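The two mechanics the article describes, an update pushed automatically to every installation and a pipeline that now requires code signing and review, come down to a gate that runs before an update is applied. The following is an added example, not AdsPower's code or any real extension's manifest: it hashes a candidate update bundle against a release hash published out-of-band and diffs the candidate manifest's `permissions` and `host_permissions` (real Chrome Manifest V3 fields) against the previously installed version, blocking the update on a hash mismatch or on any permission expansion until a human reviews it. The extension name, manifest contents and bundle bytes are constructed for the example.

```python
import hashlib
import json

# Constructed sample data (not any real extension): the manifest of the version
# currently installed and the manifest shipped in a candidate update.
PREVIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "example-profile-helper",  # hypothetical extension name
    "version": "1.4.2",
    "permissions": ["storage", "cookies"],
    "host_permissions": ["https://app.example-dashboard.invalid/*"],
}

CANDIDATE_MANIFEST = {
    "manifest_version": 3,
    "name": "example-profile-helper",
    "version": "1.4.3",
    # Permission creep: the update quietly asks for tab access, script
    # injection and every origin, which is what a wallet-scraping payload needs.
    "permissions": ["storage", "cookies", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
}

# Constructed stand-in for the packaged update (.crx / .zip bytes).
CANDIDATE_BUNDLE = b"console.log('profile helper 1.4.3');"

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an update bundle, compared against the published hash."""
    return hashlib.sha256(data).hexdigest()


def permission_delta(old: dict, new: dict):
    """Return (added permissions, added host permissions) as sorted lists."""
    added = sorted(set(new.get("permissions", [])) - set(old.get("permissions", [])))
    added_hosts = sorted(
        set(new.get("host_permissions", [])) - set(old.get("host_permissions", []))
    )
    return added, added_hosts


def vet_update(bundle: bytes, old_manifest: dict, new_manifest: dict, pinned_sha256: str) -> dict:
    """Decide whether an update may be applied automatically.

    Returns {"ok": bool, "reasons": [...]}: ok is False when the bundle hash
    differs from the hash published out-of-band or when the manifest requests
    anything the installed version did not have. Either condition sends the
    update to manual review instead of every installation.
    """
    reasons = []
    actual = sha256_hex(bundle)
    if actual != pinned_sha256:
        reasons.append(f"hash mismatch: expected {pinned_sha256[:12]}..., got {actual[:12]}...")
    added, added_hosts = permission_delta(old_manifest, new_manifest)
    if added:
        reasons.append(f"new permissions requested: {added}")
    broad = [h for h in added_hosts if h in BROAD_HOSTS]
    if broad:
        reasons.append(f"broad host access requested: {broad}")
    elif added_hosts:
        reasons.append(f"new host permissions requested: {added_hosts}")
    return {"ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # A clean release: hash published by the release process, same permissions.
    published = sha256_hex(CANDIDATE_BUNDLE)
    print(json.dumps(vet_update(CANDIDATE_BUNDLE, PREVIOUS_MANIFEST, PREVIOUS_MANIFEST, published)))
    # A tampered release: someone swapped the bundle after the hash was published
    # and the manifest now asks for every origin.
    print(json.dumps(vet_update(b"tampered", PREVIOUS_MANIFEST, CANDIDATE_MANIFEST, published)))
```

The hash check only helps if the expected value reaches clients through a channel the update pipeline cannot rewrite (a signed release note, a separate host, or a signature verified with a key that is not stored on the build server); a hash served alongside the bundle by the same compromised pipeline proves nothing. The permission diff is cheap to run on the client side as well, and it is exactly the kind of change a silent update should never be allowed to make without a visible prompt.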

Lessons Learned

This incident offers several critical takeaways for the cryptocurrency community. First, supply chain attacks represent one of the most dangerous threat vectors because they exploit trusted distribution mechanisms. Users have no reason to suspect that a legitimate software update contains malicious code. Second, storing cryptocurrency wallet credentials within any third-party browser — anti-detect or otherwise — introduces significant risk. The convenience of browser-integrated wallets comes at the cost of expanded attack surface.

Third, the incident underscores the importance of hardware wallets for storing significant cryptocurrency holdings. Hardware wallets keep private keys offline and require physical confirmation for transactions, making them immune to browser-based credential theft regardless of how the attack vector is delivered.

User Action Required

If you used AdsPower between January 21 and January 29, 2025, and had cryptocurrency wallet extensions installed within your browser profiles, you should assume your credentials may have been compromised. Immediate steps include updating to AdsPower version 5.0.10 or later, transferring all remaining funds to new wallets with fresh seed phrases, revoking all token approvals and spending limits connected to potentially compromised wallets, and enabling hardware wallet authentication for all accounts where it is supported. Additionally, review transaction history on all previously connected wallets for any unauthorized transfers, and report any suspicious activity to the relevant exchanges and law enforcement.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding cryptocurrency protection strategies.

11 thoughts on “AdsPower Browser Extension Supply Chain Attack Drains $4.7 Million From Crypto Wallets”

  1. Supply chain attacks are genuinely terrifying. You trust the update pipeline and it turns out that's exactly where they hit you. $4.7m gone from a browser extension update is wild.

    1. The part about no visible behavior changes is what gets me. How are you supposed to detect something that doesn't change anything you can see?

      1. Mira S., the malicious payload literally monitored wallet activity silently. No visible changes by design; that's what made it a $4.7M heist instead of a failed attempt.

      2. You don't. That's the whole point. This is why hardware wallets with screens exist, so you can verify what you're signing.

    2. This is why hardware wallets exist. Browser extensions with wallet access are a single point of failure by design.

    3. update_paranoia: This is exactly why I auto-update nothing crypto related. Browser extensions with wallet access should require manual review for every update.

      1. update_paranoia, disabling auto-updates helps, but then you miss security patches. There's no winning with browser extensions that have wallet access.

    1. Anti-detect browsers used for multi-accounting getting compromised. The irony of a tool designed to evade detection becoming the attack vector.

      1. Anti-detect browsers used for multi-accounting getting hacked through their own update pipeline is darkly funny. The tool designed to protect you became the attack vector.
