Securing Your Crypto Wallet Against the Wave of Fake Browser Extensions Targeting Digital Asset Users

The intersection of browser-based threats and cryptocurrency theft has reached a new intensity. On May 20, 2025, DomainTools Intelligence revealed that an unknown threat actor has been operating over 100 malicious Chrome browser extensions since February 2024, specifically targeting users of cryptocurrency platforms, banking services, and AI tools. With Bitcoin hovering near $106,791 and Ethereum at $2,524, the potential losses from a single compromised wallet make these extensions among the most dangerous threats facing crypto holders today.

The Threat Landscape

The campaign uncovered by DomainTools represents a sophisticated evolution in browser-based attacks. The threat actor creates convincing websites that masquerade as legitimate services — including impersonations of DeepSeek, Manus, DeBank, FortiVPN, and Site Stats — to direct users to malicious extensions on the Chrome Web Store. These extensions are not simple phishing pages; they are fully functional tools that deliver the advertised features while simultaneously running covert operations to steal credentials, hijack browser sessions, inject advertisements, and execute arbitrary code from attacker-controlled servers.

Core Principles

Protecting yourself starts with understanding how these extensions operate. Each malicious extension requests excessive permissions through its manifest.json file, enabling it to interact with every website visited in the browser. Some extensions use the “onreset” event handler on temporary DOM elements to execute code, a technique specifically designed to bypass Content Security Policy restrictions. The extensions harvest browser cookies, fetch arbitrary scripts from remote servers, and establish WebSocket connections to route traffic through the victim’s browser — effectively turning your computer into a proxy for the attackers.

Tooling and Setup

Building a robust defense requires a multi-layered approach to browser security. Start by auditing your current extensions: navigate to chrome://extensions/ and review every installed add-on. Remove any extension you do not actively use or cannot verify as coming from a trusted developer. Create a dedicated browser profile specifically for cryptocurrency activities — this isolates your wallet extensions from general browsing. Consider using hardware wallets like Ledger or Trezor for any significant holdings, as they keep private keys off your computer entirely. Enable Chrome’s Enhanced Safe Browsing mode, which provides additional warnings about potentially dangerous extensions.
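The extension audit above can be backed by a script that reads each installed extension's manifest.json and flags the excessive-permission pattern described under Core Principles. This is an added example, not code from DomainTools or the original article; the risky-permission list is an assumption chosen to match the behaviours named above, the sample manifests are constructed, and the path to the profile's Extensions directory must be supplied by the reader.

```python
import json
import sys
from pathlib import Path

# API permissions matching the behaviours described above: cookie harvesting,
# script injection, and routing traffic through the browser (assumed list).
RISKY_API = {"cookies", "scripting", "webRequest", "proxy", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return risky API permissions and all-site host access for one manifest."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))        # Manifest V3
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 style
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    finding = {
        "name": manifest.get("name", "?"),  # may be a __MSG_*__ locale key
        "risky_api": sorted(perms & RISKY_API),
        "broad_hosts": sorted(hosts & BROAD_HOSTS),
    }
    # All-site access combined with a sensitive API is the pattern to review first.
    finding["review_first"] = bool(finding["risky_api"] and finding["broad_hosts"])
    return finding

def audit_profile(extensions_dir):
    """Audit every <extension id>/<version>/manifest.json under extensions_dir."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        findings.append({"id": path.parent.parent.name, **audit_manifest(manifest)})
    return findings

# Constructed sample manifests (not taken from the campaign).
SAMPLE_BROAD = {"name": "Example Helper", "manifest_version": 3,
                "permissions": ["cookies", "scripting", "storage"],
                "host_permissions": ["<all_urls>"]}
SAMPLE_SCOPED = {"name": "Example Notes", "manifest_version": 3,
                 "permissions": ["storage"],
                 "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    if len(sys.argv) > 1:   # path to the profile's Extensions directory
        results = audit_profile(sys.argv[1])
    else:
        results = [audit_manifest(SAMPLE_BROAD), audit_manifest(SAMPLE_SCOPED)]
    for f in results:
        print(json.dumps(f))
```

A flagged extension is not necessarily malicious, since many legitimate tools request all-site access; the output is a shortlist of what to verify against the developer's official site first.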

Ongoing Vigilance

The most deceptive aspect of this campaign is that the extensions actually work as advertised. They provide genuine utility while silently exfiltrating data in the background. The threat actor has even manipulated the review system: extensions redirect users who leave low ratings (1-3 stars) to a private feedback form on an attacker-controlled domain, while sending users who leave high ratings (4-5 stars) to the official Chrome Web Store review page. This artificially inflates ratings and suppresses negative feedback. Many of the lure websites use Facebook tracking IDs, suggesting the attackers are leveraging Facebook pages, groups, and paid advertisements to drive traffic to their malicious download pages.

Final Takeaway

In an environment where a single compromised extension can drain a wallet worth hundreds of thousands of dollars, browser security is not optional — it is foundational. The 100+ fake extensions identified by DomainTools are likely just the visible portion of a much larger campaign. Google has removed the identified extensions, but new ones will emerge. Your best defense is skepticism: verify every extension against the official developer’s website, scrutinize the permissions it requests, and never trust high ratings alone as proof of legitimacy. With the cryptocurrency market capitalization exceeding $3.4 trillion, the incentives for attackers will only grow.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with cybersecurity professionals.

11 thoughts on “Securing Your Crypto Wallet Against the Wave of Fake Browser Extensions Targeting Digital Asset Users”

  1. btc at 106k means a single compromised extension could drain a life changing amount. 15 of your net worth gone because you clicked allow on a fake DeepSeek tool

  2. impersonating DeepSeek and DeBank at the same time. the attackers know exactly which tools crypto users search for

    1. phantom_op_ impersonating DeepSeek and DeBank at the same time. the attackers built fake landing pages that actually functioned just to get the extension installed

  3. The rise in malicious browser extensions really highlights the need for better permission scoping in web3 browsers. Users often blindly click ‘allow’ without realizing they’re giving away full access. This guide is a solid starting point for anyone trying to tighten up their operational security.

    1. users clicking allow without reading is the whole problem. extensions request wallet access and people just approve it like terms of service

      1. Lukas Hartmann

        the permissions model is fundamentally broken. a calculator extension should never be able to request wallet access

  4. Sarah "Hodl" Jenkins

    I honestly don’t trust any browser extension for my main stack anymore. It feels like every other week there’s a new vulnerability being exploited. If you aren’t using a hardware wallet to sign every single transaction, you’re basically asking for trouble at this point.

    1. hardware wallet for every tx is the move but most people are too lazy. until a fake extension drains their bag

  5. 100+ malicious extensions since feb 2024 and chrome still has no meaningful review process. googles extension store is becoming the new app store for malware

    1. chrome web store review is basically non-existent. they rely on post-install reports which means the damage is already done

      1. chrome_refugee

        Piotr W. 100+ extensions since feb 2024 and google still relies on user reports. the review process is basically non existent
