The cryptocurrency community faces a chilling reminder that browser extensions, not smart contracts, can be the weakest link in a user’s security chain. Blockchain security firm SlowMist published a detailed report on March 18, 2025, exposing a critical vulnerability in SwitchyOmega, a widely used Chrome proxy-switching extension with over 500,000 downloads. The compromised extension has put the private keys and browser credentials of more than 2.6 million user devices at risk, making it one of the most significant supply-chain attacks targeting crypto users in recent memory.
The Exploit Mechanics
The attack traces back to December 24, 2024, when an employee at Cyberhaven, a data detection company, fell victim to a sophisticated phishing email. The message falsely claimed that Cyberhaven’s browser extension violated Google’s Chrome Web Store policies and faced immediate removal unless urgent action was taken. Under pressure, the employee clicked a phishing link and authorized an OAuth application called “Privacy Policy Extension,” granting the attacker full control over Cyberhaven’s Chrome Web Store account.
Once inside, the attackers uploaded a malicious version (24.10.4) of the Cyberhaven extension containing a worker.js file that connected to a command-and-control server. This file downloaded configuration data and stored it in Chrome’s local storage, while a companion content.js script monitored browser activity. The malicious version went live on December 25 at 01:32 UTC and remained active for 31 hours before being taken down.
The Booz Allen Hamilton investigation revealed that over 30 Chrome extensions suffered similar attacks. SwitchyOmega’s V3 version, which was published under a different developer account than the original V2, was among the compromised extensions. Its popularity among crypto users who rely on proxy configurations for wallet access and DeFi interactions made it an especially attractive target.
Affected Systems
The scale of the compromise is staggering. Over 500,000 downloads of compromised extensions occurred through the Chrome Web Store. Sensitive data from more than 2.6 million user devices was stolen, including browser cookies, saved passwords, and potentially cryptocurrency wallet credentials. Some compromised extensions remained available in the Chrome Web Store for up to 18 months, during which users had little to no indication that their data had been exposed.
For cryptocurrency users specifically, the risk profile is severe. SwitchyOmega is commonly used to route traffic through specific nodes or regions, a practice frequently employed when accessing decentralized exchanges, DeFi protocols, or blockchain explorers. If a user’s private keys or seed phrases were stored in browser-based wallets like MetaMask while the compromised extension was active, attackers could have silently exfiltrated those credentials.
The Mitigation Strategy
SlowMist recommends immediate action for anyone who used SwitchyOmega or any of the affected extensions. First, users should uninstall the compromised extension and verify they are using the official version from the original developer. Second, all passwords stored in the Chrome browser should be changed immediately. Third, any cryptocurrency wallets accessed through the browser during the exposure period should be considered compromised — funds should be migrated to new wallets with fresh seed phrases.
On a broader scale, the incident highlights the dangers of OAuth-based supply-chain attacks. The attackers exploited Google’s own authentication infrastructure to push malicious updates through Chrome’s automatic update mechanism. This means users had no way to prevent the compromise short of disabling automatic extension updates entirely.
Lessons Learned
The SwitchyOmega incident underscores a fundamental truth in cryptocurrency security: the attack surface extends far beyond blockchain protocols and smart contracts. Browser extensions, which operate with full access to page content and network requests, represent a critical vulnerability that most users overlook. The fact that an attacker needed only a single phishing email to compromise extensions used by millions demonstrates how fragile the browser extension ecosystem remains.
Bitcoin, trading at approximately $82,718 at the time of the report, and Ethereum at $1,932, represent significant assets that could be stolen through such supply-chain attacks. The $1.5 billion ByBit heist just weeks earlier, attributed to North Korea’s Lazarus Group, used similar techniques — exploiting infrastructure software rather than protocol vulnerabilities.
User Action Required
Crypto users should audit their browser extensions immediately, removing any that are not strictly necessary. Hardware wallets should be used for storing significant cryptocurrency holdings, as they keep private keys offline and beyond the reach of browser-based attacks. Users should also enable two-factor authentication on all exchange accounts and consider using a dedicated browser profile, free of unnecessary extensions, for cryptocurrency activities. The SwitchyOmega incident is a wake-up call: in the world of digital assets, your browser is part of your perimeter, and every extension is a potential doorway for attackers.
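The audit recommended above can be made systematic. The following Python script is an added example and is not SlowMist's, Cyberhaven's or SwitchyOmega's code. It walks a Chrome profile's Extensions directory, reads each manifest.json, and surfaces the risk signals the article describes: permissions that reach cookies, traffic or proxy settings, host patterns covering every site, an update_url outside the Chrome Web Store, and hard-coded remote hosts in the extension's own scripts (a worker.js that pulls configuration from a command-and-control server is exactly such a host). The profile paths are assumptions for a default Chrome profile; the extension IDs, names, hostnames and manifests in the built-in demo are constructed, not taken from any real extension. The score is a triage heuristic, not a verdict: a proxy switcher legitimately needs the "proxy" permission and broad host access, so the findings are meant to be reviewed by hand.

```python
"""Audit a Chrome profile's installed extensions for supply-chain risk signals.

Added example, not the code of any project named in the article. Scores are
a triage heuristic: review flagged extensions, do not treat a score as proof.
"""
import json
import re
import sys
import tempfile
from pathlib import Path

# Permissions that expose credentials, cookies, traffic or proxy settings.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "proxy", "debugger", "scripting", "tabs", "history", "nativeMessaging",
}
# Host patterns that match every page the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Update endpoint used by extensions installed from the Chrome Web Store.
OFFICIAL_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Default-profile extension directories (assumed; adjust for other profiles).
PROFILE_EXTENSION_DIRS = [
    Path.home() / ".config/google-chrome/Default/Extensions",
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def audit_manifest(manifest: dict) -> dict:
    """Score one manifest.json; returns name, version, score and findings."""
    findings, score = [], 0
    perms = set(manifest.get("permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if p == "<all_urls>" or "://" in p}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
        score += 2 * len(risky)
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append("access to every site: " + ", ".join(broad))
        score += 3 * len(broad)
    update_url = manifest.get("update_url")
    if update_url is None:
        findings.append("no update_url: sideloaded or unpacked, not store-vetted")
        score += 1
    elif update_url != OFFICIAL_UPDATE_URL:
        findings.append("updates served outside the Web Store: " + update_url)
        score += 3
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "score": score, "findings": findings}


def remote_hosts(ext_dir: Path) -> set:
    """Hostnames hard-coded in the extension's JavaScript (candidate config/C2 hosts)."""
    found = set()
    for js in ext_dir.rglob("*.js"):
        found |= set(URL_RE.findall(js.read_text(encoding="utf-8", errors="replace")))
    return found


def audit_extensions_dir(root: Path) -> list:
    """Audit every <id>/<version>/manifest.json under a Chrome Extensions directory."""
    results = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parts[-3]
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError) as exc:
            results.append({"id": ext_id, "name": "?", "version": "?", "score": 1,
                            "findings": [f"unreadable manifest: {exc}"]})
            continue
        result = audit_manifest(manifest)
        result["id"] = ext_id
        hosts = remote_hosts(manifest_path.parent)
        if hosts:
            result["findings"].append("scripts contact: " + ", ".join(sorted(hosts)))
            result["score"] += 2
        results.append(result)
    return sorted(results, key=lambda r: -r["score"])


def demo() -> list:
    """Run the audit over three constructed extensions written to a temp directory."""
    fixtures = {
        # Constructed: MV2 helper that fetches its config from its own server.
        "a" * 32: ({"manifest_version": 2, "name": "Constructed Helper", "version": "1.0",
                    "permissions": ["cookies", "https://*/*"],
                    "update_url": "https://updates.example.invalid/crx"},
                   'fetch("https://config.example.invalid/settings.json");'),
        # Constructed: a proxy switcher with the access such a tool needs.
        "b" * 32: ({"manifest_version": 3, "name": "Constructed Proxy Switcher", "version": "3.0",
                    "permissions": ["proxy", "webRequest", "storage"],
                    "host_permissions": ["<all_urls>"], "update_url": OFFICIAL_UPDATE_URL},
                   "chrome.proxy.settings.set({value: {mode: 'direct'}});"),
        # Constructed: a minimal store-installed extension with no remote hosts.
        "c" * 32: ({"manifest_version": 3, "name": "Constructed Notes", "version": "1.2",
                    "permissions": ["storage"], "update_url": OFFICIAL_UPDATE_URL}, ""),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, (manifest, worker_js) in fixtures.items():
            ext_dir = Path(tmp) / ext_id / manifest["version"]
            ext_dir.mkdir(parents=True)
            (ext_dir / "manifest.json").write_text(json.dumps(manifest))
            (ext_dir / "worker.js").write_text(worker_js)
        return audit_extensions_dir(Path(tmp))


def main(argv: list) -> int:
    """Audit the directory given on the command line, the default profile, or the demo."""
    root = Path(argv[1]) if len(argv) > 1 else next((p for p in PROFILE_EXTENSION_DIRS if p.is_dir()), None)
    results = audit_extensions_dir(root) if root else demo()
    for r in results:
        print(f"[{r['score']:>2}] {r['name']} {r['version']} ({r['id']})")
        for finding in r["findings"]:
            print("      - " + finding)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to an Extensions directory (or with no argument to let it look for the default profile, falling back to the constructed demo). Extensions sort to the top when they combine broad site access, credential-reaching permissions, and scripts that talk to hosts outside the Web Store update channel; those are the ones to uninstall or replace with the original developer's version, as the article advises.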
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult security professionals for personalized guidance.
2.6 million devices exposed from a proxy extension nobody thinks about. the attack surface from browser extensions is massively underrated
The Cyberhaven phishing chain is wild. One employee clicks one link and millions of crypto users are at risk. Supply chain attacks are the new frontier
the OAuth grant is the real vulnerability here. giving a third party full Chrome Web Store access via a single OAuth click is a design flaw in the extension ecosystem
the OAuth grant giving full store account access is a Google problem. extension developers need scoped permissions yesterday
one employee clicking a phishing link compromised millions of devices. supply chain attacks are the real threat vector now
phishing an employee with a fake policy violation email is the oldest trick. same social engineering playbook hit Ledger in 2020 and it worked perfectly both times
December 24th compromise and not caught until March. Three months of malicious code running in half a million browsers. Let that sink in
3 months of malicious code running before anyone noticed. think about how many private keys were exfiltrated in that window
500k downloads and 3 months undetected. the malicious payload pulled updates from a C2 server so it evolved over time. static extension reviews would have missed it