---
title: "Fake MEXC Trading Extension on Chrome Store Exposes Millions to Crypto Theft"
date: 2026-01-13
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/01/fake-mexc-chrome-extension-exposes-millions-of-wallets-for-crypto-theft.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Fake MEXC Trading Extension on Chrome Store Exposes Millions to Crypto Theft

A malicious Chrome extension posing as a trading tool for the MEXC exchange has compromised user accounts and stolen cryptocurrency.

## Quick Summary – TLDR:

- A Chrome extension named MEXC API Automator secretly enabled withdrawals and stole user API credentials.
- The extension exfiltrated sensitive data to a Telegram bot controlled by the attacker.
- It manipulated the MEXC interface to hide dangerous permissions, misleading users.
- Despite being flagged, the extension is still available on the Chrome Web Store at the time of writing.

## What Happened?

A malicious Chrome extension called **MEXC API Automator** has been discovered stealing credentials from users of the [cryptocurrency exchange](https://sqmagazine.co.uk/crypto-exchange-statistics/) MEXC. Published on the Chrome Web Store on **September 1, 2025**, it claimed to automate trading tasks but instead gave attackers full control over victim accounts. The extension was flagged by cybersecurity firm **Socket**, which exposed its deceptive techniques and urged immediate user action.

> 🚨 New research: A malicious Chrome Web Store extension is stealing newly created [\#MEXC](https://twitter.com/hashtag/MEXC?src=hash&ref_src=twsrc%5Etfw) API keys and exfiltrating them to a Telegram bot, enabling full account takeover with trading and withdrawal rights.  
>   
> Details → <https://t.co/U3Z6gCcZ7a> [\#crypto](https://twitter.com/hashtag/crypto?src=hash&ref_src=twsrc%5Etfw)
> 
> — Socket (@SocketSecurity) [January 12, 2026](https://twitter.com/SocketSecurity/status/2010829127079637288?ref_src=twsrc%5Etfw)

## A Closer Look at the Threat

The extension was marketed as a productivity tool to simplify the process of creating MEXC API keys for traders. In reality, it was a **credential-stealing malware** that allowed attackers to:

- **Create new API keys** with full permissions including trading and withdrawals.
- **Hide enabled withdrawal permissions** from the user interface through clever CSS manipulation.
- **Intercept and send API credentials** to a hardcoded Telegram bot controlled by the attacker.

Once users visited the **MEXC API management page**, the extension injected a malicious script into the session. This script automatically ticked all permission checkboxes, including withdrawal rights, even though the UI made it look like withdrawals were disabled.

After the user completed **two-factor authentication (2FA)**, the script grabbed the newly generated API key and secret and sent them to a [Telegram](https://sqmagazine.co.uk/telegram-statistics/) bot using a fixed bot token and chat ID. These credentials gave the attacker **programmatic access** to the victim’s [MEXC](https://sqmagazine.co.uk/mexc-statistics/) account, letting them execute trades and **withdraw funds without needing passwords or additional verification**.

## How It Works

- Operates only within the browser during an authenticated MEXC session.
- Does not bypass 2FA but waits until the user completes it to steal the API key.
- Sends credentials via **HTTPS POST** to a Telegram bot for remote control.
- Maintains deception by hiding withdrawal permission status in the UI with injected styles.
- Uses **Russian language comments** in its code, indicating the likely origin of the threat actor.

The attacker used the alias **jorjortan142** and promoted the extension under the brand **SwapSushi**. This handle appears on multiple platforms:

- An **X (Twitter)** account with the handle **@jorjortan142** branding themselves as “sushi.crypto”
- A **Telegram bot** at **t\[.\]me/swapsushibot**
- A **[YouTube](https://sqmagazine.co.uk/youtube-statistics/) channel** promoting SwapSushi tools
- A suspicious domain **swapsushi\[.\]net** flagged by anti-scam communities

## MEXC: A High-Value Target

MEXC is one of the world’s largest centralized crypto exchanges, serving users in **over 170 countries**. Its support for **API-based trading and withdrawals** makes it a **prime target** for attackers seeking direct access to user funds.

Although MEXC officially blocks users in countries like the **United States, Canada, and the United Kingdom**, many users in those regions bypass restrictions using VPNs. This significantly expands the potential victim pool and **complicates incident response**.

**The stolen API keys:**

- Are **long-lived** and often not rotated regularly.
- Are commonly used across **bots and trading systems**.
- Are less likely to trigger alerts compared to logins.

This allows attackers to quietly drain funds over time or rapidly execute trades and withdrawals before users notice anything wrong.

## Security Recommendations

Socket’s researchers warn that this kind of attack may be replicated across other exchanges and financial tools. They recommend:

- **Auditing all browser extensions** on devices accessing financial accounts.
- **Removing suspicious extensions**, especially those offering automated trading or API features.
- Treating API keys as **high-value secrets** by storing them securely and rotating them frequently.
- Monitoring for **anomalous behavior** like API key creation or trades from unfamiliar locations.
- Using **browser extension allowlists** and centralized controls in enterprise environments.
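
As an added example (not Socket's scanner and not the extension's own code), the script below audits an unpacked Chrome extension directory for the three traits the "How It Works" section describes: a content script matched to MEXC pages, a hard-coded Telegram bot endpoint, and styles that hide UI elements. The extension name, MEXC URL path and bot token in its built-in sample are constructed placeholders.

```python
# Added example (not Socket's tooling): audit an unpacked Chrome extension for the traits above.
import json
import re
import tempfile
from pathlib import Path

EXCHANGE_RE = re.compile(r"mexc\.(com|co)", re.I)                 # assumed exchange domains
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+")  # Telegram Bot API URL shape
HIDDEN_RE = re.compile(r"(display\s*[:=]\s*[\"']?none|visibility\s*[:=]\s*[\"']?hidden)", re.I)

def audit_extension(ext_dir):
    """Return (name, [(indicator, where), ...]) for one unpacked extension directory."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    hits = []
    # Content-script match patterns that put extension code on the exchange's pages
    for cs in manifest.get("content_scripts", []):
        hits += [("script_on_exchange", m) for m in cs.get("matches", []) if EXCHANGE_RE.search(m)]
    # Bundled scripts: a hard-coded Telegram bot endpoint, and styles that hide UI elements
    for js in sorted(ext_dir.rglob("*.js")):
        src = js.read_text(encoding="utf-8", errors="ignore")
        if TELEGRAM_BOT_RE.search(src):
            hits.append(("telegram_bot_endpoint", js.name))
        if HIDDEN_RE.search(src):
            hits.append(("hides_ui_elements", js.name))
    return manifest.get("name", ext_dir.name), hits

def verdict(hits):
    """Code on the exchange page plus a Telegram bot endpoint is the combination seen here."""
    kinds = {k for k, _ in hits}
    if "script_on_exchange" in kinds and "telegram_bot_endpoint" in kinds:
        return "likely credential stealer"
    return "review manually" if hits else "no indicators"

def run_demo():
    """Build a constructed sample extension (placeholder name, path and token) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "sample_ext"
        ext.mkdir()
        (ext / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": "Constructed API Automator",
            "content_scripts": [{"matches": ["https://www.mexc.com/user/openapi*"], "js": ["content.js"]}]}))
        (ext / "content.js").write_text(
            '// constructed sample fragment, not the real extension\n'
            'const EXFIL = "https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage";\n'
            'document.querySelector("#withdraw").closest("label").style.display = "none";\n')
        name, hits = audit_extension(ext)
    return name, hits, verdict(hits)
```

Point `audit_extension` at a real profile's `Extensions/<id>/<version>/` directory to review what is actually installed; a "review manually" result still deserves a look, since the verdict only keys on the exact combination seen in this case.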

Socket’s AI-based scanning tools have flagged the MEXC API Automator as confirmed malware. They are continuing to alert users and have reported the issue to Google.

## SQ Magazine’s Takeaway

I find it shocking that a malicious extension like this could stay live on the **Chrome Web Store** for months, even after being flagged. Crypto users often trust browser tools to make their lives easier, but this is a reminder that convenience can come at a steep price. **If you’re using any kind of extension that touches your exchange account, now is the time to double-check and clean house**. Even if you’re security-savvy, UI tricks like hiding withdrawal permissions can fool anyone.