A malicious Chrome extension posing as a trading tool for the MEXC exchange has compromised user accounts and stolen cryptocurrency.
Quick Summary – TLDR:
- A Chrome extension named MEXC API Automator secretly enabled withdrawals and stole user API credentials.
- The extension exfiltrated sensitive data to a Telegram bot controlled by the attacker.
- It manipulated the MEXC interface to hide dangerous permissions, misleading users.
- Despite being flagged, the extension is still available on the Chrome Web Store at the time of writing.
What Happened?
A malicious Chrome extension called MEXC API Automator has been discovered stealing credentials from users of the cryptocurrency exchange MEXC. Published on the Chrome Web Store on September 1, 2025, it claimed to automate trading tasks but instead gave attackers full control over victim accounts. The extension was flagged by cybersecurity firm Socket, which exposed its deceptive techniques and urged immediate user action.
🚨 New research: A malicious Chrome Web Store extension is stealing newly created #MEXC API keys and exfiltrating them to a Telegram bot, enabling full account takeover with trading and withdrawal rights.
— Socket (@SocketSecurity) January 12, 2026
Details → https://t.co/U3Z6gCcZ7a #crypto
A Closer Look at the Threat
The extension was marketed as a productivity tool to simplify the process of creating MEXC API keys for traders. In reality, it was a credential-stealing malware that allowed attackers to:
- Create new API keys with full permissions including trading and withdrawals.
- Hide enabled withdrawal permissions from the user interface through clever CSS manipulation.
- Intercept and send API credentials to a hardcoded Telegram bot controlled by the attacker.
Once users visited the MEXC API management page, the extension injected a malicious script into the session. This script automatically ticked all permission checkboxes, including withdrawal rights, even though the UI made it look like withdrawals were disabled.
After the user completed two-factor authentication (2FA), the script grabbed the newly generated API key and secret and sent them to a Telegram bot using a fixed bot token and chat ID. These credentials gave the attacker programmatic access to the victim’s MEXC account, letting them execute trades and withdraw funds without needing passwords or additional verification.
How It Works?
- Operates only within the browser during an authenticated MEXC session.
- Does not bypass 2FA but waits until the user completes it to steal the API key.
- Sends credentials via HTTPS POST to a Telegram bot for remote control.
- Maintains deception by hiding withdrawal permission status in the UI with injected styles.
- Uses Russian language comments in its code, indicating the likely origin of the threat actor.
The attacker used the alias jorjortan142 and promoted the extension under the brand SwapSushi. This handle appears on multiple platforms:
- An X (Twitter) account with the handle @jorjortan142 branding themselves as “sushi.crypto”
- A Telegram bot at t[.]me/swapsushibot
- A YouTube channel promoting SwapSushi tools
- A suspicious domain swapsushi[.]net flagged by anti-scam communities
MEXC: A High-Value Target
MEXC is one of the world’s largest centralized crypto exchanges, serving users in over 170 countries. Its support for API-based trading and withdrawals makes it a prime target for attackers seeking direct access to user funds.
Although MEXC officially blocks users in countries like the United States, Canada, and the United Kingdom, many users in those regions bypass restrictions using VPNs. This significantly expands the potential victim pool and complicates incident response.
The stolen API keys:
- Are long-lived and often not rotated regularly.
- Are commonly used across bots and trading systems.
- Are less likely to trigger alerts compared to logins.
This allows attackers to quietly drain funds over time or rapidly execute trades and withdrawals before users notice anything wrong.
Security Recommendations
Socket’s researchers warn that this kind of attack may be replicated across other exchanges and financial tools. They recommend:
- Auditing all browser extensions on devices accessing financial accounts.
- Removing suspicious extensions, especially those offering automated trading or API features.
- Treating API keys as high-value secrets by storing them securely and rotating them frequently.
- Monitoring for anomalous behavior like API key creation or trades from unfamiliar locations.
- Using browser extension allowlists and centralized controls in enterprise environments.
Socket’s AI-based scanning tools have flagged the MEXC API Automator as confirmed malware. They are continuing to alert users and have reported the issue to Google.
SQ Magazine’s Takeaway
I find it shocking that a malicious extension like this could stay live on the Chrome Web Store for months, even after being flagged. Crypto users often trust browser tools to make their lives easier, but this is a reminder that convenience can come at a steep price. If you’re using any kind of extension that touches your exchange account, now is the time to double-check and clean house. Even if you’re security-savvy, UI tricks like hiding withdrawal permissions can fool anyone.
