The extension functioned like a typical trading assistant: it connected smoothly with the Phantom and Solflare wallets, displayed DEX data, and supported one-click swaps. Underneath, however, its code inserted additional instructions into every transaction it built. Because a Solana transaction bundles several instructions under a single signature, a transfer appended to a legitimate swap is approved together with that swap, which is what made the fund drains silent. The extension also exfiltrated wallet public keys and other metadata to attacker-controlled servers.
This incident highlights a growing trend of supply-chain attacks conducted through browser extensions, targeting users who rely on browser-based wallets for daily cryptocurrency operations.
Key Risks
- Hidden malicious instructions embedded in legitimate transactions
- Obfuscated and tampered JavaScript within extension files
- Unauthorized exfiltration of wallet information
- Appeared legitimate on the Chrome Web Store at time of analysis
Recommended Actions
- Review and audit all installed Chrome extensions
- Use only trusted and verified wallet add-ons
- Inspect every blockchain transaction before approval, checking each instruction and the balance changes the wallet prompt shows, not only the swap you intended to make
- Move assets to hardware wallets where possible
- Immediately relocate funds if any irregular activity is detected
About COE Security
COE Security provides cybersecurity, compliance, and digital risk management services for cloud platforms, enterprise infrastructure, and financial technology environments. Our expertise includes:
- Browser extension security and supply-chain threat assessments
- Web3 and blockchain security auditing
- Threat intelligence, SOC support, and incident response
- Penetration testing across web, mobile, API, and cloud systems
- Compliance readiness under GDPR, HIPAA, PCI-DSS, DPDPA, and other frameworks
- Digital forensics and crypto-incident investigations
COE Security supports organizations in defending against advanced browser-based threats, malicious extensions, and emerging attack vectors across decentralized ecosystems.
Follow COE Security on LinkedIn for ongoing threat intelligence and security updates.