Google Lens Extension Exposed: Crypto Credential Stealing Scam Uncovered

A Malicious Chrome Extension Exploits Trust to Steal Cryptocurrency Credentials

A recently compromised Chrome extension, masquerading as a Google Lens tool, has been used to pilfer cryptocurrency wallet credentials and login data from unsuspecting users. The extension, which allowed users to perform on-screen image searches, was found to have been hijacked by malicious actors. The issue came to light when cybersecurity researchers discovered suspicious scripts embedded in the extension, which had previously been considered legitimate and safe. Prior to mid-February, the extension functioned normally, but after a change in ownership, a new version was released containing malicious code. Following the update, users began receiving fake “Google Update” and “Security Alert” prompts, urging them to take immediate action.

The Attack Technique

The attack relied on a technique known as “ClickFix,” where clicking on the fraudulent alert triggered hidden code execution in the background. This enabled attackers to access stored browser logins, cryptocurrency wallet addresses, and other sensitive information without the user’s knowledge. Researchers noted that the compromised update introduced remote code execution capabilities, using an image pixel onload trick to run commands on affected systems remotely.

Incident Analysis

Security analysts have described the incident as a textbook example of a supply chain attack, where a trusted application or extension is acquired by a new owner who then exploits the existing user base. Because Chrome extensions update automatically, the infected version was silently distributed to all users who had the tool installed, affecting an estimated 7,000 users.

Response and Recommendations

Google has since removed the compromised extension from the Chrome Web Store and appears to have automatically disabled the extension within users’ browsers to prevent further damage. This incident is not an isolated event, as cryptocurrency users have been targeted through browser extensions in the past. Trust Wallet previously confirmed that its official Chrome extension had been compromised, resulting in significant digital asset losses.

Cybersecurity professionals advise users to install only essential extensions and regularly review permissions granted to them. Any unexpected permission changes, unusual behavior, or prompts urging immediate updates through pop-ups should be treated with caution. Updates should always be performed through official web stores or verified websites rather than by clicking unsolicited alerts.
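One way to act on the permission-review advice above, as an added example that is not code from the original article, from Google, or from the extension in question: a small audit that diffs an extension's manifest against a previously reviewed copy and flags the permissions a credential-harvesting update would need. The two manifests are constructed for illustration; the Chrome profile path is given only as a hint for running it against a real install.

```python
import json
import re
from pathlib import Path

# Permission strings that let an extension read every page, run code, or
# intercept traffic: the capabilities a hijacked update needs to harvest logins.
HIGH_RISK_APIS = {"scripting", "tabs", "webRequest", "webRequestBlocking",
                  "cookies", "clipboardRead", "nativeMessaging", "debugger"}
# Host patterns that cover every site: <all_urls>, *://*/*, https://*/* ...
BROAD_HOST = re.compile(r"^(<all_urls>|(\*|[a-z]+)://\*/)")


def effective_permissions(manifest: dict) -> set[str]:
    """API plus host permissions. MV2 lists host patterns under 'permissions';
    MV3 moves them to 'host_permissions', so read both."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def risky_permissions(perms: set[str]) -> set[str]:
    """Subset that is a powerful API or a host pattern covering every site."""
    return {p for p in perms if p in HIGH_RISK_APIS or BROAD_HOST.match(p)}


def audit_update(baseline: dict, current: dict) -> dict:
    """Compare a previously reviewed manifest with the one now installed.
    Returns the permissions that appeared with the update and which of them
    are high risk; either set being non-empty deserves a manual look."""
    added = effective_permissions(current) - effective_permissions(baseline)
    return {
        "extension": current.get("name"),
        "version": f'{baseline.get("version")} -> {current.get("version")}',
        "added": added,
        "added_high_risk": risky_permissions(added),
    }


def installed_manifests(profile_dir: Path) -> list[dict]:
    """Load manifests from a Chrome profile, e.g. ~/.config/google-chrome/Default
    on Linux (layout: Extensions/<id>/<version>/manifest.json)."""
    return [json.loads(p.read_text(encoding="utf-8"))
            for p in profile_dir.glob("Extensions/*/*/manifest.json")]


# Constructed manifests (not the real extension's): a benign screen-search
# tool, then the same extension after an update that widened its reach.
BASELINE = {"name": "Screen Image Search", "version": "1.4.0", "manifest_version": 3,
            "permissions": ["activeTab", "storage", "contextMenus"]}
UPDATED = {"name": "Screen Image Search", "version": "1.5.0", "manifest_version": 3,
           "permissions": ["activeTab", "storage", "contextMenus", "tabs", "scripting"],
           "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    print(audit_update(BASELINE, UPDATED))
```

Keeping a copy of each reviewed manifest and re-running the audit after every silent update is what turns the "watch for unexpected permission changes" advice into a repeatable check.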

Conclusion

The repeated targeting of browser add-ons by cybercriminals seeking financial gain highlights the importance of vigilance in the digital landscape.