A malicious Chrome extension called MEXC API Automator is actively stealing API keys from cryptocurrency exchange MEXC users by creating hidden withdrawal-enabled keys and exfiltrating them to a Telegram bot.
A newly discovered malicious Chrome extension is targeting cryptocurrency traders by masquerading as a legitimate trading automation tool while secretly stealing API keys with full account access. The extension, named MEXC API Automator, has been available on the Chrome Web Store since September 2025 and has already accumulated 29 downloads.
Security researchers from Socket identified the threat, which specifically targets users of MEXC, a centralized cryptocurrency exchange serving over 170 countries. The extension operates by exploiting the user's authenticated browser session to programmatically generate new API keys with dangerous permissions, then exfiltrates those credentials to attacker-controlled infrastructure.
How the Attack Works
The malicious extension uses a sophisticated multi-stage attack that bypasses traditional security controls by operating entirely within the user's authenticated session:
Delivery and Installation: The extension is distributed through the official Chrome Web Store, giving it a veneer of legitimacy. Once installed, it requests permissions to interact with MEXC's domain.
Session Hijacking: When the user navigates to MEXC's API management page (/user/openapi), the extension injects a content script called script.js that begins operating within the already-authenticated session. This eliminates the need to steal passwords or bypass authentication.
Key Generation: The script programmatically creates a new API key pair (Access Key and Secret Key) through the legitimate MEXC interface.
Permission Manipulation: The extension enables withdrawal permissions on the newly created key, which is critical because it allows the attacker to transfer funds out of the account. However, it then tampers with the page's UI to hide this permission from the user, making it appear as if withdrawals are disabled.
Exfiltration: Once the key pair is generated, the extension immediately extracts both values and sends them via HTTPS POST request to a hardcoded Telegram bot controlled by the threat actor.
Socket security researcher Kirill Boychenko explained: "The extension programmatically creates new MEXC API keys, enables withdrawal permissions, hides that permission in the user interface (UI), and exfiltrates the resulting API key and secret to a hardcoded Telegram bot controlled by the threat actor."
The Impact: Complete Account Control
This attack grants threat actors nearly complete control over the victim's MEXC account. With API keys that have withdrawal permissions, attackers can:
- Execute trades on behalf of the victim
- Perform automated withdrawals to external wallets
- Access and drain wallet balances
- Monitor account activity in real-time
- Maintain persistent access even after the victim uninstalls the extension
The threat remains active as long as the compromised API keys remain valid and unrevoked. This means victims could continue losing funds even after removing the malicious extension from their browser.
Why This Attack is Particularly Dangerous
Traditional security measures like two-factor authentication (2FA) and strong passwords provide no protection against this attack vector. The extension operates entirely within the user's authenticated session, effectively becoming a trusted client from the server's perspective.
Boychenko noted: "In effect, the threat actor uses the Chrome Web Store as the delivery mechanism, the MEXC web UI as the execution environment, and Telegram as the exfiltration channel."
This creates a dangerous scenario where:
- The Chrome Web Store's review process failed to catch the malicious behavior
- The MEXC platform appears to be operating normally from the user's perspective
- The exfiltration happens through legitimate HTTPS channels that blend with normal traffic
Attribution and Infrastructure
The extension was published under the developer name "jorjortan142." This handle appears to be connected to an X (formerly Twitter) account and a Telegram bot called SwapSushiBot, which is also promoted across TikTok and YouTube. The YouTube channel associated with this identity was created on August 17, 2025, suggesting the threat actor has been planning this operation for several months.
Broader Implications and Future Threats
Socket's analysis warns that this attack methodology represents a significant evolution in credential theft that could easily be adapted to target other platforms:
"By hijacking a single API workflow inside the browser, threat actors can bypass many traditional controls and go straight for long-lived API keys with withdrawal rights. The same playbook can be readily adapted to other exchanges, DeFi dashboards, broker portals, and any web console that issues tokens in session."
Future variants are likely to:
- Use heavier obfuscation to evade detection
- Request broader browser permissions to access more data
- Bundle support for multiple platforms into single extensions
- Target additional cryptocurrency exchanges and financial services
Protection and Mitigation
For users who may have installed this or similar extensions:
Immediate Actions:
- Uninstall the extension immediately
- Log into MEXC and navigate to API Management
- Revoke ALL API keys, not just suspicious ones
- Check account activity for unauthorized transactions
- Change account passwords as a precaution
Preventive Measures:
- Only install extensions from verified, well-known developers
- Be skeptical of tools that request API key generation permissions
- Regularly audit installed Chrome extensions
- Use separate browser profiles for trading activities
- Consider using hardware wallets for significant holdings
API Security Best Practices:
- Never grant withdrawal permissions to API keys unless absolutely necessary
- Set strict IP whitelists for API access
- Use API keys with minimal required permissions
- Regularly rotate API keys
- Monitor API key usage logs for suspicious activity
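As an added defensive example (not code from Socket or from the article), the following Python script audits a Chrome profile's installed extension manifests for the traits described in the attack walkthrough above and supports the "Regularly audit installed Chrome extensions" advice: the extension ID reported in this article, a content script injected on the MEXC API management page, and a declared host permission for Telegram's Bot API. The mexc.com domain and the api.telegram.org host are assumptions, since the article names neither; the sample manifests are constructed for the demonstration.

```python
"""Flag Chrome extension manifests matching the MEXC API Automator pattern."""
import json
from pathlib import Path

# Indicators from the article; the exchange domain and Telegram host are assumptions
KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}
EXCHANGE_DOMAIN = "mexc.com"          # assumed host of the MEXC web UI
API_PAGE = "/user/openapi"            # API management page named in the article
EXFIL_HOSTS = ("api.telegram.org",)   # assumed Telegram Bot API endpoint

def audit_manifest(ext_id: str, manifest: dict) -> list:
    """Return human-readable findings for one manifest (empty list = clean)."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append(f"known malicious extension id {ext_id}")
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if EXCHANGE_DOMAIN in pattern:
                where = "API key management page" if API_PAGE in pattern else "exchange domain"
                findings.append(f"content script {cs.get('js')} injected on {where}: {pattern}")
    declared = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    for entry in declared:
        if any(host in str(entry) for host in EXFIL_HOSTS):
            findings.append(f"host permission for a possible exfiltration channel: {entry}")
    return findings

def audit_profile(extensions_dir: Path) -> dict:
    """Walk Chrome's Extensions/<id>/<version>/manifest.json layout; map id -> findings."""
    report = {}
    for path in extensions_dir.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip it rather than abort the audit
        findings = audit_manifest(path.parent.parent.name, manifest)
        if findings:
            report[path.parent.parent.name] = findings
    return report

# Constructed sample manifests so the audit can be exercised offline
SAMPLE_SUSPECT = {"manifest_version": 3,
                  "content_scripts": [{"matches": ["https://www.mexc.com/user/openapi*"], "js": ["script.js"]}],
                  "host_permissions": ["https://api.telegram.org/*"]}
SAMPLE_BENIGN = {"manifest_version": 3,
                 "content_scripts": [{"matches": ["https://example.org/*"], "js": ["helper.js"]}]}

if __name__ == "__main__":
    print(audit_manifest("pppdfgkfdemgfknfnhpkibbkabhghhfh", SAMPLE_SUSPECT))  # three findings
    print(audit_manifest("benignbenignbenignbenignbenignbe", SAMPLE_BENIGN))   # []
```

Point audit_profile at the profile's Extensions directory (for example ~/.config/google-chrome/Default/Extensions on Linux) to scan a live install; any non-empty report is a prompt to uninstall the extension and revoke the exchange API keys as described above.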
The Chrome Web Store Security Challenge
This incident highlights ongoing challenges with Chrome Web Store security. Despite Google's efforts to improve review processes, malicious extensions continue to slip through. The extension had been available for months with 29 downloads before being identified.
The attack demonstrates how threat actors are shifting from broad, spray-and-pray malware campaigns to highly targeted operations that exploit specific workflows in popular services. By focusing on API key generation—a legitimate and necessary function—the malicious extension appears benign during casual review.
Conclusion
This MEXC API Automator extension represents a sophisticated evolution in credential theft that combines social engineering, session hijacking, and UI manipulation to achieve its goals. It serves as a stark reminder that even legitimate-looking tools from official marketplaces can pose serious threats.
For cryptocurrency users, the incident underscores the importance of maintaining strict operational security, particularly around API key management. The fact that the attack requires no password theft or authentication bypass makes it particularly insidious and difficult to detect through conventional security monitoring.
As the cryptocurrency ecosystem continues to mature, both users and platforms must adapt to increasingly sophisticated attack vectors that exploit the trust relationships between users, browsers, and web services.
The malicious extension (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) was still available on the Chrome Web Store as of the publication date. Users should verify their installed extensions immediately.