Chrome Extension Caught Stealing Crypto-Wallet Private Keys

A Google Chrome extension was caught injecting JavaScript code on web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals. From a report: The extension is named Shitcoin Wallet (Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn), and was launched last month, on December 9. According to an introductory blog post, Shitcoin Wallet lets users manage Ether (ETH) coins, but also Ethereum ERC20-based tokens -- tokens usually issued for ICOs (initial coin offerings). Users can install the Chrome extension and manage ETH coins and ERC20 tokens from within their browser, or they can install a Windows desktop app, if they want to manage their funds from outside a browser's riskier environment. However, the wallet app wasn't what it promised to be. Yesterday, Harry Denley, Director of Security at the MyCrypto platform, discovered that the extension contained malicious code. According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk.

Nobody Could Have Foreseen...

[nsuccorso]

I used something called Shitcoin Wallet to manage my money, and something bad happened!!

Re:

[sabbede]

Which makes me wonder if the author wasn't trying to make a point, not steal from the users.

Re:

[The-Ixian]

Freakin' Lahey [wikipedia.org]

The NAME didn't provide a clue?

[Geodesy99]

Really, now.

The name wasn't a dead giveaway?

[Powercntrl]

I mean really, if you're going to put your crypto coins in an extension called "Shitcoin Wallet", you should've seen this coming.

It's like lighting one of those compressed sawdust firelogs on your coffee table, then being genuinely surprised when it burns your house down.

Of course it attacked BTC and ETH...

[LynnwoodRooster]

Because DOGE is unbreakable! That is why, even after years of up-and-down for the market as a whole, one Dogecoin is STILL worth 1 DOGE.

Re:

[DontBeAMoran]

Much value! Very stability!

Re:

[LynnwoodRooster]

Bigly!

With a name like that

[Cito]

Folks deserve what they got if they actually use something with that name

Re:

[ClueHammer]

Victim blaming... i see its still a thing for the truly ignorant, like yourself.

Re:

[sexconker]

The first rule of crypto is to treat your wallet like cash.

If you fail at that, you deserve to be fucked.
If you think that's "victim blaming" and that's not okay, then I lost $100 last week. I was holding it while walking down the street and a pigeon came by and took it.

Clearly, I as the victim have no personal responsibility. Please make sure to coddle me, tell me it's not my fault, and donate to replace my $100.

Re:

[Pascoea]

If that actually worked I'd be asking for donations to train pigeons...

In two ways. What is the tooth?

[278MorkandMindy]

Are there actual editors anymore?

Re:

[CaptnCrud]

No. MissMash and BeauHD captured Patrick, Jeff, Rob, and Keith and fed them to a pack of ravinous wolves. The wolves said they where delicious.

Re:

[Anne Thwacks]

The wolves said they where delicious.

So, Wall Street wolves then?

Omg I'm wiped out!

[Way Smarter Than You]

I took out a third mortgage on my house, sold a kidney, and then sold my kids to science so I could buy more crypto coins and then I used this cool new extension and they stole everything from me! Whatever am I todo? Should I have more kids? What if the lab won't buy more?

Re:

[The-Ixian]

Wait..... you can sell your kids to science?

Re:

[fattmatt]

step kids too?

Hail 1%

[ControlTheNarrative]

This is the same month that google has banned legit wallet (metamask). If I didn't know better I'd think google is trying to make cryptocurrency look bad. Well done Google.
The only real investment is spy500, millennials with imaginary currencies should forever stay poor. In tendies we trust!

Re:

[slashways]

A lot of people fell for them. They have learned their lessons by now.

https://medium.com/@jimmysong/... [medium.com]
https://www.whatbitcoindid.com... [whatbitcoindid.com]
https://www.reddit.com/r/Bitco... [reddit.com]

Seriously?

[cascadingstylesheet]

I know we're all supposed to be too cool for school these days, but "shitcoin wallet"?

Yeah, nothing could go wrong there, with a serious operation like that.

625 Stupid people

[Pascoea]

"At the time of writing, the extension was still available for download through the official Google Chrome Web Store, where it listed 625 installs."

Help me out here. I'm not into cryptocurrency, other than a tangential knowledge of what it is and a general idea of how it works. Why would someone want/need a chrome plugin to manage their wallet? What value does it add? (assuming you use one that isn't stealing your shit)

Re:

[Anne Thwacks]

Why would someone want/need a chrome plugin to manage their wallet?

Because they are Windows users and the OS is not secure ;-}

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bill_mcgonigle]

The idea is that it's a bridge that lets you use web apps to move crypto. The web-wallet just takes commands from the website but the cryptography is done locally, even maybe talking to a hardware wallet.

The other options are a fat desktop app or giving the website your private key (never do that). Apparently installing software is too hard for most humans.

Webassembly targets will be the next iteration.

2020: It's time to forget about Shitcoins

[slashways]

F.A. Hayek in 1984: "I don't believe we shall ever have a good money again before we take the thing out of the hands of government, that is, we can't take it violently out of the hands of government, all we can do is by some sly roundabout way introduce something that they can't stop."

A shitcoin is anything promoted as a form of money whose supply is easy to increase. In other words, anything other than gold or bitcoin.