Coinbase and Google: This malicious Google Notes extension just wants to sneakily steal all your crypto

Coinbase and Google: This malicious Google Notes extension just wants to sneakily steal all your crypto

Malicious "Silent Swap" Chrome Extension Hijacks Crypto Transactions

McAfee researchers have identified Silent Swap, a malicious Chromium browser extension masquerading as Google Notes that covertly redirects cryptocurrency transactions to attacker-controlled wallets. Disguised as a functional note-taking tool complete with color-coding and search features the extension operates as a clipboard hijacker, monitoring copied text for crypto wallet addresses (26–42 alphanumeric characters) and replacing them with fraudulent ones.

Victims, likely lured via phishing, social engineering, or untrusted websites, unknowingly paste the swapped address when sending funds, funneling money directly to cybercriminals. Once transferred, stolen crypto is nearly impossible to recover unless intercepted by a centralized exchange (e.g., Coinbase) before completion.

To evade detection, attackers generate lookalike wallet addresses that differ by only a few characters, undermining common verification methods like checking the first and last digits. The discovery underscores the risks of clipboard-based attacks in crypto transactions, where manual entry is impractical and users rely on copy-paste workflows.

Source: https://www.techradar.com/pro/security/this-malicious-google-notes-extension-just-wants-to-sneakily-steal-all-your-crypto

Coinbase TPRM report: https://www.rankiteo.com/company/coinbase

Google TPRM report: https://www.rankiteo.com/company/google

"id": "goocoi1783686858",
"linkid": "google, coinbase",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Cryptocurrency',
                        'type': 'Individual users'}],
 'attack_vector': 'Malicious Chrome Extension',
 'data_breach': {'sensitivity_of_data': 'High (financial assets)',
                 'type_of_data_compromised': 'Cryptocurrency wallet addresses'},
 'description': 'McAfee researchers have identified *Silent Swap*, a malicious '
                'Chromium browser extension masquerading as *Google Notes* '
                'that covertly redirects cryptocurrency transactions to '
                'attacker-controlled wallets. The extension operates as a '
                '*clipboard hijacker*, monitoring copied text for crypto '
                'wallet addresses (26–42 alphanumeric characters) and '
                'replacing them with fraudulent ones. Victims unknowingly '
                'paste the swapped address when sending funds, funneling money '
                'directly to cybercriminals.',
 'impact': {'financial_loss': 'Cryptocurrency theft',
            'payment_information_risk': 'Cryptocurrency wallet addresses',
            'systems_affected': 'User devices with the malicious extension '
                                'installed'},
 'initial_access_broker': {'entry_point': 'Malicious Chrome extension '
                                          '(phishing/social engineering)',
                           'high_value_targets': 'Cryptocurrency users'},
 'lessons_learned': 'The discovery underscores the risks of clipboard-based '
                    'attacks in crypto transactions, where manual entry is '
                    'impractical and users rely on copy-paste workflows.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Enhanced extension vetting, '
                                                  'user education on clipboard '
                                                  'security, implementation of '
                                                  'address verification tools',
                            'root_causes': 'Lack of verification for clipboard '
                                           'content, reliance on copy-paste '
                                           'for crypto transactions, '
                                           'installation of untrusted '
                                           'extensions'},
 'recommendations': 'Users should verify wallet addresses manually or use '
                    'tools that detect clipboard hijacking. Avoid installing '
                    'extensions from untrusted sources.',
 'references': [{'source': 'McAfee Research'}],
 'response': {'remediation_measures': 'Removal of the malicious extension',
              'third_party_assistance': 'McAfee researchers'},
 'title': "Malicious 'Silent Swap' Chrome Extension Hijacks Crypto "
          'Transactions',
 'type': 'Malware (Browser Extension)',
 'vulnerability_exploited': 'Clipboard hijacking'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.