Malicious Chrome Extension Targets MEXC Crypto Exchange Users
Cybersecurity researchers have identified a malicious Google Chrome extension, MEXC API Automator, designed to steal API keys from users of MEXC, a centralized cryptocurrency exchange (CEX) serving over 170 countries. Disguised as a legitimate trading automation tool, the extension (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) covertly harvests sensitive credentials, enabling unauthorized access to victims' exchange accounts.
Despite its low download count, just 29 installations, the extension remains active, posing an ongoing threat. API keys, which grant access to trading accounts, are prime targets for attackers seeking to execute fraudulent transactions. The incident highlights the risks of third-party browser extensions, particularly in the cryptocurrency space where financial assets are at stake.
Users who installed the extension are advised to remove it immediately and reset their API keys to prevent potential breaches. The discovery underscores the importance of verifying extension authenticity, scrutinizing permissions, and conducting regular security audits to mitigate similar threats.
MEXC cybersecurity rating report: https://www.rankiteo.com/company/mexcofficial
{
"id": "MEX1768465942",
"linkid": "mexcofficial",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Users who installed the malicious extension (29 downloads)',
                        'industry': 'Cryptocurrency/FinTech',
                        'location': 'Global (170+ nations)',
                        'name': 'MEXC',
                        'type': 'Centralized Cryptocurrency Exchange (CEX)'}],
 'attack_vector': 'Malicious Chrome Extension',
 'customer_advisories': 'Users advised to remove the extension and change API keys',
 'data_breach': {'data_exfiltration': 'Yes (API keys harvested)',
                 'number_of_records_exposed': '29 (downloads)',
                 'sensitivity_of_data': 'High (API keys grant access to cryptocurrency trading accounts)',
                 'type_of_data_compromised': 'API keys'},
 'description': 'Cybersecurity researchers uncovered a malicious Google Chrome extension, MEXC API Automator, designed to exploit users of MEXC, a centralized cryptocurrency exchange. The extension masquerades as a legitimate tool to automate trading but instead harvests sensitive API keys from unsuspecting users.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to MEXC due to security concerns',
            'data_compromised': 'API keys',
            'operational_impact': 'Potential unauthorized transactions on affected accounts',
            'systems_affected': 'User accounts on MEXC cryptocurrency exchange'},
 'initial_access_broker': {'entry_point': 'Malicious Chrome Extension (MEXC API Automator)',
                           'high_value_targets': 'MEXC users with API keys'},
 'lessons_learned': 'Users must verify the authenticity of browser extensions, avoid over-permissioned tools, and conduct regular security audits of applications with access to financial accounts.',
 'motivation': 'Financial gain through unauthorized access to cryptocurrency trading accounts',
 'post_incident_analysis': {'corrective_actions': 'Enhanced user education on extension security and stricter Chrome Web Store vetting processes',
                            'root_causes': 'Lack of user awareness and verification of browser extensions'},
 'recommendations': ['Verify extensions by checking developer information and user reviews',
                     'Avoid extensions requesting unrelated permissions',
                     'Conduct periodic security audits of browser extensions',
                     'Immediately remove the malicious extension and change API keys'],
 'references': [{'source': 'Cybersecurity researchers'}],
 'response': {'communication_strategy': 'Public advisory to users about the malicious extension',
              'containment_measures': 'Immediate removal of the extension recommended',
              'remediation_measures': 'Users advised to change API keys'},
 'title': 'Malicious Google Chrome Extension Targeting MEXC Users for API Key Theft',
 'type': 'Malware (Malicious Browser Extension)',
 'vulnerability_exploited': 'Lack of user verification for extension authenticity and over-permissioned access'}