Characterizing Cryptocurrency-Themed Malicious Browser Extensions
Abstract
The popularity of cryptocurrencies has led to the growth of browser extensions, including malicious ones that cause financial losses and evade vetting processes. We conduct a systematic study to identify and characterize cryptocurrency-themed malicious extensions. By monitoring seven extension distribution venues for 18 months (December 2020 to June 2022) and collecting around 3,600 unique extensions, we identify 186 malicious extensions in five categories. We analyze their distribution channels, life cycles, developers, behaviors, and illegal gains, revealing their status quo, disguises, and programmatic features. Our work unveils the status quo of the cryptocurrency-themed malicious extensions and reveals the disguises and programmatic features on which detection techniques can be based. Our work serves as a warning to extension users and as an appeal to extension store operators to enact dedicated countermeasures. To facilitate future research in this area, we release our dataset of the identified malicious extensions and open source our analyzer.
1. Introduction
The openness to browser extensions (extensions) is a key feature of modern browsers, enhancing users’ experience with various functionalities. However, malicious extensions can abuse the permissions and privileged APIs to launch man-in-the-browser attacks for information stealing, phishing, and scams. Recently, extensions themed with popular blockchain and cryptocurrency technologies have become targets of cyberattacks, as major cryptocurrency exchange platforms and wallet services have launched their extensions as new portals. Cryptocurrency-related crimes caused a total of $1.9 billion loss in 2020 alone [3], largely attributed to malicious cryptocurrency-themed extensions, such as a fake Ledger Chrome extension that stole at least $2.5 million worth of Ripple coins in March 2020 [8].
The existing extension stores and the blockchain community have made efforts to counter the surging attacks associated with the cryptocurrency-themed extensions. For example, Google has taken down 49 phishing Chrome extensions that reportedly stole cryptocurrency data, and it has completely banned mining through extensions. Domain names and wallet addresses involved in malicious activities have been published by several open source databases to raise public awareness. Nonetheless, our research community still lacks an in-depth understanding of cryptocurrency-themed malicious extensions, and most countermeasures still rely on detection techniques designed for generic malware. Consequently, elaborately crafted malicious extensions, which take cryptocurrencies as the disguise or target a specific cryptocurrency business logic, could evade the detection.
Our work. In this paper, we aim to systematically understand the status quo of cryptocurrency-themed malicious extensions in the wild and unveil their main characteristics that can facilitate countermeasures. We have monitored major official and alternative extension stores in real time for 18 months (December 2020 to June 2022), covering the time during which the major exchange platforms and wallet service providers launched their extensions. For example, Coinbase, a popular exchange platform that has a daily trade volume of more than three billion dollars, launched its Chrome extension in May 2021. Our monitoring includes 3,599 extensions in total on the radar (see Section 2.1). We then propose a systematic detection approach to identify malicious ones from them (see Section 8). It takes into consideration multi-dimensional characteristics including metadata features (for example, user reviews and the number of downloads), programmatic features (for example, requested browser permissions, frequencies of variable and function types), and execution features (for example, high CPU usage and communication with suspicious servers). We further characterize the malicious extensions in terms of their prevalence, development ecosystem, financial damage, and features for detecting them.
Key findings. We present the first characterization study of cryptocurrency-themed malicious extensions, revealing their current state. Key findings are summarized below, with details in Section 4.
- Cryptocurrency-themed malicious extensions have become prevalent. We have identified 186 malicious extensions out of the 3,599 cryptocurrency-themed ones, at a rate of 5.17%. They can be categorized into five categories based on their purposes: phishing, mining, scam, adware, and gambling/pornography. They target almost all popular cryptocurrency-related functionalities, such as price trackers, payment, coin miners, wallets, and exchange platforms.
- Attacks through cryptocurrency-themed malicious extensions have caused significant financial losses. We find that an estimated $1,006,610 worth of cryptocurrencies have flowed into attacker-controlled wallet addresses during the malicious extensions’ lifespan.
- Malicious extensions tend to post fake user reviews to disguise themselves. Owners of malicious extensions routinely attempt to post large amounts of fake positive reviews to manipulate the overall ratings. Out of the extensions with negative-sentiment reviews, 42% are proven malicious. Nonetheless, half of them post fake positive reviews to flood the negative ones (likely from victims) and lift their rating scores above 4 out of 5. This renders it nearly impossible for lay users to distinguish them based on reviews and rating scores.
- Less popular services and cryptocurrencies are also the targets of malicious extensions. Besides targeting popular exchange platforms and wallet services (for example, Coinbase), malicious extensions also focus on those with small volumes (for example, Truechain and Ledger). Similarly, less-valued cryptocurrencies (such as Monero and MintCoin) have been abused as the ideal honeypots to lure vulnerable opportunists, due to the drastic price fluctuations.
- Cryptocurrency-themed malicious extensions are stealthy but demonstrate characteristics that detection can rely on. The cryptocurrency-themed malicious extensions are more insidious than the generic malicious extensions. Most of them (84.4%) manage to evade detection from 31 state-of-the-art anti-virus engines, and 73.1% have remained available on the extension stores for more than one month when we detect them. Nonetheless, we find that they tend to have a high frequency of security-critical permission requests (for example, file://*) and system-level API calls (for example, identity, system.cpu, and app.runtime) at runtime. We distill these characteristics into a set of distinctive features to benefit anti-malware tools.
We release the dataset of the identified malicious extensions [7] and open source our analyzer to facilitate the countermeasures of the cryptocurrency-themed malicious extensions and to encourage future research in this area.
2. Background and Threat Model
Cryptocurrency-themed extensions. Among browser extensions, cryptocurrency-themed ones have experienced fast growth in recent years, thanks to the popularity of blockchain technology and cryptocurrencies. From a broad point of view, there are two types of cryptocurrency-themed extensions. One type is the lightweight version of the Web-based or application-based counterparts implemented by the official or authorized service providers, such as cryptocurrency wallets. The other type includes extensions implemented by third-party developers for cryptocurrency services, incorporating richer and more diverse functions to enhance user experience. Typical examples include market data trackers, integrated portals as shortcuts for accessing various cryptocurrency applications, and security and privacy-related extensions.
In this work, we consider two types of threats that are relevant to cryptocurrencies in the context of browser extensions, that is, involving cryptocurrencies for illicit payment and involving cryptocurrencies as disguises or lures. Due to the anonymous nature of transactions, cryptocurrencies are often used as the payment method by malware and hidden services that provide illicit services, such as gambling and drug trading. Therefore, we examine extensions that may contain such behaviors.
Due to their investment nature, cryptocurrencies have also been abused as bait to lure users to click links containing malicious content or install malicious applications. Malicious behaviors covered up by cryptocurrencies may include phishing, scamming, mining, and advertising, to be detailed later.
2.2 Permissions and features of extensions.
Permissions. Most browser extensions are archived into well-formatted crx or xpi files. Inside the archive, the code base is organized in a way similar to a Web application, containing files such as HTML, JavaScript, CSS, and local images. A JSON file named manifest.json describes the extension’s meta information, including name, version, developer, and requested browser-level permissions. In particular, the requested permissions determine its capabilities in network traffic manipulation, cookie accessibility, and Web-page modification. Thus, the requested permissions serve as a critical feature to detect malicious extensions in our approach.
Programmatic features. The logic of an extension is detailed in its content scripts and background page source code. Content scripts play a key role in interacting with the Web pages the browser navigates to. They can read the details of the Web page or modify its DOM. Complementing the content scripts, extensions can also run scripts in the context of the background page, which can be used to maintain the state and control the behavior logic of the extension without being visible to the user. Considering the distinct execution logics and the resulting behaviors between the malicious and benign extensions, these programmatic patterns have been used to benchmark the differences between them. They have shown effectiveness in practice.
3. Data Collection
3.1 Data sources.
Browser types. We focused on the top 10 most downloaded browsers. Additionally, we included popular regional browsers from the top 10 countries for cryptocurrency adoption, identifying 18 browsers across six countries.
Extension sources. We used two primary sources for extension collection:
- Official stores: We developed crawlers for Chrome, Firefox, Opera, and Edge, covering a total of 20 browsers due to shared engines. For 360 Explorer and Whale, we manually monitored updates due to strict anti-crawling measures. IE and Safari have limited extension availability.
- Alternative stores: We targeted three popular sites: Crx4Chrome, Haoyong, and GugeApp, all noted for their vulnerability to malicious extensions. Our crawlers collectively cover approximately 90% of the market share.
Collection methodology. Built on Selenium [18], our crawlers automated the data-collection process. Our crawlers searched extension stores using a keyword corpus of 800 terms, derived from CoinMarketCap and relevant literature [23], including keywords, abbreviations, and potential anagrams. To account for non-English extensions, we translated keywords into Chinese and Korean. Our crawlers ran on Windows 10 virtual machines with eight CPUs, 16GB RAM, and 160GB storage, continuously refined from May to July 2020. We manually reviewed more than 30,000 returned extensions to filter out irrelevant entries. As a result, we compiled a dataset of 3,599 cryptocurrency-themed extensions (4.5GB), distributed across nine stores.
4. Detection of Mal-Extensions
The rapidly evolving nature of cryptocurrency-themed malicious extensions makes signature-based identification difficult. To address this, we propose a detection approach using multi-stage analysis and multi-dimensional criteria, as illustrated in Figure 1. Initially, we flag suspicious extensions through coarse-grained filtering and classification-based detection. We then confirm their status by analyzing string characteristics and run-time behaviors.
Preliminary filtering. To refine our search space for subsequent analyses, we conduct coarse-grained filtering. We initially use existing antivirus tools (that is, VirusTotal [20]) to flag suspicious extensions. However, due to the rapid emergence of new threats, this method identifies only a limited number of malicious extensions (see Section 4.1). We enhance our filtering with two additional criteria:
- User reviews. User feedback provides insight into extensions’ trustworthiness. We mark extensions with an average rating below two stars as suspicious. Additionally, we perform semantic and sentiment analysis [14] on reviews, identifying those with negative keywords (for example, “bad,” “malicious,” “scam”). Extensions showing significant drops in ratings (more than one point weekly) are also flagged.
- Number of downloads. Download counts indicate an extension’s popularity. We consider extensions with fewer than 100 downloads suspicious, as this threshold captures 80% of samples flagged by VirusTotal. We also track download fluctuations, logging extensions with over 50% weekly changes.
Filtering results. This coarse-grained approach retains relevant malicious extensions while reducing noise. We excluded 1,286 extensions from the total 3,599.
Suspicious extensions detection. After filtering, we implement a lightweight classification-based approach to detect suspicious extensions. Our goal at this stage is to maximize the identification of malicious samples, leading to classifiers trained with a higher tolerance for false positives (see Section 12). Confirmation processes are introduced afterward (see Section 3.2). Once we construct a dataset of confirmed samples, we can extract accurate features and apply advanced detection methods, as discussed in our experiments (Section 5.1).
Classification features. We use programmatic features from extensions for classification. These features, including requested permissions and AST characteristics, effectively differentiate benign from malicious extensions.
Requested permissions. We analyze 11 permissions commonly used in detection and assigned risk levels by the open source analyzer ExtAnalysis.
AST features. Drawing from Wang et al. [21], we develop a feature set based on nine code variables and thirteen function frequencies. These are extracted using ASTs (Abstract Syntax Trees) created with AST Explorer and Esprima.
4.2.2 The classification.
Training data labeling. We create a labeled dataset to train and benchmark our classifiers. Malicious extensions are sourced from VirusTotal and identified through manual inspection by two authors, focusing on extensions with ratings below two stars, more than 10 negative reviews, and fewer than 100 downloads. We independently analyze random samples, retaining only those confirmed as malicious. After discussion with a third co-author, we categorize each malicious extension. This process yields 55 malicious extensions: 27 from VirusTotal and 28 from manual searches, with specific counts across categories.
We then add 70 benign extensions, maintaining a 1:10 or 1:20 ratio for categories, simulating real-world distribution. These benign samples are drawn from our dataset, ensuring they have high ratings, numerous positive reviews, and extensive downloads, and are manually verified.
Training and testing. Using the labeled dataset, we train five classifiers, each focused on one malware category. We extract a fixed-length feature vector from permission and AST features. Permissions are represented as binary values (1 for presence, 0 for absence), while AST features are normalized based on their frequencies. Each classifier labels only the target malware category as foreground (1), with others as background (0) to enhance sensitivity.
We split the data into three training folds and two testing folds. Four classification algorithms (SVM, logistic regression, decision tree, and Naive Bayes) are tested, with the best recall chosen for each. All classifiers achieve an average recall of 1.0 for malicious extensions, indicating strong detection capability, though average precision is lower (around 0.35), leading to false positives requiring further confirmation (discussed in Section 3.2).
Detection results. We apply the classifiers to all the extensions, marking those predicted as malicious. This results in 691 suspicious extensions: 97 for phishing, 400 for scams, 68 for mining, 94 for adware, and 32 for illicit services.
Malicious extension confirmation. To eliminate false positives from our classifier results, we perform a confirmation step based on two characteristics:
- Confirmation with malicious elements. We check for the presence of malicious cryptocurrency-specific elements, such as malicious Web domains and cryptocurrency wallet addresses. Using ExtAnalysis, we extract domain and address elements from the suspicious extensions. These are scanned against online databases containing 5,838 mining-related URLs, online abuse databases [2,6], and a blacklist of 49 Chrome extension IDs [9]. Extensions matching any malicious elements are confirmed as malicious.
- Confirmation with runtime behavioral features. We test each suspicious extension in a sandboxed virtual machine, interacting with it for approximately five minutes using our test account. We aim to fully trigger its behaviors by performing actions such as logging in, transferring cryptocurrency, and clicking links. The testbed monitors system-level and network-level behaviors, confirming an extension as malicious if the following are observed:
  - System-level behaviors: Monitoring CPU usage, memory usage, and file system changes every 10 seconds, we check if the extension rapidly consumes system resources (for example, CPU usage exceeding 90%), which is indicative of malicious mining activity.
  - Network-level behaviors: We intercept and analyze network traffic between the extension and servers using a man-in-the-middle proxy (mitmproxy [13]). We check for transmission of sensitive user information, such as log-in credentials or cryptocurrency wallet addresses, to malicious or blocked URLs.
Results. After confirmation, we identified a total of 186 malicious extensions, comprising 65 phishing, 22 mining, 75 scam, 16 adware, and 8 illicit services extensions. For validation, we followed the labeling procedure detailed in Section 12. More than 90% of the labels were assigned without disagreement, with only a few (less than 10) requiring discussion and consensus.
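The runtime confirmation checks above, as an added example that is not the paper's testbed code: the test account's credentials, backup phrase and wallet address are treated as canaries, each intercepted request (modelled as a plain dict, not the mitmproxy API) is searched for them in cleartext, URL-encoded, JSON-escaped or standalone-base64 form, and CPU samples taken every 10 seconds are checked for a sustained run above 90%. All hosts, canary values, flows and CPU samples are constructed here.

```python
import base64
import json
from urllib.parse import quote, unquote_plus, urlsplit

# Canary values belonging to the throwaway test account (constructed here).
CANARIES = {
    "password": "TestAcct-Pw-2021!",
    "backup_phrase": "abandon ability able about above absent absorb abstract absurd abuse access accident",
    "wallet_address": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
}
# Hosts the impersonated service legitimately talks to, and known-bad hosts (constructed).
ALLOWED_HOSTS = {"api.wallet.example"}
BLOCKED_HOSTS = {"collect.evil.example"}
CPU_THRESHOLD = 90.0  # percent; samples are taken every 10 s as in the testbed


def encoded_forms(value):
    """Forms in which a canary commonly travels: raw, URL-encoded,
    JSON-escaped, and standalone base64."""
    return {
        value,
        quote(value, safe=""),
        json.dumps(value)[1:-1],
        base64.b64encode(value.encode()).decode(),
    }


def leaked_canaries(flow):
    """Return the names of canaries found anywhere in the request (URL, headers, body)."""
    haystack = "\n".join([flow["url"], *flow.get("headers", []), flow.get("body", "")])
    haystack += "\n" + unquote_plus(haystack)  # also inspect the URL-decoded view
    return sorted(name for name, val in CANARIES.items()
                  if any(form in haystack for form in encoded_forms(val)))


def classify_flow(flow):
    """'exfiltration' when a canary goes to a blocked or unexpected host,
    'expected' when it goes to the service's own API, else 'clean'."""
    hits = leaked_canaries(flow)
    if not hits:
        return "clean", []
    host = urlsplit(flow["url"]).hostname or ""
    if host in BLOCKED_HOSTS or host not in ALLOWED_HOSTS:
        return "exfiltration", hits
    return "expected", hits


def mining_suspect(cpu_samples, threshold=CPU_THRESHOLD, min_run=3):
    """True if CPU usage stays above the threshold for min_run consecutive
    10-second samples, i.e. at least 30 s of sustained load."""
    run = 0
    for pct in cpu_samples:
        run = run + 1 if pct > threshold else 0
        if run >= min_run:
            return True
    return False


# Constructed traffic in the shape a proxy log would give us, plus CPU samples.
SAMPLE_FLOWS = [
    {"url": "https://api.wallet.example/login",
     "headers": ["content-type: application/x-www-form-urlencoded"],
     "body": "user=tester&pw=" + quote(CANARIES["password"], safe="")},
    {"url": "https://collect.evil.example/s",
     "headers": ["content-type: text/plain"],
     "body": base64.b64encode(CANARIES["backup_phrase"].encode()).decode()},
    {"url": "https://cdn.example/logo.png", "headers": [], "body": ""},
]
SAMPLE_CPU = [12.0, 15.5, 94.0, 97.2, 98.1, 96.7, 95.0]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["url"], classify_flow(flow))
    print("mining suspect:", mining_suspect(SAMPLE_CPU))
```

A canary embedded inside a larger base64 blob or a custom encoding is not caught by this substring check; the decoded-view trick only covers URL encoding.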
5. Characterization
Our investigation aims to explore the following four research questions (RQs).
RQ1. What is the status quo of cryptocurrency-themed malicious extensions in the wild?
RQ2. What are the hostile behaviors and the defining techniques associated with each category of the cryptocurrency-themed malicious extensions?
RQ3. What are the financial impacts of cryptocurrency-themed malicious extensions?
RQ4. What features can be used by anti-malware countermeasures to effectively distinguish cryptocurrency-themed malicious extensions?
5.1 RQ1: Status quo of malicious extensions.
Measurement of malicious extensions. We analyze the malicious extensions by examining their distributions, lifespans, targets, and the services they abuse.
Target browsers and distribution channels. Malicious extensions disproportionately target certain browsers, primarily Chrome and Chrome-based browsers, which account for 62.4% (116 out of 186) of all identified malicious extensions. Firefox accounts for 37.1% (69 out of 186), and Opera for 0.5% (1 out of 186). These extensions are distributed across the top five stores. No malicious extensions were found in the remaining four stores, likely due to their limited number of actively maintained extensions. The Chrome Web Store has the highest prevalence rate of malicious extensions (7.1%), despite strict vetting processes. This may be because Google’s policies make installing extensions from unknown sources difficult, forcing attackers to use the official store. The Guge extension store for Chrome-based browsers is also heavily targeted (6.5%).
Lifespan. We estimate the lifespan of malicious extensions based on their availability duration in stores, recording their initial and final appearances. We also record the number of updates per extension.
The emergence of new malicious extensions correlates with cryptocurrency market fluctuations; more appear when crypto-assets are more valuable. The lifespan distribution shows that 56.5% (105 out of 186) of malicious extensions are eventually removed by stores, compared to 12.5% (428 out of 3,413) of benign ones. More than 73% (136 out of 186) of malicious extensions remain available for more than one month, and more than half (71) persist for over a year. Official stores do not significantly outperform alternative stores in detecting and removing malicious extensions; only 19.6% (20 out of 102) on the Chrome Web Store and 43.5% (30 out of 69) on Firefox Add-ons are removed within a month. Malicious extensions update more frequently than benign ones, with median update frequencies of 0.21 versus 0.13 times per month.
These findings are surprising given the strict vetting mechanisms deployed by extension stores. We speculate that stores rely on generic malicious extension-detection techniques, which are less effective against malicious cryptocurrency extensions that often lack typical malicious attributes, such as code injection or malicious libraries. An analysis of VirusTotal’s antivirus engines shows that only 15.6% of our identified malicious extensions are detected by at least one antivirus tool at the time of our study. This underscores the need for detection techniques specifically tailored to cryptocurrency-themed malicious extensions, which we explore in Section 5.1.
Target cryptocurrencies and services. We identified the cryptocurrencies and services targeted by malicious extensions by searching for their names within strings extracted from their crx/xpi packages and execution logs (see Section 3.2), using comprehensive lists from relevant ranking websites [4,5]. Our analysis revealed that 166 malicious extensions target at least one cryptocurrency, 72 target at least one cryptocurrency wallet, and 28 target at least one exchange. Popular cryptocurrencies and services are primary targets due to their large user bases and high trust levels. Less popular and trending ones are also exploited to deceive opportunistic users during fleeting market hype.
Specifically, 88.0% (146 out of 166) of cryptocurrency-targeting extensions focus on the top 30 cryptocurrencies by trading volume on CoinMarketCap. Similarly, 64.3% (18 out of 28) of exchange-targeting extensions focus on the top 30 exchanges by trading volume, including Bittrex, Binance, Poloniex, Kraken, HitBTC, Bitfinex, and Coinbase.
For cryptocurrency wallets, due to the lack of a formal popularity ranking, we calculated cumulative review counts from the Apple App Store and Google Play Store, designating wallets with more than 10,000 reviews as top popular ones. We found that 47.9% of the extensions target these popular wallets, including Exodus, Trust Wallet, MetaMask, SafePal, Atomic Wallet, and Coinbase Wallet.
Domains and registration information. We analyzed domain and registration data of domains used by malicious extensions, identifying 34 TLDs, 28 network operators, and 22 registrars. Common TLDs (.com, .net, .org) comprise 61.35%, but there is increased use of cheaper, less-regulated TLDs like .xyz, .io, and .cn. Registrars such as NameCheap and MarkMonitor are more popular among malicious extensions than GoDaddy, despite having smaller market shares (9.4% and 0.8% vs. 52.6%).
Abused third-party services. From 186 malicious extensions, we identified 95 abused third-party services. Most fall into two categories: development services (41 out of 95, for example, fonts.googleapis.com) and cryptocurrency information/toolbox services (54 out of 95, for example, www.tradingview.com, connect.trezor.io). These services impose no restrictions on extensions using them, posing security threats if high-risk services are abused.
Linking developers of malicious extensions. To uncover potential collusion among malicious developers targeting cryptocurrency extensions, we analyze code structures, registration data, and transaction records:
- Code similarity. We detect near-duplicate extensions by examining file structures and private libraries, suggesting they originate from the same developer [15].
- Malicious domains. We associate extensions if they share domain registrants or send credentials to the same domain.
- Wallet addresses. We link developers controlling the same malicious wallet addresses by tracking transactions, including change addresses and multi-input transactions [11].
From the 186 malicious extensions, we linked 56 to 17 developers, each responsible for at least two extensions. For example, one developer created seven phishing extensions from six accounts, targeting four wallets: Ledger Nano Wallet (3), Atomic Wallet (2), Coinbase Wallet (1), and Trust Wallet (1).
5.2 RQ2: Categorical characterization. We install the confirmed 186 malicious extensions in our confined testbed (see Section 3.2), interact with them, and inspect their behaviors.
Phishing extensions (65). The majority of phishing extensions (61 out of 65) impersonate legitimate extensions, while the remaining four forge Web pages. These phishing extensions are found exclusively in the official Chrome and Firefox stores, with Firefox being the primary target, accounting for 43 malicious extensions.
Impersonated services. Phishing extensions primarily impersonate wallet services. Of the 65 phishing extensions, 59 target wallets, 4 target exchanges, and 2 collect user information. They focus on popular wallets with large user bases, including Exodus Wallet (16 extensions), Trust Wallet (7), MetaMask Wallet (6), SafePal Wallet (4), Atomic Wallet (3), and hardware wallets such as Ledger Nano Wallet (3).
Malicious behaviors. These extensions steal victims’ wallet accounts or passwords, leading to full control over their wallets or accounts:
- Wallet accounts: 57 extensions mimic wallet loading pages to harvest backup phrases.
- Passwords: Six extensions mimic log-in pages to capture credentials.
Mining extensions (22). Despite official store bans by Chrome, Firefox, and Opera, more than half of the mining extensions (12 out of 22) circumvent restrictions and appear in these stores—Chrome (10), Firefox (1), and Opera (1). The remaining 10 are found in third-party stores, such as Crx4Chrome (8) and Guge (2).
Mined cryptocurrencies and mining pools. Most mining extensions (11 out of 22) mine Monero (XMR), likely due to its CPU-optimized RandomX algorithm. Despite lower efficiency, Bitcoin is also targeted by four extensions, which connect to popular mining pools such as Coinhive, CryptoLoot, CoinImp, Mineralt, MoneroOcean, CCG-Mining, and XMR Miners Club.
Malicious behaviors. At runtime, these extensions discreetly consume significant computational resources, often occupying more than 90% of CPU usage and frequently communicating with mining pools. Their malicious behaviors fall into three categories:
- Mining unlocking (14 out of 22). Bypass store bans to provide users with in-browser mining functionality.
- Mining plundering (3 out of 22). Exploit users’ computational resources to mine cryptocurrencies for attackers, for example, KMine.
- Invalid mining blocking (5 out of 22). Claim to prevent in-browser mining but fail to do so.
Scam extensions (75). Scam extensions are the most prevalent category. They typically target popular platforms and cryptocurrencies to maximize illicit gains. The vast majority (54 out of 75) are developed for Chrome—50 on the Chrome Web Store and 4 on Guge—while the remaining 21 are for Firefox. Almost all these extensions target Bitcoin (56 instances) or Ethereum (30), with only 11 exceptions targeting others.
Malicious behaviors. The scam extensions exhibit eight diversified malicious behaviors targeting cryptocurrency users:
- Account manager scam (22/75). Tricks victims into creating insecure wallets with compromised credentials such as private keys and backup phrases.
- Cashback scam (10/75). Pretend to provide cashback for well-known merchants but never fulfill payback.
- Shopping proxy scam (9/75). Redirect to disguised shopping agents; take cryptocurrency payments but never deliver goods.
- Giveaway scam (9/75). Redirect to fake reward sites requiring insecure tasks such as visiting compromised sites or providing sensitive information.
- Integrated service portal scam (9/75). Pretend to be cryptocurrency service portals but redirect to malicious sites.
- False information scam (6/75). Mimic info providers with fake news or incorrect prices to deceive victims.
- Investment scam (7/75). Lure victims with fraudulent high-yield investments or “promising” cryptocurrencies.
- Address manipulation scam (3/75). Embed attacker-controlled wallet addresses for fund transfer.
Adware extensions (16). The 16 adware extensions are identified from Chrome Web Store (13) and Firefox Add-ons (3). They conceal their malicious intentions under various services, including crypto-news platforms (7), coin price trackers (5), coin rewards providers (3), and blockchain forums (1).
Malicious behavior. When using adware extensions, victims will be presented with various types of targeted advertisements, such as shopping sites (7), games (6), and job markets (1). There are two ways of presenting the unconsented advertisements:
- Redirected windows (10 out of 16). Advertisement windows launch as redirection pages when victims click on extension buttons.
- Pop-up windows (6 out of 16). Advertisement windows are automatically triggered when users open the extensions.
Illicit services (8). The identified illicit service extensions mainly involve gambling and pornography. Most (5/8) pretend to be benign cryptocurrency exchanges with fake interfaces, while three directly market as online casinos. Users are redirected to online casinos or presented with pornographic content after clicking certain buttons, such as log-in.
5.3 RQ3: Financial impacts. This section investigates the financial losses caused by cryptocurrency-themed malicious extensions. Due to limited data availability, we focus on traceable transactions involving wallet addresses controlled by malware developers, which are identified from the malicious extensions. We study the characteristics of these wallet addresses, including transaction amounts and money flows.
Malicious addresses identification. We adopt a two-step approach to identify and further expand our list of malicious wallet addresses.
Extracting malicious seed addresses. We search the code bases of all identified malicious extensions for BTC and ETH wallet addresses using regular expressions. BTC addresses are matched using (1|3)[0-9a-km-zA-HJ-NP-Z]{24,33} and (bc1)[0-9a-zA-HJ-NP-Z]{39}, while ETH addresses are matched using (0x)[0-9a-fA-F]{40}. We filter out invalid addresses using online verification tools (for example, AddressChecker), remove addresses associated with well-known services and benign purposes, and discard dead addresses with no transaction records. The remaining addresses, confirmed as malicious using online blacklists (for example, CryptoScamDB, BitcoinAbuse, and EtherScan), are denoted as seed addresses. We focus on transactions from and to each seed address within the lifecycle of the embedding extension to pin down the financial losses.
Identifying colluding addresses. Starting from each seed address, we expand our list by monitoring addresses controlled by the same entity, known as malicious-by-association [22]. We treat addresses as colluding if a seed address transfers coins to another address immediately after receiving victim payments. We also mark outgoing fund-transfer addresses, change addresses, and multi-input transaction addresses [11] with the seed address as malicious. For outgoing fund-transfer addresses, we track the next address using online tools (for example, WalletExplorer and OXT) until known services are reached or no further transactions are recorded, with a maximum search depth of 5. The expanded set is referred to as colluding addresses.
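The two-step address pipeline above, as an added example that is not the paper's analyzer: the regular expressions are the paper's (with word boundaries added), an offline Base58Check checksum stands in for the online verification tools, and the JavaScript snippet, transaction graph, allowlist and known-service set are constructed. The graph walk implements the colluding-address rules (co-spenders, transfer targets and change outputs, depth limit, stop at known services) and also counts unique depositing addresses as the later victim estimate does.

```python
import hashlib
import re
from collections import deque

# Regexes as given in the paper; the \b word boundaries are added here.
BTC_LEGACY = re.compile(r"\b(1|3)[0-9a-km-zA-HJ-NP-Z]{24,33}\b")
BTC_BECH32 = re.compile(r"\b(bc1)[0-9a-zA-HJ-NP-Z]{39}\b")
ETH_ADDR = re.compile(r"\b(0x)[0-9a-fA-F]{40}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_ok(addr):
    """Offline stand-in for an online address checker: verify the 4-byte
    double-SHA256 checksum of a legacy (Base58Check) Bitcoin address."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def extract_candidates(source):
    """Step 1a: regex scan of extension source. Legacy BTC hits must pass
    the checksum; bech32 hits are kept as matched (no bech32 check here)."""
    found = set()
    for m in BTC_LEGACY.finditer(source):
        if base58check_ok(m.group(0)):
            found.add(m.group(0))
    for m in BTC_BECH32.finditer(source):
        found.add(m.group(0))
    for m in ETH_ADDR.finditer(source):
        found.add(m.group(0).lower())  # case-insensitive; EIP-55 not checked
    return found


def seed_addresses(source, txs, allowlist):
    """Step 1b: drop allowlisted (well-known, benign) addresses and dead
    addresses that appear in no transaction at all."""
    live = {a for tx in txs for a in tx["inputs"] + tx["outputs"]}
    return {a for a in extract_candidates(source) if a not in allowlist and a in live}


def expand_colluding(seed, txs, known_services, max_depth=5):
    """Step 2: malicious-by-association. Each tx spending from a tracked address
    links its co-spenders (multi-input heuristic) and its outputs (transfer target
    or change). Outputs are followed up to max_depth hops; a known service ends
    the trace and is not marked."""
    colluding, seen = set(), {seed}
    frontier = deque([(seed, 0)])
    while frontier:
        addr, depth = frontier.popleft()
        if depth >= max_depth:
            continue
        for tx in txs:
            if addr not in tx["inputs"]:
                continue
            for co in tx["inputs"]:
                if co not in seen and co not in known_services:
                    seen.add(co)
                    colluding.add(co)  # marked, but not followed further
            for out in tx["outputs"]:
                if out in seen or out in known_services:
                    continue
                seen.add(out)
                colluding.add(out)
                frontier.append((out, depth + 1))
    return colluding


def victims(seed, txs):
    """Unique depositing addresses: the paper's upper-bound victim count."""
    return {a for tx in txs if seed in tx["outputs"] for a in tx["inputs"]}


# ---- constructed sample data (not from any real extension) ----
GOOD_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # genesis-block address, valid checksum
BAD_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"   # last char changed: checksum fails
DEAD_ETH = "0xdeadbeef" + "0" * 31 + "1"         # well-formed, but no transactions
SAMPLE_JS = f'''// constructed snippet in the style of an address-manipulation scam
var payTo = "{GOOD_BTC}";
var decoy = "{BAD_BTC}";
var ethTo = "{DEAD_ETH}";'''
# Placeholder labels stand in for real addresses in this constructed graph.
SAMPLE_TXS = [
    {"inputs": ["victim_A"], "outputs": [GOOD_BTC]},
    {"inputs": ["victim_B"], "outputs": [GOOD_BTC]},
    {"inputs": [GOOD_BTC, "cospender_X"], "outputs": ["hop1", "change_1"]},
    {"inputs": ["hop1"], "outputs": ["hop2"]},
    {"inputs": ["hop2"], "outputs": ["exchange_hot_wallet"]},
    {"inputs": ["exchange_hot_wallet"], "outputs": ["unrelated"]},
]
KNOWN_SERVICES = {"exchange_hot_wallet"}

if __name__ == "__main__":
    for s in seed_addresses(SAMPLE_JS, SAMPLE_TXS, allowlist=set()):
        print(s, "victims:", victims(s, SAMPLE_TXS))
        print("colluding:", expand_colluding(s, SAMPLE_TXS, KNOWN_SERVICES))
```

Against live chain data the transaction list would come from an explorer API and the "immediately after receiving victim payments" timing rule would need timestamps, which this constructed graph omits.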
We identify 10 malicious BTC seed addresses with 38 colluding addresses, and 12 ETH seed addresses with 29 colluding addresses. Most (18/22) are embedded in distinct extensions from different developers, with 20/22 found in scam (15) and phishing (5) categories. No seed address is shared across extensions or developers.
5.3.2 Characterizing financial impacts.
Financial loss estimation. To estimate total financial losses, we calculate relevant incoming transactions to seed addresses during the lifespans of the malicious extensions, referred to as primary losses. We also calculate cumulative incoming transactions into colluding addresses over the same period as secondary losses, indicating potential impacts.
Based on BlockCypher transaction records, we tracked 1,070 transactions into seed addresses and 456 into colluding addresses. Most addresses have been active since 2013, accumulating 32.40 BTC and 26.28 ETH primary losses, and 18.32 BTC and 24.46 ETH secondary losses. These estimates are lower bounds due to limited data retrieval.
Transaction amounts vary significantly, from 0.00000003 to 21.39 BTC (median 0.00012 BTC) and 0.001 to 19.55 ETH (median 0.1 ETH), with a declining trend over time, likely due to coin appreciation. Transaction frequency per address also decreases, indicating user loss or extension removal.
Money-flow analysis. We further aim to demystify the dynamics of the involved illegal activities associated with the malicious extensions by answering: (1) Who is depositing into the malicious addresses? (2) Where is the money going? (3) How are the transactions/addresses connected?
Impacted victim estimation. We estimate the number of victims based on unique wallet addresses depositing into seed addresses during the same time frames used for financial loss estimation. We identified 989 victims, an upper bound considering potential multi-account ownership. However, due to the limited time of our evaluation (around a year), we merely reveal the tip of an iceberg, suggesting the significant impact on the cryptocurrency stakeholders in reality.
Money-flow tracking. We track transaction chains originating from malicious addresses, flowing into outgoing fund-transfer addresses until reaching well-known services, non-outgoing wallets, or the maximum search depth. We identified 134 exchanges/cryptocurrency mixing services (105 for BTC, 29 for ETH). Adversaries use multiple transaction chains and separate addresses to collect and assemble illicit income through two to three layers of manipulated transactions, obscuring money flows.
Address clustering. Using victim and money-flow information, we establish relationships among victims, attackers, and terminating services. Figure 2 shows nodes representing the four address types, with node sizes reflecting relative cryptocurrency amounts and edges representing transactions. Each seed address forms a transaction cluster, totaling 22 clusters (10 for BTC, 12 for ETH). Malicious addresses with many outgoing fund transfers are likely colluding accounts controlled by adversarial developers, relying on benign, untraceable services to launder and assemble illicit income. Malicious addresses without outgoing transfers are considered adversary-owned.
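The colluding-address expansion, the primary/secondary loss estimation, the victim count and the money-flow tracking described above, combined into one worked example over a constructed in-memory ledger. This is added code, not the paper's tooling: the ledger, the address labels (SEED, V*, C*, CHG, D*, MIXER) and the "known services" set are all made up, amounts are integers in the coin's smallest unit, and the known-service labels that WalletExplorer/OXT would supply are hard-coded. Marking every output of a seed-spending transaction as colluding (transfer target and change alike) subsumes the paper's "immediate forward after a victim payment" rule; that simplification is an assumption.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    """One transaction (constructed; amounts in the coin's smallest unit)."""
    txid: str
    time: int                                # constructed block time
    inputs: tuple[str, ...]                  # spending addresses
    outputs: tuple[tuple[str, int], ...]     # (receiving address, amount)

# Constructed ledger. SEED is the wallet address found in a scam extension whose
# lifespan is [0, 30]; V* are depositors; C1, C2, CHG, D1, D2 are addresses the
# adversary moves funds through; MIXER stands in for a known exchange/mixer.
LEDGER = [
    Tx("t1", 10, ("V1",), (("SEED", 50_000_000),)),
    Tx("t2", 11, ("V4",), (("C2", 30_000_000),)),
    Tx("t3", 12, ("V2",), (("SEED", 20_000_000),)),
    Tx("t4", 13, ("SEED", "C2"), (("C1", 90_000_000), ("CHG", 10_000_000))),
    Tx("t5", 20, ("C1",), (("MIXER", 90_000_000),)),
    Tx("t6", 21, ("CHG",), (("D1", 10_000_000),)),
    Tx("t7", 22, ("D1",), (("D2", 10_000_000),)),
    Tx("t8", 40, ("V3",), (("SEED", 10_000_000),)),  # after the extension's lifespan
]
KNOWN_SERVICES = {"MIXER"}   # constructed stand-in for WalletExplorer/OXT service labels

def co_spent_with(ledger, addr):
    """Multi-input heuristic: addresses spent together with addr share its owner."""
    return {a for tx in ledger if addr in tx.inputs for a in tx.inputs if a != addr}

def outgoing_targets(ledger, addr):
    """Every output of a transaction spending from addr: transfer target and change."""
    return {a for tx in ledger if addr in tx.inputs for a, _ in tx.outputs if a != addr}

def expand_colluding(ledger, seed, known_services, max_depth=5):
    """Follow outgoing chains from seed until a known service, a dead end, or
    max_depth hops. Returns (colluding addresses, terminating services)."""
    colluding = set(co_spent_with(ledger, seed))
    services = set()
    queue = deque([(seed, 0)])
    seen = {seed}
    while queue:
        addr, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt in outgoing_targets(ledger, addr):
            if nxt in known_services:
                services.add(nxt)         # stop: funds left the adversary's control
                continue
            colluding.add(nxt)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return colluding, services

def deposits(ledger, addrs, adversary, start, end):
    """Transfers into addrs within [start, end] whose inputs are outside the adversary's set,
    so internal shuffling between colluding addresses is not counted as a loss."""
    rows = []
    for tx in ledger:
        if not (start <= tx.time <= end) or set(tx.inputs) & adversary:
            continue
        for a, amt in tx.outputs:
            if a in addrs:
                rows.append((tx, a, amt))
    return rows

def financial_impact(ledger, seed, start, end, known_services, max_depth=5):
    """Primary loss (into the seed), secondary loss (into colluding addresses),
    victim upper bound (unique depositors) and the services the money reached."""
    colluding, services = expand_colluding(ledger, seed, known_services, max_depth)
    adversary = colluding | {seed}
    primary = deposits(ledger, {seed}, adversary, start, end)
    secondary = deposits(ledger, colluding, adversary, start, end)
    return {
        "colluding": colluding,
        "services": services,
        "primary_loss": sum(amt for _, _, amt in primary),
        "secondary_loss": sum(amt for _, _, amt in secondary),
        "victims": {a for tx, _, _ in primary for a in tx.inputs},
    }

if __name__ == "__main__":
    report = financial_impact(LEDGER, "SEED", 0, 30, KNOWN_SERVICES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On this ledger the seed's funds are co-spent with C2, forwarded to C1 (which cashes out at MIXER, where tracking stops) and to the change address CHG, whose chain continues through D1 to D2. The deposit at time 40 falls outside the extension's lifespan and is excluded from the primary loss, which is the same window restriction the paper applies; lowering max_depth to 1 stops the expansion at the first hop.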
RQ4. Feature relevance. In this RQ, we seek to interpret the relevance and distinguishability of the features used in each stage of malicious extension detection in Section 8, to facilitate both the differentiation of emerging malicious extensions by users and their detection by anti-malware mechanisms.
Features in preliminary filtering. User reviews. Negative-sentiment reviews are indicative of maliciousness among extensions. 17% of malicious extensions have at least one negative review, and 42% of extensions with negative reviews are malicious. Words strongly suggesting illegal activities (for example, “theft”, “cheat”, “steal”) are at least twice as prevalent in malicious extensions compared to generically negative words (for example, “bad”, “horrible”).
Ratings and download numbers. We examine the ratings and download numbers of 1,000 randomly selected benign extensions and all 186 confirmed malicious extensions. We present the following two findings that the users may consider before they download and install a cryptocurrency-themed extension.
- Malicious extensions tend to have low download numbers (mostly less than 500), while benign ones often have 50,000 or more.
- There is a large discrepancy in rating scores among malicious extensions. Some have very low ratings (0 to 1 star) due to victim complaints, while others have abnormally high ratings (4+ stars) attributed to fake scores. As a result, the proportion of 4+ star malicious extensions (45%) is comparable to benign extensions (40%). Users should avoid relying solely on rating scores.
Programmatic features for detection. We employ 33 programmatic features in our classifier (Section 3.1). To measure each feature’s relevance to malicious extensions, we calculate the Odds Ratio between our malicious extension set (186 extensions) and the benchmark benign-extension set (186 randomly sampled extensions). Table 1 shows the five most (positively or negatively) relevant permissions, function types, and variable types, ranked by the absolute differences in Odds Ratios. Overall, most programmatic features (9/15) are negatively relevant to malicious extensions and positively relevant to benign ones.
Table 1. Odds Ratios of programmatic features for each extension category (P1-P5: permissions; F1-F5: function types; V1-V5: variable types; B1-B5: browser API types).

| Extension Type | P1 | P2 | P3 | P4 | P5 | F1 | F2 | F3 | F4 | F5 | V1 | V2 | V3 | V4 | V5 | B1 | B2 | B3 | B4 | B5 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Phishing | 9.51 | 0.26 | 0.18 | 0.20 | 0.35 | 0.62 | 1.81 | 2.95 | 2.79 | 2.01 | 0.21 | 0.98 | 0.55 | 0.89 | 1.42 | 2.84 | 0.00 | 0.00 | 1.13 | 0.00 |
| Mining | 9.05 | 2.55 | 3.90 | 1.85 | 2.47 | 1.79 | 0.45 | 1.60 | 1.42 | 2.67 | 1.53 | 3.29 | 1.03 | 0.54 | 1.29 | 6.62 | 0.00 | 21.95 | 6.00 | 6.62 |
| Scam | 2.52 | 0.83 | 2.72 | 0.98 | 0.73 | 0.50 | 4.24 | 1.14 | 1.00 | 1.51 | 0.55 | 1.35 | 0.65 | 1.00 | 0.42 | 0.00 | 2.21 | 0.00 | 1.33 | 2.21 |
| Adware | 12.79 | 0.85 | 0.72 | 0.76 | 0.76 | 2.53 | 0.64 | 2.81 | 2.48 | 0.38 | 1.02 | 3.49 | 1.26 | 0.27 | 1.45 | 19.86 | 12.64 | 0.00 | 7.11 | 0.00 |
| Gambling/Porn | 33.73 | 0.21 | 1.90 | 0.25 | 0.88 | 6.67 | 1.69 | 5.62 | 4.95 | 0.45 | 0.55 | 2.32 | 1.88 | 0.40 | 1.29 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| Malicious Overall | 3.26 | 0.63 | 1.52 | 0.69 | 0.75 | 0.21 | 2.30 | 1.92 | 1.74 | 1.62 | 0.55 | 1.41 | 0.71 | 0.80 | 0.89 | 4.11 | 2.44 | 2.44 | 2.36 | 1.62 |
| Benign | 0.31 | 1.58 | 0.66 | 1.45 | 1.34 | 4.67 | 0.43 | 0.52 | 0.57 | 0.62 | 1.83 | 0.71 | 1.40 | 1.25 | 1.12 | 0.24 | 0.41 | 0.41 | 0.42 | 0.62 |
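As an added example of how the Odds Ratio column pairs in Table 1 arise (this is not the paper's classifier or feature extractor), the script below parses constructed manifest.json fragments for one feature family, declared permissions, counts feature presence in a malicious and a benign set, computes the malicious-side Odds Ratio and its benign-side reciprocal, and ranks features by the absolute difference between the two. The manifests are made up; the permission names are ordinary Chrome permission identifiers, not the paper's P1-P5. Applying a 0.5 continuity correction so that a feature absent from one set does not divide by zero is an assumption; the paper reports raw zeros.

```python
from __future__ import annotations
import json

# Constructed manifest.json fragments standing in for the two extension corpora.
MALICIOUS_MANIFESTS = [
    '{"permissions": ["tabs", "<all_urls>", "webRequest", "storage"]}',
    '{"permissions": ["tabs", "<all_urls>", "clipboardWrite"]}',
    '{"permissions": ["<all_urls>", "storage"]}',
    '{"permissions": ["tabs", "<all_urls>", "webRequest", "webRequestBlocking"]}',
]
BENIGN_MANIFESTS = [
    '{"permissions": ["storage"]}',
    '{"permissions": ["storage", "activeTab"]}',
    '{"permissions": ["tabs", "storage", "notifications"]}',
    '{"permissions": ["activeTab", "<all_urls>"]}',
]

def permission_sets(manifests):
    """Parse each manifest and return the set of declared permissions per extension."""
    return [set(json.loads(m).get("permissions", [])) for m in manifests]

def odds_ratio(with_mal, total_mal, with_ben, total_ben):
    """Odds of a feature appearing in the malicious set divided by its odds in the
    benign set. The 0.5 continuity correction (an assumption) avoids a zero divisor
    when a feature never occurs in one of the sets."""
    a = with_mal + 0.5
    b = total_mal - with_mal + 0.5
    c = with_ben + 0.5
    d = total_ben - with_ben + 0.5
    return (a / b) / (c / d)

def feature_relevance(mal_sets, ben_sets):
    """{feature: (OR towards malicious, OR towards benign)}; the second is the reciprocal,
    which is why Table 1's Benign row mirrors the Malicious Overall row."""
    features = set().union(*mal_sets, *ben_sets)
    relevance = {}
    for f in sorted(features):
        m = sum(f in s for s in mal_sets)
        b = sum(f in s for s in ben_sets)
        or_mal = odds_ratio(m, len(mal_sets), b, len(ben_sets))
        relevance[f] = (round(or_mal, 2), round(1 / or_mal, 2))
    return relevance

def top_features(relevance, k=5):
    """Rank by the absolute difference between the two Odds Ratios, most relevant first."""
    return sorted(relevance,
                  key=lambda f: abs(relevance[f][0] - relevance[f][1]),
                  reverse=True)[:k]

if __name__ == "__main__":
    rel = feature_relevance(permission_sets(MALICIOUS_MANIFESTS),
                            permission_sets(BENIGN_MANIFESTS))
    for f in top_features(rel):
        print(f"{f:20s} malicious OR {rel[f][0]:6.2f}   benign OR {rel[f][1]:6.2f}")
```

A ratio well above 1 in the malicious column (here `<all_urls>`, present in every constructed malicious manifest) marks a feature that should weigh towards flagging an extension, while a ratio well below 1 (`activeTab`, declared only by the benign manifests) is evidence in the other direction; ratios near 1 carry little signal either way.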
Permissions. The file access permission (P1) shows high positive relevance among all malicious extension categories, indicating their general interest in accessing user files. In contrast, they are less engaged in Web communication (P2-P5), given their primary goal of executing carefully designed malicious behaviors. Mining extensions are an exception, as they constantly visit mining pools and intensively utilize Web communication permissions.
AST features. Four function types (F2-F4) and one variable type (V2) show positive relevance, indicating that malicious extensions tend to leverage a particular set of functions to implement their malicious logic, rather than other diversified features such as Web communication (for example, F1).
5.4.3 Features for confirmation.
Malicious elements. Nearly half of the identified malicious extensions embed malicious URLs or wallet addresses. Scam extensions embed malicious wallet addresses as the recipient of victim transactions. Phishing extensions embed malicious URLs to intercept victim credentials. Mining extensions embed malicious pool addresses for task retrieval and attacker wallet addresses to harvest mined cryptocurrencies. Adware/porn/gambling extensions embed malicious URLs to redirect victims to illegal services.
Network-level features. Communicating with malicious domains is prevalent among phishing and mining extensions, but each communicates with only one or two malicious domains among many benign domains to hide their activities. For example, the phishing extension Coinbase Wallet connects to one malicious domain among 45 total domains, and the mining extension KMine connects to two among 27 domains.
System-level features. High system-resource consumption is exhibited by 42% of mining extensions, with more than 90% CPU utilization at runtime, but is less typical among other categories. For example, Monero Browser Crypto Miner and earnsurfing use up to 90% CPU on average, while the phishing extension Atomic Wallet uses up to 30% and the benign extension MetaMask uses merely 17%.
Invoked browser APIs are also used as features for malicious extension detection.17 We study their effectiveness and relevance based on our dataset, with Odds Ratio values listed in Table 1.
6. Related Work
There is rich literature on malicious extension detection, leveraging various techniques including static, dynamic, and hybrid analysis. Pantelaios et al.16 proposed a static detection system that targets the delta of the extensions. It monitored nearly one million extensions and identified 143 malicious ones. Somé et al.17 constructed a static analyzer and identified 197 vulnerable extensions that allow Web applications to abuse their privileges, including accessing APIs and sensitive user data. Prior to this work, the misuse of excessive permissions had already drawn attention from the research community.12 Various techniques have been proposed to detect such vulnerabilities.1
Dynamic analysis has shown effectiveness for identifying malicious extensions through monitoring extension behaviors. Hulk10 triggers and detects malicious behaviors through carefully crafted web pages. It discovered 130 malicious extensions. Thomas et al.19 proposed a multi-staged pipeline to capture the malicious activities and characterize the revenue chain associated with the advertisement-injection extensions. Xing et al.24 propose a framework named Expector to facilitate the detection of advertisement injection among extensions.
Jagpal et al.15 designed and implemented a malicious extension detection system that leverages hybrid analysis across extensive dimensions through static and dynamic analysis. In comparison, our proposed approach targets the malicious behaviors specific to cryptocurrency-themed malicious extensions. Additionally, we cover wider evaluation and filtering dimensions, including the dynamics of user reviews, numbers of downloads, online times, and so on.
7. Conclusion
In this work, we characterize the cryptocurrency-themed malicious extensions. Specifically, we continuously monitor various extension stores for 18 months and collect cryptocurrency-themed extensions. Leveraging a lightweight detection approach, we identify 186 malicious extensions. We then reveal their distributions and development ecosystem, categories, financial implications, and defining features. To the best of our knowledge, this is the first systematic study of the status quo of cryptocurrency-themed malicious extensions. Our work should raise an alert to extension users and encourage extension store operators to enact dedicated countermeasures.