Cybersecurity researchers at McAfee Labs have detailed an ongoing campaign targeting cryptocurrency users through a malicious browser extension that silently replaces wallet addresses at the moment a transaction is initiated. The operation, which the team has dubbed Silent Swap, represents a classic clipper attack modernized for the browser extension ecosystem.
How the Attack Works
The campaign is distributed via unsigned installers, with researchers observing two distinct variants written in .NET and Golang respectively. Once installed, the extension masquerades as a legitimate Google Notes tool, giving users little reason to suspect malicious activity.
The core mechanism is address substitution. When a victim copies a cryptocurrency wallet address and initiates a transfer, the extension intercepts the clipboard contents and replaces the destination address with one controlled by the attacker. Because wallet addresses are long alphanumeric strings that most users do not verify character by character, the substitution typically goes unnoticed until funds are lost.
Why This Campaign Is Notable
The use of a fake productivity extension as the delivery vehicle is a deliberate social engineering choice. Browser extensions operate with elevated access to page content and clipboard data, making them particularly well-suited for this type of credential and transaction interception. The availability of two separate installer variants, one in .NET and one in Golang, suggests the threat actors are actively iterating on their tooling or targeting different victim environments.
Unsigned installers are a key indicator of compromise in this campaign. Security teams should ensure endpoint policies flag or block the installation of unsigned browser extensions and third-party software packages, particularly in environments where users handle cryptocurrency transactions.
Recommendations
- Install browser extensions only from official, verified sources such as the Chrome Web Store or equivalent vetted repositories, and confirm the publisher before installing.
- Always manually confirm the full wallet address on both the sending application and the recipient confirmation screen before approving any transaction.
- Enforce application whitelisting and unsigned installer blocking at the endpoint level.
- Review installed extensions across managed devices for any unfamiliar or recently added tools.
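The last recommendation, reviewing installed extensions for unfamiliar or recently added tools, can be partly automated by sweeping each browser profile's extension manifests. The script below is an added example (not McAfee's tooling and not code from the original article): it walks a Chromium-style `Extensions/<id>/<version>/manifest.json` tree, records which extensions request clipboard permissions or access to every site, and sorts by directory modification time so recent additions surface first. The two manifests it inspects are constructed sample data, including the "Google Notes" name the campaign uses as cover; the extension IDs and the decision to flag on clipboard or all-site access are the example's own assumptions.

```python
"""Inventory Chromium-style browser extensions and flag those that can read or
rewrite the clipboard or run on every site. Added example for this article;
the directory layout follows Chromium's Extensions/<id>/<version>/manifest.json."""
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Manifest permissions that let an extension read or rewrite clipboard contents.
CLIPBOARD_PERMISSIONS = {"clipboardRead", "clipboardWrite"}
# Host patterns that grant access to every page the user visits.
ALL_SITE_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest: dict) -> set:
    """Collect host access from MV2 'permissions', MV3 'host_permissions'
    and content_scripts 'matches' so both manifest versions are covered."""
    perms = manifest.get("permissions", [])
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    hosts |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return hosts


def inventory_extensions(extensions_root) -> list:
    """Return one record per installed extension version, newest first, with
    'flagged' set when it requests clipboard access or access to every site."""
    records = []
    for manifest_path in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: skip it rather than abort the sweep
        perms = set(manifest.get("permissions", []))
        clipboard = sorted(perms & CLIPBOARD_PERMISSIONS)
        all_sites = bool(_host_patterns(manifest) & ALL_SITE_PATTERNS)
        records.append({
            "id": manifest_path.parent.parent.name,
            "version": manifest_path.parent.name,
            "name": manifest.get("name", "<unnamed>"),
            "clipboard": clipboard,
            "all_sites": all_sites,
            # Directory mtime approximates install/update time for "recently added" review.
            "installed": datetime.fromtimestamp(
                manifest_path.parent.stat().st_mtime, timezone.utc),
            "flagged": bool(clipboard) or all_sites,
        })
    records.sort(key=lambda r: r["installed"], reverse=True)
    return records


def build_sample_profile() -> str:
    """Create a constructed Extensions/ tree in a temp dir: one benign manifest
    and one modelled on the cover identity described in the article.
    The IDs are placeholders, not real extension identifiers."""
    root = Path(tempfile.mkdtemp(prefix="ext_review_"))
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0.0": {
            "manifest_version": 3, "name": "Sample Dictionary", "version": "1.0.0",
            "permissions": ["storage", "activeTab"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/2.3.1": {
            "manifest_version": 3, "name": "Google Notes", "version": "2.3.1",
            "permissions": ["clipboardRead", "clipboardWrite", "storage"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
        },
    }
    for rel, manifest in samples.items():
        ext_dir = root / rel
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for rec in inventory_extensions(build_sample_profile()):
        mark = "REVIEW" if rec["flagged"] else "ok"
        print(f"{mark:6} {rec['name']!r:22} v{rec['version']:8} "
              f"clipboard={rec['clipboard']} all_sites={rec['all_sites']}")
```

To run this against a real profile, point `inventory_extensions` at the profile's extension directory, for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows. A flag is a prompt for human review, not a verdict: many legitimate extensions request all-site access, so the useful signal is the combination of broad permissions, an unfamiliar name, and a recent install time.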
Clipboard hijacking targeting cryptocurrency users is not new, but embedding that capability inside a browser extension with a convincing cover identity lowers the barrier to infection and raises the difficulty of detection. Security professionals should treat any unexpected extension installation as a potential indicator of compromise, especially in high-value financial contexts.
