Fake Browser Extension Drains Crypto Wallets via Address Swapping

Cybersecurity researchers have identified a campaign called Silent Swap that employs malicious browser extensions to hijack cryptocurrency transactions. The extensions, including one disguised as a Google Notes tool, silently replace wallet addresses when users initiate transfers, diverting funds to attacker-controlled wallets.

McAfee Labs, which codenamed the activity, reports the campaign uses unsigned installers available in .NET and Golang variants. The scale of the threat remains unclear, though the focus on browser-based clippers signals a growing trend of targeting transaction workflows rather than compromising wallets directly.

The attack vector hinges on users installing the fake extension through social engineering or compromised distribution channels. Once active, the clipper monitors clipboard data and substitutes the intended wallet address with one belonging to the attacker at the moment of a transaction, making the theft difficult to detect before funds are lost.

No official patches or mitigation steps from browser vendors or blockchain platforms have been disclosed as of publication. Users are advised to verify the authenticity of any extension before installation, particularly those requesting permissions to read clipboard data or modify web content.

Attribution for the campaign has not been publicly linked to a specific threat actor. This incident adds to a broader landscape of cryptojacking and address-clipping schemes that have escalated as cryptocurrency adoption continues to grow.