Jan 13, 2026 | Ravie Lakshmanan | Web Security / Online Fraud
Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that is capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries, while masquerading as a tool to automate trading on the platform.
The extension, named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), has 29 downloads and is still available on the Chrome Web Store as of writing. It was first published on September 1, 2025, by a developer named “jorjortan142.”
“The extension programmatically creates new MEXC API keys, enables withdrawal permissions, hides that permission in the user interface (UI), and exfiltrates the resulting API key and secret to a hardcoded Telegram bot controlled by the threat actor,” Socket security researcher Kirill Boychenko said in an analysis.
According to the Chrome Web Store listing, the web browser add-on is described as an extension that “simplifies connecting your trading bot to the MEXC exchange” by generating the API keys with the necessary permissions on the management page, including to facilitate trading and withdrawals.
In doing so, the installed extension enables a threat actor to control any MEXC account accessed from the compromised browser, allowing them to execute trades, perform automated withdrawals, and even drain the wallets and balances reachable by the service.
“In practice, as soon as the user navigates to MEXC’s API management page, the extension injects a single content script, script.js, and begins operating inside the already authenticated MEXC session,” Socket added. To achieve this, the extension checks whether the current URL contains the string “/user/openapi,” which refers to the API key management page.
The script then programmatically creates a new API key and ensures that withdrawal capability is enabled. At the same time, it tampers with the page’s user interface to give the user the impression that the withdrawal permission has been disabled. As soon as the process to generate the Access Key and Secret Key is complete, the script extracts both values and transmits them to a hard-coded Telegram bot under the threat actor’s control using an HTTPS POST request.
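As an added defender-side example (not code from Socket, MEXC, or the extension itself), the following Python audit checks an unpacked extension for the three indicators the article describes: a content script matched onto the exchange's pages, a reference to the API key management path, and a hard-coded Telegram bot endpoint. The exchange-domain substring "mexc", the sample manifest and the sample script are assumptions constructed for the example.

```python
import re

# Chrome Web Store ID of the extension reported in the article.
KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}

# Indicators drawn from the article's description of script.js. The Telegram Bot API
# host is Telegram's standard bot endpoint; matching exchange pages on the substring
# "mexc" is an assumption, since the article does not give the exchange's domain.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:")
OPENAPI_PATH = "/user/openapi"
EXCHANGE_HINT = "mexc"


def audit_extension(ext_id, manifest, scripts):
    """Return findings for one unpacked extension: ext_id is its store ID,
    manifest the parsed manifest.json, scripts {filename: JavaScript source}."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known-bad extension id")
    for cs in manifest.get("content_scripts", []):
        # Content scripts run inside the exchange's authenticated session.
        if any(EXCHANGE_HINT in m.lower() for m in cs.get("matches", [])):
            findings.append("content script injected on exchange pages: "
                            + ", ".join(cs.get("js", [])))
    for name, src in scripts.items():
        if TELEGRAM_BOT_RE.search(src):
            findings.append(f"{name}: hard-coded Telegram bot endpoint (exfiltration)")
        if OPENAPI_PATH in src:
            findings.append(f"{name}: keys on the API key management page {OPENAPI_PATH}")
    return findings


# Constructed sample carrying the indicators the article describes; it is not the
# real extension's code and does nothing beyond containing those strings.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Trading Helper",
    "content_scripts": [{"matches": ["https://www.mexc.example/*"], "js": ["script.js"]}],
}
SAMPLE_SCRIPT = ("if (location.href.includes('/user/openapi')) {\n"
                 "  // placeholder token, constructed for the sample\n"
                 "  const url = 'https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage';\n"
                 "}\n")

if __name__ == "__main__":
    sample_id = "a" * 32  # constructed ID, not on any block list
    for f in audit_extension(sample_id, SAMPLE_MANIFEST, {"script.js": SAMPLE_SCRIPT}):
        print("FINDING:", f)
```

Pointing the same checks at every directory under the browser profile's extension folder gives a quick triage pass during incident response; any hit on the Telegram or openapi indicators warrants revoking the exchange API keys created while the extension was installed.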
The threat poses a severe risk, as it remains active as long as the keys are valid and not revoked, granting the attackers unfettered access to the victim’s account even if they end up uninstalling the extension from the Chrome browser.
“In effect, the threat actor uses the Chrome Web Store as the delivery mechanism, the MEXC web UI as the execution environment, and Telegram as the exfiltration channel,” Boychenko noted. “The result is a purpose-built credential-stealing extension that targets MEXC API keys at the moment they’re created and configured with full permissions.”
The attack is made possible by the fact that it leverages an already authenticated browser session to achieve its goals, thereby obviating the need to obtain a user’s password or bypass authentication protections.
It’s currently not clear who is behind the operation, but a reference to “jorjortan142” points to an X handle with the same name that links to a Telegram bot named SwapSushiBot, which is also promoted across TikTok and YouTube. The YouTube channel was created on August 17, 2025.
“By hijacking a single API workflow inside the browser, threat actors can bypass many traditional controls and go straight for long-lived API keys with withdrawal rights,” Socket said. “The same playbook can be readily adapted to other exchanges, DeFi dashboards, broker portals, and any web console that issues tokens in session, and future variants are likely to introduce heavier obfuscation, request broader browser permissions, and bundle support for multiple platforms into a single extension.”
