A new Google Chrome extension used to steal bitcoin (BTC) was recently discovered, it is called CryptoCashBack (CCB).

Fortunately, it was properly removed from the Google store.

The extension was interested in stealing crypto, including BTC, ETH, BCH, BNB, LTC, XRP and ETC.

Once installed, CryptoCashBack required the access to several websites and services like Github, Exmo, Coinbase, Binance, HitBTC, LocalBitcoins and other famous exchanges and platforms.

The extension was so powerful that, depending on the website, it was able to steal all the credentials including the 2FA code, thus managing to bypass even the security needed when one wants to withdraw their cryptocurrencies from a wallet or an exchange.

In fact, analyzing the code of the extension, it can be seen that the data (login and password) were saved on the string “localStorage.getItem”, which sent them directly to the website of the hacker without this operation being visible or blocking the hacked website.

The various addresses where the stolen cryptocurrencies were redirected have been traced:

  • BTC – 16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S
  • ETH – 0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca
  • BCH – 1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3
  • LTC – LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP
  • BNB – 0x03B70DC31abF9cF6C1cf80bfEEB322E8D3DBB4ca
  • XRP – rGmdGrMjvxt6S3VjF4M78U2YMLPR6XLPSN
  • ETC – 0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5

The damage is for a total of over 23 BTCs accumulated since the launch of the extension on December 3rd.

Both the extension and the website (with the relative addresses of the authors) have been taken offline, so now there is no longer the risk of becoming a victim of the fraud.

Google has also warned the exchanges of the incident to take action.

For those affected, the only way to be safe again is to change all the credentials of your wallets and exchanges.