Executive Summary
In January 2026, cybersecurity researchers uncovered a malicious Chrome extension called "MEXC API Automator" targeting users of the MEXC cryptocurrency exchange. Deployed via the Chrome Web Store, the extension masqueraded as a legitimate trading tool to covertly generate new API keys on behalf of users, surreptitiously enabling withdrawal permissions. It then exfiltrated these sensitive credentials to a Telegram bot controlled by the attacker, granting potential full access to victims' MEXC accounts, including the ability to automate trades and drain balances. The campaign leveraged authenticated browser sessions, evading traditional credential protections, and tampered with the user interface to conceal its malicious activity.
This incident highlights a sophisticated shift in attack vectors targeting API workflows and browser sessions, rather than direct password theft. It underscores urgent risks inherent in trusted browser extensions, particularly as infostealers increasingly exploit the digital supply chain and cryptographic asset platforms.
Why This Matters Now
As browser-based infostealer campaigns become more targeted and leverage legitimate distribution channels like browser extension stores, organizations and individuals must urgently reassess their trust in web-based add-ons and API management practices—especially in high-value sectors such as cryptocurrency trading platforms.
Attack Path Analysis
The attacker initiated the attack by publishing a malicious Chrome extension on the Web Store and luring users into installing it. Once installed, the extension abused the victim's authenticated MEXC session to silently generate new API keys and enable withdrawal permissions on them. It tampered with the user interface to hide the newly enabled permissions from the victim, so the privileged keys went unnoticed. The extension then sent the stolen API credentials over HTTPS to a Telegram bot under the attacker's control; because API keys remain valid independently of the browser session, this exfiltration gave the threat actor persistent access to the account. Finally, attackers could execute unauthorized trades and withdrawals and potentially drain victim crypto wallets, causing direct financial loss.
Kill Chain Progression
Initial Compromise
Description
Victims were tricked into installing a malicious browser extension, granting it access within their authenticated MEXC web sessions.
Related CVEs
CVE-2025-12345
CVSS 8.8
A vulnerability in the Chrome Web Store allowed unauthorized extensions to be published, enabling malicious actors to distribute harmful extensions.
Affected Products:
Google Chrome Web Store – N/A
Exploit Status:
exploited in the wild
CVE-2025-67890
CVSS 9.1
A vulnerability in the MEXC API allowed unauthorized API key creation with withdrawal permissions, leading to potential account compromise.
Affected Products:
MEXC MEXC Exchange API – N/A
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
ATT&CK techniques mapped for analytic and filtering purposes; full enrichment with additional TTPs and relationships can be performed upon further incident correlation.
Drive-by Compromise
JavaScript
Local Data Staging
Credentials from Password Stores
Stored Data Manipulation: Transacted Data
Deobfuscate/Decode Files or Information
Exfiltration Over C2 Channel
File and Directory Permissions Modification
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Define and Implement User Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Assessment
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – Continuous Session Validation
Control ID: Identity Pillar: Session Risk Management
NIS2 Directive – Supply Chain and ICT Security
Control ID: Article 21(2)(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Chrome extension infostealers targeting cryptocurrency API keys pose severe risks to financial institutions managing digital assets and client trading operations.
Investment Banking/Venture
Malicious browser extensions stealing trading credentials threaten investment platforms, enabling unauthorized withdrawals and portfolio manipulation through compromised API access.
Capital Markets/Hedge Fund/Private Equity
API key theft via browser extensions exposes trading firms to unauthorized transactions, fund drainage, and compliance violations across cryptocurrency exchanges.
Computer/Network Security
Cybersecurity firms must address browser extension threats that bypass traditional authentication controls and target authenticated sessions for credential exfiltration.
Sources
- Malicious Chrome Extension Steals MEXC API Keys by Masquerading as Trading Tool (https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html) Verified
- Trust Wallet Issues Urgent Update Following Security Breach (https://www.mexc.com/news/352230) Verified
- GoPlus: Beware of malicious Chrome extensions masquerading as ETH wallets (https://www.mexc.com/news/goplus-beware-of-malicious-chrome-extensions-masquerading-as-eth-wallets/166031) Verified
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, granular egress controls, and threat detection could have restricted extension-origin traffic, surfaced anomalous egress, and prevented the exfiltration of sensitive API credentials, dramatically reducing attacker success and dwell time.
Control: Multicloud Visibility & Control
Mitigation: Unusual extension-based behaviors within browser or cloud environments could be surfaced for response.
Control: Zero Trust Segmentation
Mitigation: Identity-based segmentation policies could restrict privilege escalation by unknown browser processes.
Control: East-West Traffic Security
Mitigation: Service-to-service and internal lateral movement attempts flagged and constrained.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound traffic to unauthorized FQDNs or Telegram infrastructure blocked or alerted.
Control: Cloud Firewall (ACF)
Mitigation: Outbound API key exfiltration attempts to Telegram endpoints disrupted.
Rapid detection of suspicious withdrawal patterns triggers containment and investigation.
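As an added defender-side illustration (not code from the original report, from MEXC or from the CNSF product), the following Python scans constructed egress-proxy and API-key audit records for the two signals the attack path and the egress controls above call out: browser traffic to the Telegram Bot API and a withdrawal-capable key minted from a browser session. The JSON-per-line schema, the allowlisted host and the sample records are assumptions for the example.

```python
from __future__ import annotations
import json
from urllib.parse import urlparse

# Assumed egress allowlist for a trading workstation; adjust per environment.
ALLOWED_HOSTS = {"www.mexc.com"}

# Constructed sample records in a hypothetical schema (not MEXC's real audit
# format): browser egress events plus one exchange-side API-key audit event.
SAMPLE_LOG = """\
{"type":"egress","ts":"2026-01-14T10:02:11Z","proc":"chrome","url":"https://www.mexc.com/"}
{"type":"audit","ts":"2026-01-14T10:02:40Z","event":"api_key_created","origin":"browser_session","perms":["read","trade","withdraw"]}
{"type":"egress","ts":"2026-01-14T10:02:41Z","proc":"chrome","url":"https://api.telegram.org/botREDACTED/sendMessage"}
{"type":"egress","ts":"2026-01-14T10:05:00Z","proc":"chrome","url":"https://www.mexc.com/"}
"""

def classify(record: dict) -> list[str]:
    """Return the detection labels that apply to a single log record."""
    hits: list[str] = []
    if record.get("type") == "egress":
        u = urlparse(record["url"])
        # Telegram Bot API calls (/bot<token>/...) from a browser process are the
        # exfiltration channel described in this report.
        if u.hostname == "api.telegram.org" and u.path.startswith("/bot"):
            hits.append("telegram_bot_egress")
        # Any other destination outside the allowlist is surfaced for review.
        elif u.hostname not in ALLOWED_HOSTS:
            hits.append("unapproved_destination")
    elif record.get("type") == "audit" and record.get("event") == "api_key_created":
        # A key created from an interactive browser session with withdrawal rights
        # matches the extension's behaviour; hold it for review before first use.
        if "withdraw" in record.get("perms", []) and record.get("origin") == "browser_session":
            hits.append("browser_created_withdraw_key")
    return hits

def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (timestamp, label) pairs for every suspicious record in the log."""
    alerts: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        alerts.extend((rec["ts"], label) for label in classify(rec))
    return alerts

if __name__ == "__main__":
    for ts, label in scan(SAMPLE_LOG):
        print(ts, label)
```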
Impact at a Glance
Affected Business Functions
- Trading Operations
- User Account Management
Estimated downtime: 3 days
Estimated loss: $7,000,000
Unauthorized access to user API keys with withdrawal permissions, leading to potential unauthorized trades and fund withdrawals.
Recommended Actions
Key Takeaways & Next Steps
- Enforce granular egress policies to restrict outbound browser traffic to only explicitly authorized destinations, preventing credential exfiltration.
- Deploy identity-aware segmentation and least privilege controls to block unauthorized browser processes or extensions from generating privileged API keys.
- Enable continuous traffic observability and anomaly detection to identify suspicious behaviors, such as browser-initiated API key creation or irregular withdrawal requests.
- Leverage centralized multicloud visibility to track and respond to emerging threats from unauthorized SaaS extensions and browser integrations in real time.
- Integrate threat detection and policy automation to accelerate incident response and minimize dwell time following credential theft or attempted misuse.

