This article is more than 1 year old

Bitcoin hijackers found at least one sucker for scam Chrome extension

Victim of 'FacexWorm' malware clicked on random link from Facebook Messenger

Security researchers have caught a Bitcoin-hijacking Chrome extension that only managed to grab one BitCoin transaction before being exposed.

Trend Micro researchers said the malicious extensions used an attack technique that first emerged last year, dubbed FacexWorm, and added that they noticed re-emerging activity earlier this month.

FacexWorm propagates in malicious Facebook Messenger messages, the company said, and only attacks Chrome; if another browser is detected, the user is directed to an innocuous-looking advertisement.

Victims were tricked into installing the malicious extension as a codec extension, offered when they clicked a Facebook Messenger link to a YouTube video.

“FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine,” the post said. “It downloads additional JavaScript code from the C&C server when the browser is opened. Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviours on that webpage”.

FacexWorm infection chain

The FacexWorm infection chain. Click to enlarge

To that are added the ability to steal account credentials for websites of interest to FacexWorm, while redirecting victims to cryptocurrency scams. The Trend post added that it also “injects malicious mining codes on the webpage, redirects to the attacker’s referral link for cryptocurrency-related referral programs, and hijacks transactions in trading platforms and web wallets by replacing the recipient address with the attacker’s.”

In case it got nowhere trying to hijack transactions, the extension would also try to pick up pennies with referral scams targeting Binance, DigitalOcean,,, HashFlare, and others.

Once infected with the extension, a user searching for cryptocurrency-related words in the URL bar – “blockchain” or “ethereum”, for example – would be hijacked to a fraudulent page. That page asks users to send 0.5 to 10 ether to the attackers wallet “for verification”, promising 5-100 ether in return. “We have so far not found anyone who has sent ETH to the attacker’s address,” Trend's researchers said.

It seems there's a limit to peoples' folly, after all. ®

More about


Send us news

Other stories you might like