
Silent Swap Malware Uses Browser Extensions to Steal Cryptocurrency

Cybersecurity researchers have uncovered a sophisticated cryptocurrency theft campaign known as Silent Swap, which uses malicious browser extensions to secretly replace copied cryptocurrency wallet addresses. The attack can redirect digital assets to attacker-controlled wallets without victims realizing it until it’s too late.

The campaign highlights how cybercriminals are evolving beyond traditional malware by combining stealth installation techniques, blockchain-based infrastructure, and dynamic wallet replacement.

How Silent Swap Works

The malware is distributed through unsigned installers, available in both .NET and Golang versions. These installers disguise themselves as legitimate software before secretly deploying a malicious Chromium browser extension that appears to be a harmless utility called Google Notes.

Once executed, the installer scans the system for Chromium-based browsers such as:

  • Google Chrome
  • Microsoft Edge
  • Brave
  • Vivaldi
  • Opera

For every browser profile it finds, the malware force-closes the browser and then edits the profile's configuration files, including Secure Preferences and Preferences, so that the malicious extension is registered without any install prompt or user interaction.

Clipboard Hijacking to Steal Cryptocurrency

After installation, the fake extension requests permissions to:

  • Access the clipboard
  • Read browsing history
  • Access all websites

With clipboard access, the extension can read every value the user copies, recognise when it has the shape of a cryptocurrency address, and write a different address back to the clipboard. When the user pastes the destination into a wallet, they paste the attacker's address, and nothing looks wrong unless the pasted text is compared character by character with the text that was copied.

Since cryptocurrency transactions are generally irreversible, victims may permanently lose their funds if they fail to verify the destination address.
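The recognition step, and the defensive check that defeats it, as an added example (this is not the article's or the malware's code). The address patterns are heuristic shapes chosen for illustration, not validators, and the copy/paste events are constructed:

```python
import re

# Heuristic address shapes (assumption: good enough to demonstrate the idea, not
# validation; real checks should also verify checksums). Order matters: a bare
# base58 string of 32-44 characters also fits several narrower shapes, so SOL
# is tested last, and legacy BCH addresses share the BTC "1"/"3" prefix.
ADDRESS_PATTERNS = [
    ("BTC", re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$")),
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("BCH", re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$")),
    ("XRP", re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("DASH", re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("SOL", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]


def classify(text):
    """Return the chain whose address shape the text matches, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return chain
    return None


def check_before_send(copied, clipboard_now):
    """The check a wallet UI or user should make: does the clipboard still hold
    exactly what was copied? Returns (verdict, detail)."""
    chain = classify(copied)
    if chain is None:
        return "not-an-address", None
    if clipboard_now.strip() == copied.strip():
        return "ok", chain
    return "swapped", (chain, classify(clipboard_now))


def scan(events):
    """Run the check over (copied, clipboard_at_paste) pairs; return verdicts."""
    return [check_before_send(copied, now)[0] for copied, now in events]


# Constructed copy/paste events; none of these are real wallets.
SAMPLE_EVENTS = [
    ("0x" + "ab" * 20, "0x" + "ab" * 20),          # untouched ETH address
    ("0x" + "ab" * 20, "0x" + "cd" * 20),          # same chain, different address
    ("1" + "A" * 33, "1" + "B" * 33),              # BTC legacy address swapped
    ("S" + "o" * 42, "S" + "o" * 42),              # untouched SOL address
    ("meeting notes for tuesday", "meeting notes for tuesday"),
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(verdict, check_before_send(*event)[1])
```

The second and third events are the clipper's signature: the replacement is a valid-looking address of the same chain, so a glance at the format catches nothing. Only a full comparison of copied and pasted text does, which is why the advice later in this article is to verify the whole address, not just its first and last characters.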

Blockchain Powers the Malware’s Infrastructure

One of the campaign's most notable features is its use of EtherHiding, a technique that stores command-and-control (C2) details in a blockchain smart contract, so the contract, rather than a fixed domain or IP address, is what the malware looks up.

Instead of relying on fixed servers that can be blocked or taken offline, the malware performs a read-only call against the contract and uses the returned value as the address of its current server. Reading contract state needs no transaction and is answered by public RPC endpoints, so the attackers only have to update the contract to redirect every infected system to a new server, and the lookup itself cannot be taken down without affecting the chain. For defenders, the practical consequence is that the stable indicators are the contract address and the outbound requests to blockchain RPC endpoints, which a browser extension with no blockchain purpose has no reason to make.

Bypassing Browser Security

Chromium keeps the extension list and other sensitive settings in each profile's Secure Preferences file and protects every tracked entry with a keyed hash (an HMAC stored under the file's protection.macs section), plus a super_mac over the whole set of hashes. An entry whose hash does not match, or that has no hash at all, is treated as tampered and reset the next time the browser starts, which is why simply editing the JSON is not enough to side-load an extension.

Silent Swap defeats this by recomputing those hashes after it edits the file. At the next start the browser sees a consistent file and accepts the malicious extension as if it had been installed legitimately.
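A model of that integrity check, added here as an example rather than taken from the article or from Chromium's source. It follows the shape of Chromium's scheme (per-entry HMAC-SHA256 values under protection.macs and a super_mac over that dictionary) but uses a placeholder seed, a placeholder device id and a simplified JSON canonicalisation, so it will not validate a real profile. The preference fragment and both extension ids are constructed. The point it makes is the caveat a responder needs: once the hashes have been re-stamped, the integrity check passes, so detection has to look at the content of the extension entries instead.

```python
import copy
import hashlib
import hmac
import json

SEED = b"placeholder-seed"            # assumption: the real seed is per build
DEVICE_ID = "S-1-5-21-0-0-0-1001"     # assumption: stand-in for the Windows machine SID
SUSPICIOUS = {"clipboardRead", "clipboardWrite", "history", "<all_urls>"}
LEGIT_ID = "abcdefghijklmnopabcdefghijklmnop"   # constructed extension id
ROGUE_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"   # constructed extension id


def canonical_json(value):
    """Compact, key-sorted JSON; a simplification of Chromium's serializer."""
    return json.dumps(value, separators=(",", ":"), sort_keys=True)


def calculate_mac(path, value, seed=SEED, device_id=DEVICE_ID):
    """HMAC-SHA256(seed, device_id + path + value_json) as uppercase hex."""
    msg = (device_id + path + canonical_json(value)).encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest().upper()


def lookup(tree, path):
    for part in path.split("."):
        tree = tree[part]
    return tree


def tracked_paths(prefs):
    """One MAC per extension entry plus the tracked homepage setting."""
    return ["extensions.settings." + i for i in prefs["extensions"]["settings"]] + ["homepage"]


def stamp_macs(prefs, seed=SEED, device_id=DEVICE_ID):
    """Recompute every MAC and the super_mac in place: what a legitimate install
    does, and what the installer redoes after editing the file."""
    macs = {}
    for path in tracked_paths(prefs):
        *parents, leaf = path.split(".")
        node = macs
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = calculate_mac(path, lookup(prefs, path), seed, device_id)
    prefs["protection"] = {"macs": macs, "super_mac": calculate_mac("", macs, seed, device_id)}
    return prefs


def verify_macs(prefs, seed=SEED, device_id=DEVICE_ID):
    """Startup-style check returning {path: ok}; a tracked value with no MAC fails."""
    protection = prefs.get("protection", {})
    macs = protection.get("macs", {})
    results = {}
    for path in tracked_paths(prefs):
        try:
            stored = lookup(macs, path)
        except KeyError:
            results[path] = False
            continue
        results[path] = hmac.compare_digest(
            calculate_mac(path, lookup(prefs, path), seed, device_id), stored)
    results["super_mac"] = hmac.compare_digest(
        calculate_mac("", macs, seed, device_id), protection.get("super_mac", ""))
    return results


def flag_extensions(prefs):
    """Content check that a re-stamp cannot defeat: side-loaded entries that hold
    clipboard, history or all-URL access. Returns {ext_id: [reasons]}."""
    flagged = {}
    for ext_id, entry in prefs["extensions"]["settings"].items():
        granted = entry.get("granted_permissions", {})
        perms = set(granted.get("api", [])) | set(granted.get("explicit_host", []))
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if perms & SUSPICIOUS:
            reasons.append("holds " + ", ".join(sorted(perms & SUSPICIOUS)))
        if reasons:
            flagged[ext_id] = reasons
    return flagged


def build_clean_prefs():
    """Constructed profile with one Web Store extension, correctly stamped."""
    prefs = {"homepage": "https://example.org/", "extensions": {"settings": {LEGIT_ID: {
        "from_webstore": True, "state": 1,
        "granted_permissions": {"api": ["storage"], "explicit_host": []}}}}}
    return stamp_macs(prefs)


def sideload_rogue(prefs):
    """Copy of prefs with a side-loaded notes-style extension appended, MACs untouched."""
    tampered = copy.deepcopy(prefs)
    tampered["extensions"]["settings"][ROGUE_ID] = {
        "from_webstore": False, "state": 1,
        "granted_permissions": {"api": ["clipboardRead", "clipboardWrite", "history"],
                                "explicit_host": ["<all_urls>"]}}
    return tampered
```

Running verify_macs on sideload_rogue(build_clean_prefs()) shows the naive edit failing on the new entry, which is what the browser would reset; running it on stamp_macs(sideload_rogue(...)) shows every check passing. flag_extensions still reports the rogue entry in both cases, because from_webstore and granted_permissions are data the attacker has to leave in place for the extension to work.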

The malware also attempts to:

  • Enable Developer Mode in Brave and Opera (the setting that lets the browser load unpacked extensions)
  • Delete the installer after execution
  • Load automatically whenever the browser starts

These techniques reduce visible indicators of compromise and help the malware remain undetected.

Dynamic Wallet Replacement Makes Detection Harder

Unlike older clipboard hijackers that always substituted the same wallet address, Silent Swap uses a server-side mapping system.

When a victim copies a wallet address, the extension sends it to the attacker’s server, which returns a unique replacement address. If communication with the server fails, the malware switches to a built-in backup wallet address to continue stealing funds.

Researchers found support for several popular cryptocurrencies, including:

  • Bitcoin (BTC)
  • Ethereum (ETH)
  • Bitcoin Cash (BCH)
  • Ripple (XRP)
  • Dash (DASH)
  • Solana (SOL)

Interestingly, every submitted Solana wallet was redirected to a single attacker-controlled address that held approximately $1,900 at the time of the investigation.

Victims Found Worldwide

Telemetry data indicates that Silent Swap has infected users across multiple countries.

The highest concentration of victims was observed in India, followed by:

  • United States
  • Brazil
  • Indonesia
  • Spain

Researchers also believe the campaign shares similarities with previously observed cryptocurrency clipper operations, suggesting it may be linked to an established threat actor.

Fake VPN Browser Extensions Also Steal Clipboard Data

In a separate discovery, security researchers identified two malicious browser extensions named “VPN Go: Free VPN” that were available on both the Chrome Web Store and Mozilla Firefox Add-ons marketplace.

Although these extensions provided functional proxy services, they secretly monitored users’ clipboards and transmitted copied data to attacker-controlled servers.

The stolen information included:

  • Cryptocurrency wallet addresses
  • Passwords
  • One-time authentication codes
  • API keys
  • OAuth tokens
  • Recovery seed phrases

Malicious Updates Introduced the Threat

The attackers used a staged update strategy to avoid detection.

Initially, they published clean versions of the VPN extensions to build trust and pass store reviews. Later updates quietly introduced the clipboard-stealing functionality.

Researchers observed that newer versions also changed their data exfiltration servers, allowing attackers to rotate infrastructure without removing the extensions.

How to Stay Protected

To reduce the risk of cryptocurrency theft through browser extensions:

  • Install browser extensions only from trusted developers.
  • Carefully review requested permissions before installation.
  • Verify the full destination address, not just its first and last characters, on the wallet's confirmation screen before approving every transaction.
  • Keep browsers and security software updated.
  • Avoid enabling Developer Mode unless absolutely necessary.
  • Remove suspicious extensions immediately.

If you previously installed the affected VPN extensions, security experts recommend uninstalling them immediately and treating any passwords, authentication codes, wallet addresses, or recovery phrases copied while the extension was active as potentially compromised.

Final Thoughts

Silent Swap demonstrates how browser-based malware is becoming more advanced, combining decentralized infrastructure, stealthy installation methods, and dynamic wallet replacement to maximize cryptocurrency theft while avoiding detection.

As digital assets continue to gain popularity, users should remain cautious when installing browser extensions, verify wallet addresses before every transaction, and regularly audit installed extensions to reduce the risk of financial loss.
