
The Wolf in Sheep's Clothing: Analysis of Fake Chrome Extensions Theft
TechFlow Selected TechFlow Selected

The Wolf in Sheep's Clothing: Analysis of Fake Chrome Extensions Theft
When walking through the dark forest of blockchain, maintain a skeptical mindset and ensure that what you install is secure.
Authors: Shan, Thinking, SlowMist Security Team
Background
On March 1, 2024, Twitter user @doomxbt reported unusual activity in their Binance account, with funds appearing to be stolen:

(https://x.com/doomxbt/status/1763237654965920175)
Initially, this incident did not attract much attention. However, on May 28, 2024, Twitter user @Tree_of_Alpha analyzed and discovered that the victim @doomxbt likely installed a malicious Aggr browser extension from the Chrome Web Store—despite it having many positive reviews. This extension could steal all cookies from websites visited by the user, and two months prior, someone had paid influencers to promote it.

(https://x.com/Tree_of_Alpha/status/1795403185349099740)
In recent days, awareness of this incident has increased. Victims’ login credentials were stolen, after which hackers used wash trading to steal their cryptocurrency assets. Many users have since reached out to the SlowMist security team for clarification. Below, we provide a detailed analysis of this attack to sound the alarm for the crypto community.
Analysis
First, we needed to locate the malicious extension. Although Google has already removed it from the Chrome Web Store, we were able to retrieve historical data via web snapshots.

After downloading and analyzing the extension, we found its directory contained the following JavaScript files: background.js, content.js, jquery-3.6.0.min.js, and jquery-3.5.1.min.js.
During static analysis, we observed that background.js and content.js contained relatively simple code without obvious malicious logic. However, within background.js, we identified a suspicious URL to which the extension sent collected data: https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.

By examining the manifest.json file, we noticed that the background script loaded /jquery/jquery-3.6.0.min.js, while the content script loaded /jquery/jquery-3.5.1.min.js. We therefore focused our analysis on these two jQuery files:

Within jquery/jquery-3.6.0.min.js, we discovered suspicious malicious code. This code collects browser cookies, packages them into JSON format, and sends them to https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.

After completing static analysis, we proceeded to install and debug the extension to more accurately observe its data-exfiltration behavior. (Note: This analysis must be conducted in a clean test environment with no logged-in accounts. Additionally, redirect the malicious endpoint to a controlled server to prevent accidental leakage of sensitive data during testing.)
After installing the malicious extension in our test environment and visiting a site such as google.com, we monitored network requests from the extension’s background script and observed that Google cookies were being transmitted to an external server:

We also observed the exfiltrated cookie data on our Weblog service:

At this point, if attackers obtain user authentication credentials via browser extension cookie hijacking, they can perform wash trades on exchange platforms to steal victims' cryptocurrency assets.
Next, we analyzed the data collection endpoint: https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
Domain involved: aggrtrade-extension[.]com

Analyzing the domain information above:

The .ru TLD suggests a typical Russian-speaking user base, indicating the attackers are likely from Russia or Eastern Europe.
Attack Timeline:
Analyzing the spoofed AGGR website (aggr.trade), aggrtrade-extension[.]com, we discovered the attackers began planning this operation three years ago:


Four months ago, the attackers deployed infrastructure:



According to InMist threat intelligence network data, the attacker's IP is located in Moscow, using a VPS provided by srvape.com, with the email address [email protected].

After successful deployment, the attackers began promoting the extension on Twitter, waiting for victims to install it. The rest, as they say, is history—some users installed the malicious extension and subsequently suffered theft.
Below is the official warning from AggrTrade:

Conclusion
The SlowMist security team reminds all users that the risks associated with browser extensions are nearly as high as running executable files. Always conduct thorough reviews before installing any extension. Be cautious of unsolicited direct messages—hackers and scammers often impersonate legitimate, well-known projects, offering funding or promotion opportunities to target content creators. Finally, when navigating the dark forest of blockchain, maintain constant skepticism. Ensure everything you install is trustworthy, leaving no opportunity for attackers to exploit.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










