A malicious Chrome extension steals newly created MEXC API keys, exfiltrates them to Telegram, and enables full account takeover with trading and withdrawal rig…
Published:
12 January 2026 at 21:34:54
Alert date:
12 January 2026 at 23:02:09
Source:
socket.dev
Web Technologies, Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration
Socket's Threat Research Team identified a malicious Chrome extension called 'MEXC API Automator' that steals API keys from the MEXC cryptocurrency exchange. The extension, published by threat actor 'jorjortan142', automates API key creation while secretly enabling withdrawal permissions and hiding this from users. It exfiltrates stolen API keys and secrets to a hardcoded Telegram bot, giving attackers full account control including trading and withdrawal capabilities. The extension remains active on Chrome Web Store and targets multiple languages to reach a global victim base.
Technical details
The MEXC API Automator Chrome extension operates by injecting a malicious script into MEXC's API management page (*://mexc.com/user/openapi*). When users visit this page, the extension automatically:
1) Programmatically selects all available permission checkboxes, including withdrawal permissions,
2) Creates new API keys with full permissions,
3) Uses CSS manipulation and DOM monitoring to hide the withdrawal permission checkbox from the UI while keeping it enabled server-side,
4) Extracts API keys and secrets from the success modal after creation,
5) Exfiltrates credentials via HTTPS POST requests to a hardcoded Telegram bot (7534112291:AAF46jJWWo95XsRWkzcPevHW7XNo6cqKG9I) at chat ID 6526634583.
The extension includes multi-language support and uses mutation observers to maintain the deceptive UI state.
Mitigation steps:
1) Immediately remove the MEXC API Automator extension from all browsers,
2) Audit and remove any untrusted browser extensions that manage API keys or automate trading,
3) Revoke any API keys created while the extension was installed,
4) Review MEXC account logs for suspicious trading or withdrawal activity,
5) Implement centrally managed browser policies and extension allowlists,
6) Store API keys in dedicated secret management systems,
7) Rotate API keys regularly and monitor for anomalous activity,
8) Use Socket's Chrome extension protection to inventory and monitor browser extensions,
9) Treat browser extensions as part of the software supply chain inventory.
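As an added example (not code from the alert, from Socket, or from the extension itself), the following Python scanner applies the technical details above and mitigation step 2 to unpacked extension directories: it flags an extension whose content script is declared for the MEXC API-management path and whose source either embeds a Telegram Bot API URL with a token or pairs a MutationObserver with withdrawal-related UI handling. The fixture extension, its placeholder token and the function names are constructed for this demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Shape of a Telegram Bot API URL with an embedded token (digits ':' token), the exfiltration channel in the alert.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]{30,}")
# Page paths a content script has no business injecting into (the MEXC API-management page from the alert).
SENSITIVE_PATHS = ("/user/openapi",)
def scan_extension(ext_dir: Path) -> dict:
    """Inspect one unpacked extension: manifest match patterns plus the source of its content scripts."""
    findings = {"id": ext_dir.name, "sensitive_matches": [], "telegram_exfil": [], "ui_tamper": []}
    manifest_path = ext_dir / "manifest.json"
    if not manifest_path.is_file():
        return findings
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    scripts = []
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if any(path in pattern for path in SENSITIVE_PATHS):
                findings["sensitive_matches"].append(pattern)
        scripts.extend(cs.get("js", []))
    for rel in scripts:
        src_path = ext_dir / rel
        if not src_path.is_file():
            continue
        src = src_path.read_text(encoding="utf-8", errors="replace")
        findings["telegram_exfil"].extend(TELEGRAM_BOT_RE.findall(src))
        # A MutationObserver next to withdrawal-related strings matches the hide-the-checkbox trick described above.
        if "MutationObserver" in src and "withdraw" in src.lower():
            findings["ui_tamper"].append(rel)
    return findings

def is_suspicious(findings: dict) -> bool:
    """Flag only the combination: injects into the API-key page AND exfiltrates or tampers with its UI."""
    return bool(findings["sensitive_matches"]) and bool(findings["telegram_exfil"] or findings["ui_tamper"])
# Constructed fixture (placeholder token, not the real extension's files) so the scanner runs offline.
FIXTURE_MANIFEST = {"manifest_version": 3, "name": "fixture", "content_scripts": [
    {"matches": ["*://mexc.com/user/openapi*"], "js": ["script.js"]}]}
FIXTURE_SCRIPT = ("// constructed fixture, not functional code\n"
                  "const watcher = new MutationObserver(() => {});\n"
                  "const report = 'https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN_0000000000000000/sendMessage';\n"
                  "const target = 'withdraw';\n")
def demo() -> dict:
    # Write the fixture into a fresh temporary directory and scan it like any unpacked extension.
    root = Path(tempfile.mkdtemp()) / "fixture_extension"
    root.mkdir()
    (root / "manifest.json").write_text(json.dumps(FIXTURE_MANIFEST), encoding="utf-8")
    (root / "script.js").write_text(FIXTURE_SCRIPT, encoding="utf-8")
    return scan_extension(root)
```

Point `scan_extension` at each subdirectory of a profile's Extensions folder to inventory installed extensions; a hit on `is_suspicious` is a prompt to revoke keys created while that extension was installed (step 3), not proof of compromise on its own.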
Affected products:
Chrome Browser (extensions)
MEXC Cryptocurrency Exchange
Google Chrome Web Store
Related links:
https://socket.dev/chrome/package/pppdfgkfdemgfknfnhpkibbkabhghhfh
https://chromewebstore.google.com/detail/mexc-api-automator/pppdfgkfdemgfknfnhpkibbkabhghhfh
https://socket.dev/chrome/package/pppdfgkfdemgfknfnhpkibbkabhghhfh/files/1.0/script.js
https://socket.dev/chrome/package/pppdfgkfdemgfknfnhpkibbkabhghhfh/files/1.0/script.js#L45
https://socket.dev/chrome/package/pppdfgkfdemgfknfnhpkibbkabhghhfh/files/1.0/script.js#L318
https://socket.dev/chrome/package/pppdfgkfdemgfknfnhpkibbkabhghhfh/files/1.0/manifest.json#L18
https://socket.dev/chrome/package/pppdfgkfdemgfknfnhpkibbkabhghhfh/files/1.0/script.js#L123
https://x.com/jorjortan142
https://socket.dev/blog/socket-now-protects-the-chrome-extension-ecosystem
Related CVEs:
Related threat actors:
IOCs:
Chrome Extension ID: pppdfgkfdemgfknfnhpkibbkabhghhfh
Chrome Extension Name: MEXC API Automator
Email: jorjortan142@gmail.com
Telegram Bot Token: 7534112291:AAF46jJWWo95XsRWkzcPevHW7XNo6cqKG9I
Telegram Chat ID: 6526634583
Domain: swapsushi.net
Telegram Bot: t.me/swapsushibot
Twitter/X Account: @jorjortan142
YouTube Channel: UC22QT_xOrH9PWhORCkjGI_A
This article was created with the assistance of AI technology by Perceptive.