

Malicious Chrome Extension Steals MEXC API Keys by Masquerading as Trading Tool
Published:
13 January 2026 at 17:22:00
Alert date:
13 January 2026 at 18:02:00
Source:
thehackernews.com
Web Technologies, Ransomware & Malware, Data Breach & Exfiltration
Cybersecurity researchers discovered a malicious Google Chrome extension named MEXC API Automator that steals API keys from MEXC cryptocurrency exchange users. The extension masquerades as a legitimate trading automation tool while secretly harvesting sensitive API credentials. Despite having only 29 downloads, the extension remains available on the Chrome Web Store. The malware targets users of MEXC, a centralized cryptocurrency exchange operating in over 170 countries. This represents a significant threat to cryptocurrency traders who use browser extensions for trading automation.
Technical details
The malicious Chrome extension MEXC API Automator operates by injecting a content script (script.js) when users navigate to MEXC's API management page (URL containing '/user/openapi'). The extension programmatically creates new API keys, enables withdrawal permissions while hiding this in the UI to deceive users, and exfiltrates the Access Key and Secret Key to a hardcoded Telegram bot via an HTTPS POST request. Because the attack runs inside an already authenticated browser session, it bypasses password and other authentication protections.
Mitigation steps:
Users should immediately check for and remove the MEXC API Automator extension from the Chrome browser, revoke any API keys that may have been compromised, review MEXC account activity for unauthorized trades or withdrawals, and avoid installing browser extensions for cryptocurrency trading from unverified sources.
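As an added example (not code from the alert, from MEXC or from the extension), the following Python script supports the first mitigation step above: it scans a Chrome profile's Extensions directory for the extension ID listed in this alert and, more generally, for the behaviour pattern the technical details describe, a content script scoped to MEXC pages combined with script code that references the API-management path or a Telegram bot endpoint. The known-bad ID is the one from the alert; the regexes, the risk levels and the directory layout assumptions are heuristics added here.

```python
import json
import os
import re

# The extension ID comes from the alert. The regexes are heuristics added for
# this example (assumptions) that match the behaviour the alert describes.
KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}
SUSPICIOUS_PATTERNS = {
    "mexc_api_page": re.compile(r"/user/openapi"),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
    "withdraw_permission": re.compile(r"withdraw", re.IGNORECASE),
}


def analyze_extension(ext_id, manifest, scripts):
    """Return (risk, findings); risk is 'known_bad', 'high', 'medium' or 'none'."""
    findings, hits = [], set()
    for cs in manifest.get("content_scripts", []):
        for match in cs.get("matches", []):
            if "mexc" in match.lower():  # content script scoped to the exchange
                hits.add("mexc_content_script")
                findings.append(f"content script scoped to MEXC: {match}")
    for name, src in scripts.items():
        for label, rx in SUSPICIOUS_PATTERNS.items():
            if rx.search(src):
                hits.add(label)
                findings.append(f"{name}: matches {label}")
    # Exchange targeting plus a Telegram bot endpoint is the alert's exfiltration pattern.
    exfil = "telegram_bot_api" in hits and hits & {"mexc_content_script", "mexc_api_page"}
    risk = "known_bad" if ext_id in KNOWN_BAD_IDS else "high" if exfil else "medium" if hits else "none"
    return risk, findings


def scan_chrome_extensions(extensions_root):
    """Analyze every <extensions_root>/<id>/<version>/manifest.json (Chrome profile layout)."""
    report = {}
    for root, _, files in os.walk(extensions_root):
        if "manifest.json" not in files:
            continue
        ext_id = os.path.relpath(root, extensions_root).split(os.sep)[0]
        with open(os.path.join(root, "manifest.json"), encoding="utf-8-sig") as fh:
            manifest = json.load(fh)
        scripts = {}
        for sub, _, fns in os.walk(root):
            for fn in (f for f in fns if f.endswith(".js")):
                with open(os.path.join(sub, fn), encoding="utf-8", errors="ignore") as fh:
                    scripts[os.path.relpath(os.path.join(sub, fn), root)] = fh.read()
        report[os.path.relpath(root, extensions_root)] = analyze_extension(ext_id, manifest, scripts)
    return report
```

Typical Extensions roots are ~/.config/google-chrome/Default/Extensions on Linux, ~/Library/Application Support/Google/Chrome/Default/Extensions on macOS and %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows.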
Affected products:
Google Chrome browser
MEXC cryptocurrency exchange
Chrome extension: MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh)
Related links:
https://www.mexc.co/en-IN/learn/article/mexc-restricted-countries-complete-list-of-prohibited-limited-regions/1
https://www.mexc.co/en-IN/user/openapi
https://x.com/jorjortan142
https://www.tiktok.com/@swapsushi
https://www.youtube.com/channel/UCJkCI3-1_pr_A8jcMn4G8aw
Related CVEs:
Related threat actors:
IOCs:
Chrome extension ID: pppdfgkfdemgfknfnhpkibbkabhghhfh
Extension name: MEXC API Automator
Developer: jorjortan142
Script filename: script.js
URL pattern check: /user/openapi
Telegram bot: SwapSushiBot
X handle: @jorjortan142
TikTok account: @swapsushi
YouTube channel: UCJkCI3-1_pr_A8jcMn4G8aw
This article was created with the assistance of AI technology by Perceptive.

