A compromised Chrome extension mimicking Google Lens was used to steal cryptocurrency credentials through fake security alerts.

Chrome Extension Turns Cyber Trap: Google Lens Tool Used To Steal Crypto Credentials

The420 Web Desk

Millions of internet users who rely on their web browsers for daily work and financial transactions have been put on alert after a trusted Chrome extension was found to have turned into a vehicle for cyber theft. The extension, which allowed users to perform on-screen image searches similar to Google Lens, was reportedly compromised and used to steal cryptocurrency wallet credentials and login data.

The issue surfaced when cybersecurity researchers detected suspicious scripts embedded in what had previously been considered a legitimate and safe browser tool. Until mid-February, the extension functioned normally. However, shortly after a change in ownership, a new version was rolled out containing malicious code. Following the update, users began receiving fake “Google Update” and “Security Alert” prompts urging them to take immediate action.

According to a detailed report by BleepingComputer, the attack relied on a technique known as “ClickFix.” Once a user clicked on the fraudulent alert, hidden code executed in the background. This enabled attackers to access stored browser logins, cryptocurrency wallet addresses and other sensitive information without the user’s knowledge.

Researchers noted that the compromised update introduced remote code execution capabilities. The malicious functionality reportedly used an image pixel onload trick, allowing attackers to run commands on affected systems remotely. Such methods are increasingly being deployed in sophisticated browser-based attacks where the victim remains unaware of any immediate breach.

Security analysts have described the incident as a textbook example of a supply chain attack. In such cases, a trusted application or extension is acquired by a new owner who then exploits the existing user base. Because Chrome extensions update automatically, the infected version was silently distributed to all users who had the tool installed. Estimates suggest that around 7,000 users were actively using the extension at the time of the breach.

Following public disclosure, Google removed the compromised extension from the Chrome Web Store. The company also appears to have automatically disabled the extension within users’ browsers to prevent further exploitation. While this move may limit ongoing risks, experts caution that users who interacted with the fake alerts during the active attack window could still face potential data exposure.

This is not the first time cryptocurrency users have been targeted through browser extensions. In a previous case, Trust Wallet confirmed that its official Chrome extension had been compromised, resulting in significant digital asset losses. Such repeated incidents highlight how browser add-ons are becoming an increasingly attractive target for cybercriminals seeking financial gain.

Cybersecurity professionals advise users to install only essential extensions and to regularly review permissions granted to them. Any unexpected permission changes, unusual behavior, or prompts urging immediate updates through pop-ups should be treated with caution. Updates should always be performed through official web stores or verified websites rather than by clicking unsolicited alerts.
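One way to act on the advice to watch for unexpected permission changes is to compare an extension's manifest.json before and after an update. The script below is an added example, not code from the report or from any vendor; the two manifests are constructed samples, and the HIGH_RISK shortlist is an assumption rather than an official Chrome ranking.

```python
import json

# Grants that give an extension broad reach into pages, sessions or the host.
# This shortlist is an assumption for illustration, not an official Chrome ranking.
HIGH_RISK = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "scripting",
             "cookies", "webRequest", "clipboardRead", "nativeMessaging", "debugger"}
GRANT_KEYS = ("permissions", "host_permissions", "optional_permissions",
              "optional_host_permissions")

def granted(manifest):
    """Collect API permissions, host patterns and content-script match patterns."""
    grants = set()
    for key in GRANT_KEYS:
        grants.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        grants.update("content_script:" + m for m in script.get("matches", []))
    return grants

def diff_permissions(old, new):
    """Return what an update added or dropped, and which additions are broad."""
    before, after = granted(old), granted(new)
    added = after - before
    risky = {p for p in added if p.split("content_script:", 1)[-1] in HIGH_RISK}
    return {"added": sorted(added), "removed": sorted(before - after),
            "high_risk_added": sorted(risky)}

# Constructed sample manifests (not taken from the extension in the article).
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Image Search", "version": "1.4.0",
  "permissions": ["activeTab", "contextMenus"]
}""")
NEW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Image Search", "version": "1.5.0",
  "permissions": ["activeTab", "storage", "scripting", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    report = diff_permissions(OLD_MANIFEST, NEW_MANIFEST)
    for section, items in report.items():
        print(f"{section}: {', '.join(items) or '-'}")
```

A permission diff only catches updates that widen access; an update that abuses permissions the extension already held will not show up here, so it complements rather than replaces reviewing which extensions are installed at all.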

As digital tools continue to simplify online activity, the risks associated with them are evolving just as rapidly. The transformation of a simple search utility into a credential-stealing platform serves as a reminder that vigilance remains the most effective defense in an interconnected world.
