- McAfee Flags “Silent Swap,” a Malicious Chromium Extension Disguised as Google Notes That Secretly Hijacks Crypto Transactions
- It acts as a clipboard, swapping copied wallet addresses with attacker-controlled ones, so victims unwittingly send money to criminals
- Researchers advise to always cross-check the entire wallet strings before sending, as attackers can create similar addresses that differ by only a few characters
Researchers have found yet another extension for Chromium-based browsers designed solely to steal people’s hard-earned cryptocurrency.
A report from McAfee has sounded the alarm about Silent Swap, a piece of malware hiding inside a benign Google Notes extension.
Victims who stumble across and download it (most likely through phishing, social engineering, or shady forums and websites) will get an extension that on the surface works as intended. It shows a small window where the victim can write a note and save it. They can color code the notes and search through saved ones. However, this was only done to hide the program’s true intentions, which is to steal cryptocurrency.
Hijacking the clipboard
Silent Swap works like a typical clipboard. It monitors the clipboard for strings that look like a crypto wallet – seemingly random strings of 26 to 42 alphanumeric characters.
When it detects one, it replaces it with another belonging to the attacker, so when the victim inserts the address into the wallet to send the money, they actually send it to the address belonging to the attackers.
This works because crypto wallets are nearly impossible to remember and too risky to write from a piece of paper or other document, forcing users to rely on copy and paste.
Once the victim sends the money, it is almost certainly gone irretrievably. Only if the funds are sent from a centralized exchange (such as Coinbase) and if the victim detects the attack quickly enough, they can ask the exchange’s support to freeze the transaction. In all other cases, once the money is sent, it is gone.
The best way to defend against these attacks is to cross-reference the strings before pressing send. Some people would check only the first and last few characters, but security researchers do not recommend this because some clipboards can generate addresses that differ by only a few characters.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



