Cybersecurity analysts have uncovered a dangerous Google Chrome extension designed to steal API credentials from users of MEXC, a centralized cryptocurrency exchange operating in more than 170 countries. The extension disguises itself as a legitimate automated trading utility, tricking users into granting access that ultimately compromises their accounts.
The extension, identified as MEXC API Automator with the ID pppdfgkfdemgfknfnhpkibbkabhghhfh, has recorded at least 29 installations and remains available on the Chrome Web Store at the time of disclosure. It was initially published on September 1, 2025, under the developer name “jorjortan142.”
How the Extension Operates
Security researcher Kirill Boychenko from Socket revealed that the extension secretly generates new MEXC API keys within the user’s authenticated browser session. During this process, it enables withdrawal permissions while deliberately hiding this capability from the visible user interface.
Once the API key and secret are created, the extension immediately extracts the credentials and sends them to a Telegram bot controlled by the attacker. This data exfiltration is carried out through an HTTPS POST request to a hardcoded Telegram endpoint.
The Chrome Web Store description claims the tool simplifies the process of connecting trading bots to MEXC by automatically generating API keys with the required permissions. However, this functionality is abused to grant full account control to threat actors without the victim’s knowledge.
Technical Execution Details
The malicious behavior is triggered when the user accesses MEXC’s API management page. The extension injects a single content script named script.js into the active session. It specifically monitors URLs containing the path “/user/openapi,” which corresponds to the API configuration interface.
While enabling withdrawal rights in the background, the extension alters the on-screen indicators to make it appear as if withdrawals are disabled. This visual manipulation prevents users from realizing that full access has been granted.
As long as the stolen API keys remain valid, attackers can execute trades, automate withdrawals, and drain funds from connected wallets. Removing the extension does not immediately mitigate the threat, as previously issued API keys continue to function until revoked manually.
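The behaviour described in this section has two artefacts a defender can check for in an unpacked extension: a content script whose match pattern is scoped to the exchange's API-management path, and a hardcoded Telegram Bot API endpoint in its source. The triage helper below is an added example, not Socket's or MEXC's tooling; the extension ID and the "/user/openapi" path come from the disclosure, while the sample manifest, the exchange hostname and the script contents are constructed.

```python
"""Triage an unpacked Chrome extension for the API-key-theft pattern above.
Hypothetical helper; the only page-sourced values are the ID and the path."""
import json
import re
from pathlib import Path

# Chrome Web Store ID named in the disclosure.
KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}
# URL fragments of API-key management pages; "/user/openapi" is from the
# article. A defender would extend this list for the exchanges they use.
SENSITIVE_PATH_FRAGMENTS = ("/user/openapi",)
TELEGRAM_BOT_API = re.compile(r"https://api\.telegram\.org/bot", re.I)


def triage_extension(ext_id, manifest, scripts):
    """Return a list of findings. manifest: parsed manifest.json;
    scripts: {filename: JavaScript source}."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("extension id is on the known-bad list")
    # A content script scoped to an API-management page is a red flag
    # for a "trading utility" that should never touch key issuance.
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if any(frag in pattern for frag in SENSITIVE_PATH_FRAGMENTS):
                findings.append(f"content script targets API-management page: {pattern}")
    # A hardcoded Telegram Bot API URL is the exfiltration channel described above.
    for name, src in scripts.items():
        if TELEGRAM_BOT_API.search(src):
            findings.append(f"{name} contains a hardcoded Telegram Bot API endpoint")
    return findings


def triage_extension_dir(ext_dir):
    """Scan an on-disk extension, e.g. <profile>/Extensions/<id>/<version>/."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    scripts = {p.name: p.read_text(encoding="utf-8", errors="ignore")
               for p in ext_dir.rglob("*.js")}
    return triage_extension(ext_dir.parent.name, manifest, scripts)


# Constructed sample mirroring the disclosed shape; not the real extension's files.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Trading Helper",
    "content_scripts": [{"matches": ["https://*.example-exchange.test/user/openapi*"],
                         "js": ["script.js"]}],
}
SAMPLE_SCRIPTS = {"script.js": "const endpoint = 'https://api.telegram.org/bot<TOKEN>/sendMessage';"}

if __name__ == "__main__":
    for finding in triage_extension("pppdfgkfdemgfknfnhpkibbkabhghhfh", SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print("FINDING:", finding)
```

Running this against a Chrome profile's Extensions directory flags an extension only; as the text notes, any API keys already issued must still be revoked on the exchange.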
Broader Security Implications
Researchers warn that this attack model represents a growing risk across financial platforms. By abusing trusted browser extensions and authenticated web sessions, attackers can bypass password theft and traditional authentication defenses entirely.
According to Socket, this method can be adapted to other cryptocurrency exchanges, DeFi platforms, broker dashboards, and any web-based service that issues long-lived API tokens within an active session. Future versions of similar threats may include stronger obfuscation techniques, broader permission requests, and support for multiple platforms within a single extension.
Although the identity of the threat actor remains unconfirmed, the developer name “jorjortan142” is linked to an X account promoting a Telegram bot called SwapSushiBot. This bot has also been advertised on TikTok and YouTube, with the associated YouTube channel created on August 17, 2025.