Malicious Chrome Extension Steals MEXC API Keys by Masquerading as Trading Tool

Brownie2019

Mar 9, 2019
Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that's capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries, while masquerading as a tool to automate trading on the platform.

The extension, named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), has 29 downloads and is still available on the Chrome Web Store as of writing. It was first published on September 1, 2025, by a developer named "jorjortan142."

"The extension programmatically creates new MEXC API keys, enables withdrawal permissions, hides that permission in the user interface (UI), and exfiltrates the resulting API key and secret to a hardcoded Telegram bot controlled by the threat actor," Socket security researcher Kirill Boychenko said in an analysis.
This is a good example of why “trading helper” browser extensions are high-risk: if an extension can act inside an already-authenticated exchange session, it can steal or create long-lived API credentials without ever needing your password or MFA.

What the reports say (and why it matters)
  • The extension is called “MEXC API Automator” (extension ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) and was reported on January 13, 2026 as stealing newly created MEXC API keys and exfiltrating them to an attacker-controlled Telegram bot. ([thehackernews.com](https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html?utm_source=openai))
  • The Chrome Web Store listing shows version 1.0, updated September 1, 2025, offered by “jorjortan142,” and it explicitly claims it creates API keys including withdrawals. ([chromewebstore.google.com](https://chromewebstore.google.com/detail/mexc-api-automator/pppdfgkfdemgfknfnhpkibbkabhghhfh?utm_source=openai))
  • Key point: uninstalling the extension is not enough if API keys were already created/stolen; the attacker can keep using the API keys until they are revoked. ([thehackernews.com](https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html?utm_source=openai))

Immediate actions if anyone installed it (treat keys as compromised)
  • Revoke/delete ALL MEXC API keys immediately (especially any created recently / unknown keys). Create new keys only after cleanup.
  • Ensure any new API keys have minimum permissions (ideally trading only; avoid “withdrawal” permission entirely).
  • Change the MEXC account password and log out other sessions (if the exchange provides a “log out all devices” option).
  • Review account activity: trades, withdrawal history, address book/whitelists, and any security setting changes.
  • If withdrawals are supported: enable withdrawal allowlisting/whitelisting and any additional withdrawal protections offered by MEXC.
  • Remove the extension from Chrome on all synced devices and review other installed extensions for anything exchange/crypto-related that you don’t fully trust.

Browser/device cleanup (low risk, practical)
  • Chrome: remove the extension via chrome://extensions and verify it’s gone after browser restart.
  • Check other Chrome profiles (and other Chromium browsers) on the same machine.
  • Run a full scan with a reputable AV and a second-opinion scanner. (This is still worth doing even if the initial access vector was “only” an extension.)

How to help get it taken down
  • Use the Chrome Web Store listing’s reporting/flagging option (“Flag concern” / report abuse) and report it to Google. ([chromewebstore.google.com](https://chromewebstore.google.com/detail/mexc-api-automator/pppdfgkfdemgfknfnhpkibbkabhghhfh?utm_source=openai))
  • Report to MEXC support as well (include the extension name + ID) so they can look for abuse patterns and advise affected users.
  • If you see posts/videos promoting it, report those too (they’re often the distribution channel for low-download targeted scams).

Recommendation / Remediation
If you or anyone in your organization has installed this extension, immediate action is required to prevent fund theft.

Critical: Revoke API Keys
  • Log in to MEXC immediately.
  • Navigate to the API Management page.
  • Delete ALL existing API keys, even those you believe you created yourself. The attacker may have created keys that look legitimate or modified existing ones.

Remove the Extension
  • Type chrome://extensions in your address bar.
  • Locate "MEXC API Automator" or any extension by "jorjortan142".
  • Click Remove.

Audit Account Activity
  • Check your withdrawal history for any unauthorized transactions.
  • Check active login sessions and terminate any unrecognized devices.

Credential Hygiene
While this attack leverages API keys, it is standard procedure to rotate your account password and ensure 2FA is active and secured (preferably via Hardware Key or Authenticator App, not SMS).

Sources: The Hacker News / Socket Security
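The post above tells you to remove the extension from every Chrome profile and every Chromium-based browser on the machine, and to review other extensions that can act inside an exchange session. As an added example (not code from the forum post, from Socket, or from MEXC), the Python script below does that check on disk: it walks each profile's Extensions folder under the common Chromium-family user-data directories, flags the extension ID named in the report, and also flags any other extension whose manifest lets it run on mexc.com pages (or on every site). The extension ID is the one from the thread; the user-data paths, the `WATCH_DOMAINS` list and all function names are this example's own assumptions.

```python
"""Added example (not code from the forum post, Socket, or MEXC): find a known
malicious extension ID, and any extension able to run inside exchange pages,
across every profile of the Chromium-family browsers on this machine."""
import json
import os
import sys
from pathlib import Path

# Extension ID from the report. The browser user-data paths further down are
# common defaults and an assumption of this example.
KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}   # "MEXC API Automator"
WATCH_DOMAINS = ("mexc.com",)                          # exchange domains to look for
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def default_user_data_dirs():
    """Return the Chromium-family user-data directories that exist on this host."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        candidates = [base / "Google/Chrome/User Data",
                      base / "Microsoft/Edge/User Data",
                      base / "BraveSoftware/Brave-Browser/User Data"]
    elif sys.platform == "darwin":
        base = home / "Library/Application Support"
        candidates = [base / "Google/Chrome", base / "Microsoft Edge",
                      base / "BraveSoftware/Brave-Browser"]
    else:
        base = home / ".config"
        candidates = [base / "google-chrome", base / "chromium",
                      base / "BraveSoftware/Brave-Browser"]
    return [p for p in candidates if p.is_dir()]


def manifest_url_patterns(manifest):
    """Collect every match pattern that lets the extension run in, or reach, a site."""
    patterns = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        values = manifest.get(key, [])
        if isinstance(values, list):
            patterns += [p for p in values
                         if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    scripts = manifest.get("content_scripts", [])
    if isinstance(scripts, list):
        for cs in scripts:
            if isinstance(cs, dict):
                patterns += [m for m in cs.get("matches", []) if isinstance(m, str)]
    return patterns


def classify(ext_id, manifest):
    """Return the reasons an install deserves attention, or an empty list."""
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append("known malicious extension ID")
    patterns = manifest_url_patterns(manifest)
    exchange_hits = sorted({p for p in patterns if any(d in p for d in WATCH_DOMAINS)})
    if exchange_hits:
        reasons.append("targets exchange pages: " + ", ".join(exchange_hits))
    elif any(p in BROAD_PATTERNS for p in patterns):
        reasons.append("broad host access (review)")  # can run on exchange pages too
    return reasons


def scan_user_data_dir(user_data_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json under one user-data dir."""
    findings = []
    for ext_root in sorted(Path(user_data_dir).glob("*/Extensions")):
        if not ext_root.is_dir():
            continue
        profile = ext_root.parent.name
        for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
            for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
                try:
                    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    continue  # unreadable or not JSON: skip rather than abort the scan
                if not isinstance(manifest, dict):
                    continue
                reasons = classify(ext_dir.name, manifest)
                if reasons:
                    findings.append({"profile": profile, "id": ext_dir.name,
                                     "name": manifest.get("name", "?"),
                                     "version": manifest_path.parent.name,
                                     "reasons": reasons})
    return findings


if __name__ == "__main__":
    total = 0
    for udd in default_user_data_dirs():
        for f in scan_user_data_dir(udd):
            total += 1
            print(f"[{udd}] profile={f['profile']} id={f['id']} name={f['name']!r} "
                  f"v={f['version']}: {'; '.join(f['reasons'])}")
    print(f"{total} extension install(s) need review." if total else "Nothing flagged.")
```

A hit in any profile, on any device that syncs extensions, means the API keys should be treated as already compromised and revoked at the exchange; the scan only shows where the extension is installed, it cannot tell whether keys were already sent out. The "broad host access" entries are a review list, not verdicts: many legitimate extensions request all sites, but each of them can act inside an authenticated exchange tab.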
The malware developer has this cheeky privacy policy hosted in a Google doc:
Privacy Policy for MEXC API Automator

MEXC API Automator collects API keys generated on the MEXC platform and sends them to a designated Telegram channel for use in a trading bot. No data is stored, processed, or shared with third parties. You are responsible for the security of your Telegram channel. The extension operates solely on the Crypto Trading Platform | Buy Bitcoin, Ethereum, Altcoin, DeFi, Kickstarter | MEXC page.