49 add-ons that intercept crypto wallet keys found in the Chrome Web Store

MyCrypto and PhishFort have revealed 49 malicious add-ons in the Chrome Web Store catalog that send keys and passwords from crypto wallets to attackers' servers. The add-ons were distributed through phishing advertisements and presented as implementations of various cryptocurrency wallets. They were based on official wallet code, but included malicious modifications that send private keys, access recovery codes, and key files.

For some add-ons, a positive rating was artificially maintained with the help of fictitious users, and positive reviews were published. Google removed the add-ons from the Chrome Web Store catalog within 24 hours of being notified. Publication of the first malicious add-ons began in February, but peaked in March (34.69%) and April (63.26%).

The creation of all the add-ons is attributed to a single group of attackers, which deployed 14 command and control servers to manage the malicious code and collect the data intercepted by the add-ons. All add-ons used typical malicious code, but the add-ons themselves were disguised as different products, including Ledger (57% of malicious add-ons), MyEtherWallet (22%), Trezor (8%), Electrum (4%), KeepKey (4%), Jaxx (2%), MetaMask and Exodus. During the initial setup of the add-on, the data was sent to an external server, and after some time funds were withdrawn from the wallet.

Source: opennet.ru
