A Trojan Version of Mega Chrome Extension Carts Away User’s Monero (XMR) and Ethereum (ETH)

A trojan version of Mega Chrome extension carts away Monero (XMR) and Ethereum (ETH) cryptocurrencies of its users by obtaining wallet details along with other personal information.

Mega Chrome Extension Breach

Recently, Monero notified its users through its official Twitter handle communicating across to the cryptocurrency community of a breach of a browser extension, the mega chrome extension. The tweet states that the extension is compromised as it includes functionality to steal Monero.
After the tweet, numerous tweets followed on the malicious extension and the danger of using the chrome extension that originally helps to reduce the page loading time and serve as a cloud storage service.
While the issue was raging in the cryptocurrency ecosystem, Mega release an official release on the details and the precautions to be taken by the members of the community.

The Malicious Extension

According to the developers of said extension, they stated that on the September 4th at 14:30 UTC, an attacker uploaded a Trojan version of the Mega Chrome Extension, version 3.39.4 to the Google Chrome web store after they were able to gain access to the official account.
Once this version is downloaded, or auto updated it requests for permissions that the original version of the extension do not request for. If the user grants the permission, it obtains information on platforms such as,,, and also access information to,, and HTTP POST requests to other sites, all taken to a server located in Ukraine.
Information obtained from the and is used to access the wallet of the user, and the crypto is carted away.
Notably, four hours later after the attacker perpetrated the act, Mega updated the app with a clean version (3.39.5), and Google removes the malicious app from it store after 5 hours.
The developers noted in its official blog post on the issue that the extension users only get affected if they installed or update the mega chrome extension at the time of the incident. So also if users visit any site or use another extension that sends plain text credentials through a background XMLHttpRequest process while the trojan version was active, such user’s data is already compromised.
Furthermore, the developers apologised to the community of users as investigation are underway on the cause of the breach of its system.
Meanwhile, cryptocurrency hacking has become a trend in the cryptocurrency space through malicious apps, extension and many more. The cryptocurrency ecosystem needs to be wary of its growth, and different groups have been on the race of putting the menace to a stop.