McAfee researchers have uncovered a cryptocurrency theft campaign that uses malicious browser extensions to steal digital assets.
The Silent Swap campaign disguises itself as a Google Notes browser extension that silently replaces cryptocurrency wallet addresses during transactions, redirecting funds to attackers.
Key Takeaways about Silent Swap
- Silent Swap disguises itself as a fake Google Notes browser extension that silently replaces cryptocurrency wallet addresses during transactions.
- The malware bypasses Chromium security protections and uses blockchain-based command-and-control infrastructure (EtherHiding) to make detection and takedowns more difficult.
- The malicious extension requests excessive permissions, including access to all websites, clipboard data, and browsing history.
- Because cryptocurrency transactions are generally irreversible, victims may permanently lose funds after a single compromised transaction.
- Installing extensions only from official browser stores, reviewing extension permissions, and verifying wallet addresses before sending cryptocurrency can help reduce the risk of compromise.
How the Silent Swap Browser Extension Steals Cryptocurrency
According to McAfee researchers, Silent Swap is delivered through unsigned installers written in both .NET and Golang.
Once executed, the installer secretly deploys a malicious Chromium extension that appears to be a simple note-taking application.
Although the extension functions as a basic notes utility, its malicious capabilities operate behind the scenes through background scripts.
Rather than displaying suspicious behavior to the user, it quietly monitors clipboard activity and cryptocurrency transactions.
The malware activates when users copy a cryptocurrency wallet address.
Before the address is pasted into a transaction, the extension replaces it with an attacker-controlled wallet.
Because blockchain transactions are generally irreversible, victims may unknowingly transfer funds directly to cybercriminals.
How Silent Swap Evades Detection
McAfee researchers identified several techniques that distinguish this campaign from traditional cryptocurrency clippers.
One notable capability involves manipulating Chromium browser security mechanisms.
Instead of relying on standard browser extension installation methods, the installer modifies protected browser preference files and recalculates integrity verification values.
This allows the malicious extension to appear as though it was legitimately installed.
The researchers noted that newer versions of Chrome and Microsoft Edge require users to enable Developer Mode before the extension can load, providing an additional layer of protection.
However, attackers may attempt to convince victims to enable this setting through social engineering, while users running outdated Chromium-based browsers remain at greater risk.
Another innovation is the campaign’s use of blockchain technology to locate its command-and-control (C2) infrastructure.
Rather than embedding a hardcoded C2 domain inside the malware, the extension queries a public blockchain smart contract to retrieve the active server address at runtime.
This technique, called EtherHiding, allows attackers to rotate their infrastructure by updating blockchain data instead of distributing new malware, making takedown efforts and network-based detection more challenging.
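Because the C2 address is fetched from a smart contract, the network artefact a defender can look for is a chain-state read (typically a JSON-RPC eth_call) issued from a browser extension context rather than from a wallet dapp page. The script below is an added illustration and is not code from McAfee's analysis or from the campaign. It assumes a web proxy that logs, per request, the Origin header, the destination host and the request body as JSON lines, and it assumes that Chromium sets Origin to chrome-extension://<id> on fetches made from an extension's background context; the log lines, RPC host and contract address are constructed placeholders.

```python
import json

# JSON-RPC methods that read chain state. An EtherHiding lookup is a read
# (typically eth_call against a contract); it never needs a signed transaction.
CHAIN_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
# Assumption: requests from extension background contexts carry these origins.
EXTENSION_ORIGINS = ("chrome-extension://", "moz-extension://")


def parse_jsonrpc_requests(body: str) -> list:
    """Return the JSON-RPC request objects found in an HTTP body (single or batch)."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    requests = data if isinstance(data, list) else [data]
    return [r for r in requests if isinstance(r, dict) and "method" in r]


def call_target(request: dict):
    """Extract the contract address an eth_call / eth_getStorageAt is aimed at."""
    params = request.get("params") or []
    if not params:
        return None
    first = params[0]
    return first.get("to") if isinstance(first, dict) else first


def flag_extension_chain_reads(log_lines: list) -> list:
    """Flag chain-state reads whose Origin header belongs to a browser extension.

    A dapp page calling eth_call is normal; a note-taking extension doing so
    is not, and the contract it reads is a pivot for hunting and blocking.
    """
    findings = []
    for line in log_lines:
        event = json.loads(line)
        origin = event.get("origin", "")
        if not origin.startswith(EXTENSION_ORIGINS):
            continue
        for req in parse_jsonrpc_requests(event.get("body", "")):
            if req["method"] in CHAIN_READ_METHODS:
                findings.append({
                    "origin": origin,
                    "host": event.get("host"),
                    "method": req["method"],
                    "contract": call_target(req),
                })
    return findings


# Constructed placeholders: neither address nor host comes from the campaign.
PLACEHOLDER_CONTRACT = "0x" + "0123456789abcdef" * 2 + "01234567"
DAPP_CONTRACT = "0x" + "fedcba9876543210" * 2 + "fedcba98"
EXTENSION_ID = "b" * 32  # 32-char extension id shape, constructed

# Constructed proxy log: a dapp page read (benign), an extension read (flagged)
# and an extension call that reads no contract state (ignored).
SAMPLE_LOG = [
    json.dumps({"origin": "https://dapp.example", "host": "rpc.example",
                "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                    "params": [{"to": DAPP_CONTRACT, "data": "0x"}, "latest"]})}),
    json.dumps({"origin": "chrome-extension://" + EXTENSION_ID, "host": "rpc.example",
                "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                                    "params": [{"to": PLACEHOLDER_CONTRACT, "data": "0x"}, "latest"]})}),
    json.dumps({"origin": "chrome-extension://" + EXTENSION_ID, "host": "rpc.example",
                "body": json.dumps({"jsonrpc": "2.0", "id": 3, "method": "eth_blockNumber",
                                    "params": []})}),
]

if __name__ == "__main__":
    for finding in flag_extension_chain_reads(SAMPLE_LOG):
        print(json.dumps(finding))
```

Rotating the C2 by updating contract state does not change the contract being read, so the contract address in a finding stays useful as a detection key even after the server behind it moves.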
Why the Silent Swap Browser Extension Requests Excessive Permissions
Although the extension presents itself as Google Notes, its requested browser permissions far exceed what a note-taking application should require.
Researchers observed that the extension requested access to all websites visited by the user, read and write access to the clipboard, and permission to access the user’s browsing history.
These permissions enable the malware to monitor copied wallet addresses across virtually every website and silently substitute attacker-controlled addresses during cryptocurrency transactions.
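The permission set described above can be checked mechanically from an extension's manifest.json. The audit below is an added example, not code from McAfee or from the campaign; the permission names (clipboardRead, clipboardWrite, history, <all_urls>) are the real Chrome manifest strings for the capabilities the article lists, while the two sample manifests are constructed for illustration and the risk weighting is an arbitrary choice.

```python
import json

# Permissions the article says Silent Swap requested and that a note-taking
# extension has no legitimate need for (real Chrome manifest permission names).
HIGH_RISK_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history"}
# Match patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_hosts(patterns) -> set:
    """Return the subset of match patterns that cover every website."""
    return {p for p in patterns if p in BROAD_HOST_PATTERNS}


def audit_manifest(manifest: dict) -> dict:
    """Flag risky capabilities in a parsed Chrome/Chromium manifest.json.

    Handles both MV2 (host patterns mixed into "permissions") and MV3
    ("host_permissions" is a separate key). Lists are sorted so the result
    is stable and easy to diff against a baseline.
    """
    perms = set(manifest.get("permissions", []))
    hosts = broad_hosts(manifest.get("host_permissions", [])) | broad_hosts(perms)
    # Content scripts injected into every page are another route to page
    # contents and the clipboard, so their match lists count as well.
    injected = set()
    for script in manifest.get("content_scripts", []):
        injected |= broad_hosts(script.get("matches", []))
    findings = {
        "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        "broad_host_access": sorted(hosts),
        "content_scripts_everywhere": sorted(injected),
    }
    # Arbitrary weighting: site-wide access counts double.
    findings["risk_score"] = (
        len(findings["risky_permissions"])
        + 2 * len(findings["broad_host_access"])
        + 2 * len(findings["content_scripts_everywhere"])
    )
    return findings


# Constructed sample modelled on the permissions the article attributes to the
# fake "Google Notes" extension; not a real manifest from the campaign.
SUSPICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Google Notes",
  "version": "1.0.0",
  "permissions": ["storage", "clipboardRead", "clipboardWrite", "history"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
  "background": {"service_worker": "background.js"}
}""")

# Constructed baseline: what a note-taking extension actually needs.
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Plain Notes",
  "version": "1.0.0",
  "permissions": ["storage"]
}""")

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(manifest["name"], json.dumps(audit_manifest(manifest)))
```

Run over an unpacked extension directory, the same function gives a quick triage of whether the requested capabilities fit the stated purpose; a notes app scoring anything but zero here deserves a closer look before it is allowed to stay installed.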
Silent Swap Uses Persistence and Stealth to Avoid Detection
The researchers also detailed several persistence and evasion mechanisms designed to keep the malware active while minimizing detection.
Instead of creating traditional Windows persistence mechanisms such as registry Run keys or scheduled tasks, the malware embeds itself directly into Chromium’s extension configuration so it automatically loads whenever the browser starts.
The installer also deletes itself after execution, reducing forensic evidence on disk.
Meanwhile, the visible extension continues to appear as a harmless productivity tool, lowering the likelihood that users will investigate its behavior.
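Both the tampering with Chromium's protected preference file described in the evasion section and the persistence-by-configuration described here leave the same trace: an enabled entry under the extensions settings of the profile's Secure Preferences file that was not installed from the store. The audit below is an added example, not McAfee's tooling or code from the campaign. It assumes the Secure Preferences layout extensions.settings.<id> with the fields from_webstore, location, path and state, that location value 1 means a store-installed (INTERNAL) extension, and the default profile paths for Chrome and Edge on Windows; the sample preference file and extension ids are constructed. It deliberately does not touch the integrity values under protection, which are exactly what the installer recalculates.

```python
import json
from pathlib import Path, PurePosixPath, PureWindowsPath

# Default Secure Preferences locations on Windows (Chrome and Edge, Default profile).
SECURE_PREFS_PATHS = [
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Secure Preferences",
    Path.home() / "AppData/Local/Microsoft/Edge/User Data/Default/Secure Preferences",
]

# Assumption: in Chromium's Manifest::Location enum, 1 is INTERNAL, i.e. an
# extension installed from a .crx through the normal store flow. Any other
# value (unpacked, external pref/registry, command line, ...) deserves a look.
LOCATION_INTERNAL = 1
STATE_ENABLED = 1


def is_absolute_path(path: str) -> bool:
    """True for an absolute Windows or POSIX path. Store-installed extensions
    live under the profile's Extensions directory and are recorded with a
    relative path such as "<id>\\<version>_0"."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def sideload_indicators(entry: dict) -> list:
    """Reasons an extensions.settings entry looks sideloaded rather than store-installed."""
    reasons = []
    if not entry.get("from_webstore", False):
        reasons.append("from_webstore is false")
    if entry.get("location") != LOCATION_INTERNAL:
        reasons.append(f"location={entry.get('location')} (not store-installed)")
    if is_absolute_path(entry.get("path", "")):
        reasons.append("path points outside the profile's Extensions directory")
    return reasons


def audit_secure_prefs(prefs: dict, enabled_only: bool = True) -> dict:
    """Map extension id -> list of sideload indicators for suspicious entries."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = {}
    for ext_id, entry in settings.items():
        if enabled_only and entry.get("state") != STATE_ENABLED:
            continue
        reasons = sideload_indicators(entry)
        if reasons:
            findings[ext_id] = reasons
    return findings


def audit_installed_browsers() -> dict:
    """Run the audit over every Secure Preferences file found on this machine."""
    results = {}
    for prefs_path in SECURE_PREFS_PATHS:
        if prefs_path.is_file():
            with prefs_path.open(encoding="utf-8") as fh:
                results[str(prefs_path)] = audit_secure_prefs(json.load(fh))
    return results


# Constructed sample in the Secure Preferences shape: one store-installed
# extension, one enabled sideloaded entry, one disabled sideloaded entry.
SAMPLE_SECURE_PREFS = json.loads(r"""{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true, "location": 1, "state": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\2.3.1_0"
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false, "location": 4, "state": 1,
        "path": "C:\\Users\\user\\AppData\\Local\\GoogleNotes"
      },
      "cccccccccccccccccccccccccccccccc": {
        "from_webstore": false, "location": 4, "state": 0,
        "path": "C:\\Tools\\old-extension"
      }
    }
  },
  "protection": {"macs": {}, "super_mac": "PLACEHOLDER"}
}""")

if __name__ == "__main__":
    print(json.dumps(audit_secure_prefs(SAMPLE_SECURE_PREFS), indent=2))
    print(json.dumps(audit_installed_browsers(), indent=2))
```

Because the malware sets no Run key and no scheduled task, a host triage that only looks at those locations misses it; reading the browser's own extension registry is the check that fits this persistence method, and a sideloaded, enabled extension with a self-deleted installer nearby is the combination worth escalating.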
McAfee’s analysis also found the backend dynamically assigns replacement wallet addresses.
For several major cryptocurrencies — including Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash — the malware consistently maps each victim’s original wallet address to a corresponding attacker-controlled address maintained on the server.
However, Solana addresses were redirected to a single attacker wallet during testing.
Telemetry collected by McAfee indicates infections are globally distributed, with India experiencing the highest observed concentration.
Researchers believe the campaign targets cryptocurrency users opportunistically rather than focusing on a specific geographic region.
How to Protect Yourself from Silent Swap Crypto Malware
McAfee recommends several steps to reduce exposure to browser-based cryptocurrency clippers:
- Verify the first and last several characters of cryptocurrency wallet addresses before approving transactions, preferably using a separate device.
- Install browser extensions only from official browser marketplaces.
- Review extension permissions and remove any that request unnecessary access.
- Avoid running unsigned or cracked software downloaded from untrusted sources.
- Keep browsers and endpoint solutions fully updated.
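The clipboard substitution described in the first section and the first recommendation above (compare the first and last characters of the address) can both be made concrete in code. The example below is added here and is not McAfee's tooling or code from the campaign. It compares the address the user intended to pay, obtained from the recipient's invoice or a separate device, against the one that ended up in the transaction, and labels the network of each with approximate shape-only patterns for the currencies the article names; the patterns, the check length of four characters and all sample addresses are constructed assumptions, and no checksum validation is done.

```python
import re

# Approximate address-format heuristics for the currencies the article names.
# Shape checks only (no checksum validation). Order matters: the Solana
# pattern is broad enough to match several other base58 formats, so it is last.
ADDRESS_FORMATS = [
    ("bitcoin",      re.compile(r"^(bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")),
    ("bitcoin_cash", re.compile(r"^(bitcoincash:)?[qp][a-z0-9]{41}$")),
    ("ethereum",     re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("ripple",       re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("dash",         re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("solana",       re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]


def classify(address: str) -> str:
    """Best-effort network label for an address string, or "unknown"."""
    for name, pattern in ADDRESS_FORMATS:
        if pattern.match(address):
            return name
    return "unknown"


def verify_address(expected: str, actual: str, check_chars: int = 4) -> dict:
    """Compare the intended recipient address with the one in the transaction.

    expected: the address from the invoice or a separate device.
    actual:   the address the wallet is about to send to (e.g. what was pasted).
    check_chars models the manual "first and last few characters" check.
    """
    exact = expected == actual
    prefix_ok = expected[:check_chars] == actual[:check_chars]
    suffix_ok = expected[-check_chars:] == actual[-check_chars:]
    if exact:
        verdict = "ok"
    elif prefix_ok and suffix_ok:
        # Ends agree but the full string does not: the eyeball check alone
        # would have passed, so only a full comparison catches this case.
        verdict = "mismatch_hidden_from_manual_check"
    else:
        # A wholesale replacement, as the article describes, differs at the
        # ends too, so the manual check does catch it.
        verdict = "swapped"
    return {
        "exact_match": exact,
        "prefix_match": prefix_ok,
        "suffix_match": suffix_ok,
        "expected_network": classify(expected),
        "actual_network": classify(actual),
        "verdict": verdict,
    }


# Constructed sample addresses (valid shapes, not real wallets).
INTENDED_ETH = "0x" + "1" * 40
SWAPPED_ETH = "0x" + "2" * 40
INTENDED_BTC = "bc1q" + "a" * 38
INTENDED_SOL = "5" + "A" * 40

if __name__ == "__main__":
    print(verify_address(INTENDED_ETH, SWAPPED_ETH))
    print(verify_address(INTENDED_BTC, INTENDED_BTC))
    print(classify(INTENDED_SOL))
```

The verdicts make the limit of the manual check explicit: a full replacement of the kind Silent Swap performs fails the prefix and suffix comparison and is caught, but a comparison of the whole string against an independently obtained copy is the check that holds in every case.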
Silent Swap demonstrates how attackers are combining trusted software, browser manipulation, and blockchain infrastructure to make cryptocurrency theft harder to detect.