Malicious Chrome Extension Steals MEXC API Keys for Account Takeover
Blog post from Socket
A malicious Chrome extension called MEXC API Automator, identified by Socket's Threat Research Team, was published on the Chrome Web Store by a threat actor using the alias "jorjortan142." Falsely marketed as a tool for automating trading on the MEXC cryptocurrency exchange, the extension creates API keys with withdrawal permissions, hides that permission in the user interface, and exfiltrates the keys to a Telegram bot controlled by the threat actor. Any MEXC account accessed through an infected browser is therefore exposed to unauthorized trades and withdrawals, since the stolen keys give the attacker full programmatic control. Despite being flagged as malware, the extension remains available on the Chrome Web Store.

MEXC, a large centralized cryptocurrency exchange with a global user base, is a high-value target because its API supports automated trading and withdrawals. The extension's code suggests a Russian-speaking developer. The operation uses the Chrome Web Store for delivery, the MEXC web UI as the execution environment, and Telegram for exfiltration. The threat actor appears to be linked to other suspicious cryptocurrency operations under the branding "SwapSushi," which anti-scam communities have flagged.

To mitigate such threats, audit installed browser extensions and remove untrusted ones, manage API keys securely, and monitor accounts for unusual activity.
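The "audit browser extensions" recommendation can be made concrete by reading the manifests Chrome keeps on disk. The script below is an added example written for this summary, not code from Socket's report or from the extension itself: it walks a Chrome `Extensions` directory (`<profile>/Extensions/<id>/<version>/manifest.json`), collects each extension's declared permissions and URL match patterns, and scores extensions that combine broad permissions with access to an exchange domain or to Telegram's API host. The high-risk permission set, the watched-host list, the scoring weights and the two sample manifests are our own choices, constructed here so the script runs offline; only the MEXC domain and the Telegram channel come from the report.

```python
"""Triage Chrome extensions from their on-disk manifests.

Added example, not code from the Socket report. Chrome stores each installed
extension at <profile>/Extensions/<id>/<version>/manifest.json; this walks that
tree and scores manifests by broad permissions and by host access to the
exchange domain you care about.
"""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension run code in pages or read/alter requests and
# cookies. Any of these in an unfamiliar extension deserves a closer look.
# Assumption: this set is our selection, not an official risk taxonomy.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "cookies", "debugger",
}
# Assumption: the reader lists the sites they sign in to; only MEXC's domain is
# taken from the report, and the bare domain form here is our choice.
WATCHED_HOSTS = ("mexc.com",)
# Telegram is the exfiltration channel named in the report.
EXFIL_HOSTS = ("api.telegram.org",)
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def declared_patterns(manifest):
    """Every URL match pattern the manifest declares, for MV2 and MV3 layouts."""
    patterns = [p for p in manifest.get("permissions", [])
                if "://" in p or p in ALL_URL_PATTERNS]
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def pattern_covers(pattern, host):
    """True if a Chrome match pattern can reach `host` (all-URLs, wildcard subdomain or exact)."""
    if pattern in ALL_URL_PATTERNS:
        return True
    netloc = pattern.split("://", 1)[-1].split("/", 1)[0]  # "*://*.mexc.com/*" -> "*.mexc.com"
    if netloc.startswith("*."):
        base = netloc[2:]
        return host == base or host.endswith("." + base)
    return netloc == host


def audit_manifest(manifest):
    """Score one manifest; a higher score means more reason to inspect the extension."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    patterns = declared_patterns(manifest)
    reach = lambda hosts: sorted(h for h in hosts if any(pattern_covers(p, h) for p in patterns))
    finding = {
        "name": manifest.get("name", "?"),  # may be a "__MSG_*__" key resolved from _locales
        "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        "reaches_watched_hosts": reach(WATCHED_HOSTS),
        "reaches_exfil_hosts": reach(EXFIL_HOSTS),
    }
    finding["score"] = (len(finding["risky_permissions"])
                        + 2 * len(finding["reaches_watched_hosts"])
                        + 3 * len(finding["reaches_exfil_hosts"]))
    return finding


def audit_profile(extensions_root):
    """Audit every <id>/<version>/manifest.json under a Chrome Extensions directory."""
    results = []
    for path in Path(extensions_root).glob("*/*/manifest.json"):
        with path.open(encoding="utf-8") as fh:
            finding = audit_manifest(json.load(fh))
        finding["id"] = path.parent.parent.name
        results.append(finding)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests for an offline run. Neither is the real
# extension's manifest, and the IDs are made up.
SAMPLE_MANIFESTS = {
    "aaaaconstructedsuspiciousid00001": {
        "manifest_version": 3, "name": "Constructed Trading Helper", "version": "1.0",
        "permissions": ["scripting", "storage"],
        "host_permissions": ["*://*.mexc.com/*", "https://api.telegram.org/*"],
        "content_scripts": [{"matches": ["*://*.mexc.com/*"], "js": ["inject.js"]}],
    },
    "bbbbconstructedbenignid000000002": {
        "manifest_version": 3, "name": "Constructed Notes", "version": "2.1",
        "permissions": ["storage"],
    },
}


def build_sample_profile(root):
    """Write the constructed manifests in Chrome's directory layout; returns the Extensions dir."""
    ext_dir = Path(root) / "Extensions"
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        version_dir = ext_dir / ext_id / f"{manifest['version']}_0"
        version_dir.mkdir(parents=True, exist_ok=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_dir


if __name__ == "__main__":
    # Point this at a real profile instead, e.g. ~/.config/google-chrome/Default/Extensions
    for r in audit_profile(build_sample_profile(tempfile.mkdtemp())):
        print(f"{r['score']:>2}  {r['id']}  {r['name']}  perms={r['risky_permissions']} "
              f"watched={r['reaches_watched_hosts']} exfil={r['reaches_exfil_hosts']}")
```

Treat the output as a triage list, not a verdict: a manifest only records what an extension declares, so the check should be paired with a review of each exchange API key's permissions in the exchange's own key-management page and with monitoring of account activity, as the report recommends.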