Cybersecurity researchers at McAfee Labs have identified an active malware campaign, named Silent Swap, that targets cryptocurrency users by silently replacing wallet addresses during digital asset transactions. The campaign relies on a malicious browser extension disguised as a legitimate Google Notes utility, which lets attackers redirect cryptocurrency transfers to wallets under their control without immediately alerting victims. According to McAfee Labs, the operation is distributed through unsigned installers written in both .NET and Golang that silently install the fake extension across Chromium-based browsers. Once active, the malware monitors clipboard activity and replaces copied cryptocurrency wallet addresses before users complete their transactions. Because blockchain transactions are generally irreversible, victims who unknowingly send funds to a substituted wallet address face permanent financial loss. Researchers also found similarities between Silent Swap and the previously identified CountLoader campaign, suggesting that the same threat actor may be behind both operations.
The attack begins with an unsigned installer known as BaseZipInstaller, which downloads a ZIP archive containing the malicious browser extension. The installer scans the infected device for Chromium-based browsers including Google Chrome, Microsoft Edge, Brave, and Vivaldi. For every detected browser profile, it forcibly closes the browser and then modifies the protected Secure Preferences and Preferences files to register the extension, bypassing the official browser extension stores entirely. The fake Google Notes extension then requests permissions to access the system clipboard, browsing history, and all website content, giving it broad visibility into user activity. Its primary function is to monitor copied cryptocurrency wallet addresses and silently replace them with attacker-controlled alternatives before a transaction is completed. McAfee said the campaign also employs EtherHiding, a technique that uses a blockchain as a dead drop resolver to retrieve updated command-and-control server information. Rather than distributing new malware whenever their infrastructure changes, the attackers simply update the information stored in a blockchain smart contract, so infected systems automatically connect to the new servers and takedown efforts become harder.
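As an added illustration of the defender's side of the installation described above (not code from McAfee's write-up), the following script audits the `extensions.settings` section of a Chromium Preferences file for entries that were not installed from the Web Store, were loaded unpacked, or combine clipboard permissions with broad page access. The sample JSON is constructed and simplified; key names follow Chromium's preferences layout, the extension IDs and paths are made up, and the unpacked-location value is an assumption.

```python
import json

# Constructed sample modelled on the "extensions.settings" section of a
# Chromium Preferences / Secure Preferences file. The key names follow
# Chromium's layout; the extension IDs, names and paths are made up.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1, "state": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
        "manifest": {"name": "Sample ad blocker",
                     "permissions": ["webRequest", "<all_urls>"]},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\notes_ext",
        "manifest": {"name": "Google Notes",
                     "permissions": ["clipboardRead", "clipboardWrite",
                                     "history", "<all_urls>"]},
    },
}}})

# Permission combination that lets an extension read what the user copies
# and rewrite it on arbitrary pages, as described for the fake Notes add-on.
CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}
BROAD_PERMS = {"<all_urls>", "history", "tabs"}
UNPACKED_LOCATION = 4  # Chromium ManifestLocation::kUnpacked (assumed value)


def audit_extensions(prefs_text):
    """Return [(extension_id, [reason, ...])] for entries worth a second look."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the Web Store")
        if entry.get("location") == UNPACKED_LOCATION:
            reasons.append("loaded unpacked from an arbitrary path")
        perms = set(entry.get("manifest", {}).get("permissions", []))
        if perms & CLIPBOARD_PERMS and perms & BROAD_PERMS:
            reasons.append("clipboard access combined with broad page access")
        if reasons:
            findings.append((ext_id, reasons))
    return findings


if __name__ == "__main__":
    for ext_id, reasons in audit_extensions(SAMPLE_PREFS):
        print(ext_id, "->", "; ".join(reasons))
```

A real audit would read the Preferences and Secure Preferences files from each browser profile on disk and compare every flagged entry against what the user actually installed; this script only inspects the settings section it is given.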
Researchers noted that the campaign uses multiple persistence and evasion techniques designed to avoid detection while keeping the malicious extension active. By recalculating and updating the security verification values that Chromium-based browsers store alongside their protected settings files, the malware convinces the browser that the unauthorized extension was installed legitimately. This lets the extension bypass the normal web store installation requirements and continue loading automatically every time the browser starts. On certain browsers, including Brave and Opera, the malware also attempts to enable developer mode programmatically, and the installer deletes itself after execution to reduce evidence of the initial compromise. Another notable capability is dynamic wallet substitution: intercepted wallet addresses are transmitted to an attacker-controlled backend, which returns a unique replacement address mapped specifically to the victim's original wallet. If communication with the backend fails, the malware falls back to a predefined wallet address embedded in its code, so the substitution continues without interruption. McAfee found that Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash wallet addresses are individually mapped to unique attacker-controlled wallets, whereas all intercepted Solana addresses resolve to a single destination wallet that researchers observed holding a balance of approximately 1,902.45 dollars at the time of analysis. Telemetry collected by McAfee indicates that infections are spread across multiple countries, with the highest concentration of victims in India, followed by the United States, Brazil, Indonesia, and Spain.
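The substitution described above, whether the replacement comes from the backend or from the hard-coded fallback, leaves the same trace: the user copies one address and a different address of the same coin family arrives at the destination. As an added example, not taken from the McAfee report, the script below classifies clipboard strings by the address shapes of the coin families named in the article and flags copy/paste pairs where an address was altered in transit. The event trace and the addresses in it are constructed, and the patterns are shape heuristics rather than checksum validators.

```python
import re

# Rough address-shape patterns for the coin families McAfee lists as targeted.
# These are classification heuristics only (no checksum validation), and SOL
# is checked last because its plain base58 shape overlaps the others.
ADDRESS_PATTERNS = {
    "BTC":  re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "BCH":  re.compile(r"^(bitcoincash:)?[qp][a-z0-9]{41}$"),
    "XRP":  re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "DASH": re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$"),
    "SOL":  re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify(text):
    """Return the coin family an address string looks like, or None."""
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


# Constructed clipboard trace: (sequence, source, text). "copy" is what the
# user placed on the clipboard; "paste" is what the destination field received.
SAMPLE_EVENTS = [
    (1, "copy",  "0x" + "a1" * 20),            # ETH address, pasted unchanged
    (2, "paste", "0x" + "a1" * 20),
    (3, "copy",  "1" + "AbCd" * 8 + "E"),       # BTC-shaped address copied...
    (4, "paste", "1" + "ZyXw" * 8 + "V"),       # ...but a different one pasted
    (5, "copy",  "meeting at 10:30"),           # ordinary text, ignored
    (6, "paste", "meeting at 10:30"),
]


def detect_swaps(events):
    """Pair each copy with the following paste and flag address copies whose
    pasted value differs. Returns [(copy_seq, family, copied, pasted, pasted_family)]."""
    swaps, pending = [], None
    for seq, source, text in events:
        if source == "copy":
            pending = (seq, text)
        elif source == "paste" and pending is not None:
            copy_seq, copied = pending
            family = classify(copied)
            if family is not None and text != copied:
                swaps.append((copy_seq, family, copied, text, classify(text)))
            pending = None
    return swaps


if __name__ == "__main__":
    for copy_seq, family, copied, pasted, _ in detect_swaps(SAMPLE_EVENTS):
        print(f"event {copy_seq}: {family} address {copied} was pasted as {pasted}")
```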
The researchers stated that Silent Swap reflects an evolution in cryptocurrency-focused malware, replacing static attacker infrastructure with server-side wallet mapping and blockchain-based command-and-control mechanisms that are harder to disrupt. Separately, security researchers at Socket disclosed two malicious browser extensions named VPN Go: Free VPN that were available through both the Chrome Web Store and the Mozilla Firefox Add-ons marketplace. Although presented as free virtual private network services, both extensions contained hidden clipboard monitoring capabilities that continuously collected copied information and transmitted it to attacker-controlled infrastructure. Researchers said the malicious behavior extended well beyond cryptocurrency wallet addresses, enabling the theft of passwords, authentication codes, API keys, OAuth tokens, recovery seed phrases, and other sensitive information copied by users. The findings highlight the growing use of browser extensions as a delivery method for credential theft and cryptocurrency fraud, and reinforce the importance of verifying extension publishers, reviewing requested permissions, and installing browser extensions only from trusted and well-established sources.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.