Ethical Hacking News
The Silent Swap Crypto Clipper campaign is a detailed example of how cryptocurrency theft is evolving in its tactics, tools, and techniques. The operation folds a public blockchain into its command-and-control infrastructure and takes deliberate steps to evade detection while targeting victims worldwide.
The Silent Swap campaign is a cryptocurrency theft campaign using a stealthy browser extension. The extension, masquerading as 'Google Notes', is delivered through unsigned installers that scan for Chromium-based browsers and inject the malicious extension. The primary goal of the extension is to intercept and manipulate wallet addresses copied into the system clipboard. The attackers use an advanced technique called EtherHiding to utilize the blockchain as a dead drop resolver for retrieving C2 server details. The campaign uses social engineering tactics, including phishing email attachments or game cracks, to distribute the malicious file. The extension bypasses browser security verification by recalculating and updating the protected security values after tampering with protected files. Persistence is established through registering the extension in the browser's Secure Preferences file so that it loads on subsequent browser launches without needing an additional mechanism.
In recent days, cybersecurity researchers at McAfee Labs have been monitoring an active browser extension campaign designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction. The campaign, dubbed "Silent Swap", has garnered significant attention due to its sophisticated and layered approach to cryptocurrency theft.
According to the report, the Silent Swap campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a benign 'Google Notes' utility. These installers retrieve a ZIP archive containing the malicious browser extension and then scan the system for Chromium-based browsers.
For each detected profile in those browsers, the malicious installer forcibly terminates the browser process and injects the extension by modifying the Secure Preferences and Preferences files. The primary goal of this malicious extension is to act as a clipper capable of intercepting and manipulating wallet addresses copied into the system clipboard with the aim of rerouting funds to an attacker-controlled wallet.
To realize its goals, the bogus Google Notes extension requests users to grant it permissions to access the clipboard, all URLs, and the browsing history. Given that most transactions on the blockchain are irreversible, an address swap can result in permanent financial loss. The malicious campaign overlaps with a prior CountLoader campaign delivered by the same threat actor, suggesting a coordinated and well-organized operation.
McAfee Labs stated that the initial access mechanism for this campaign involves victims running a malicious file that launches CountLoader, which then fetches and installs additional payloads – in this case, a rogue browser extension. While researchers did not conclusively identify the primary distribution method behind this campaign, evidence suggests it may involve phishing email attachments, game cracks, or similar social engineering tactics.
What makes Silent Swap stand apart is its use of an advanced technique called EtherHiding to utilize the blockchain as a dead drop resolver for retrieving active command-and-control (C2) server details. This allows attackers to trivially update a smart contract value to point to new domains instead of redeploying malware, significantly enhancing their ability to adapt and evade detection.
The second aspect revolves around the covert installation of the browser extension on Chromium-based browsers – including Google Chrome, Microsoft Edge, Brave, and Vivaldi – by modifying protected browser settings files. This attack relies on enabling the developer mode for newer versions of these browsers through social engineering tactics.
In normal circumstances, these browsers store security verification data alongside sensitive settings to detect unauthorized changes. However, the malicious extension recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately. This allows the extension to bypass the normal extension web store installation process and load silently without user approval.
McAfee Labs characterizes the campaign as deliberate and layered. Persistence is established by registering the extension in the browser's Secure Preferences file so that it loads on subsequent browser launches without needing an additional mechanism. Additionally, dynamic wallet substitution allows the extension to fetch replacement addresses for victim addresses by sending intercepted addresses to attacker-controlled backend servers.
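One defensive check that follows from the persistence mechanism above is to inspect each Chromium profile's 'Secure Preferences' (or 'Preferences') file for extensions that were sideloaded rather than installed from the Web Store and that declare the clipboard, history and all-URL access the report describes. The scanner below is an added example written for this article, not code from McAfee Labs or from the campaign. It assumes the JSON layout Chromium uses for extension entries (`extensions.settings.<id>` with `from_webstore`, `location` and an embedded `manifest`), the ManifestLocation values 1 (internal) and 4 (unpacked), and a constructed sample file; the extension IDs and the install path in the sample are placeholders.

```python
import json
from typing import Dict, List, Tuple

# Chromium ManifestLocation values used here (a fact about Chromium, not
# something the article states).
LOCATION_INTERNAL = 1   # installed from the Chrome Web Store / a .crx
LOCATION_UNPACKED = 4   # "Load unpacked" in developer mode

# The capabilities the report says the fake 'Google Notes' extension asks for.
RISKY_API_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history"}
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

Finding = Tuple[str, str, List[str]]  # (extension id, display name, reasons)


def scan_extension_settings(prefs: Dict) -> List[Finding]:
    """Flag extensions that are both sideloaded (not from the Web Store, or
    loaded unpacked) and granted clipboard/history/all-URL access."""
    findings: List[Finding] = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "<unknown>")

        sideload_reasons = []
        if entry.get("from_webstore") is False:
            sideload_reasons.append("not installed from the Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            sideload_reasons.append("loaded unpacked (developer mode)")

        # MV2 keeps host patterns in "permissions"; MV3 moves them to
        # "host_permissions", so both lists are merged before checking.
        declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        privilege_reasons = []
        risky = sorted(RISKY_API_PERMISSIONS & declared)
        if risky:
            privilege_reasons.append("requests " + ", ".join(risky))
        if ALL_URL_PATTERNS & declared:
            privilege_reasons.append("requests access to all URLs")

        # A sideloaded extension with benign permissions, or a Web Store
        # extension with broad permissions, is not flagged; both together are.
        if sideload_reasons and privilege_reasons:
            findings.append((ext_id, name, sideload_reasons + privilege_reasons))
    return findings


def scan_preferences_text(text: str) -> List[Finding]:
    """Scan the raw JSON text of a Secure Preferences / Preferences file."""
    return scan_extension_settings(json.loads(text))


def scan_preferences_file(path: str) -> List[Finding]:
    """Scan a profile's 'Secure Preferences' (or 'Preferences') file on disk."""
    with open(path, encoding="utf-8") as fh:
        return scan_preferences_text(fh.read())


# Constructed sample: one Web Store extension and one sideloaded extension
# shaped like the clipper described in the article. IDs are made-up
# 32-character [a-p] strings and the path is a placeholder.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "from_webstore": True,
                "location": LOCATION_INTERNAL,
                "manifest": {"name": "Tab Groups Helper", "manifest_version": 3,
                             "permissions": ["tabs"], "host_permissions": []},
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "from_webstore": False,
                "location": LOCATION_UNPACKED,
                "path": "C:\\Users\\victim\\AppData\\Local\\notes_ext",
                "manifest": {"name": "Google Notes", "manifest_version": 3,
                             "permissions": ["clipboardRead", "clipboardWrite", "history"],
                             "host_permissions": ["<all_urls>"]},
            },
        }
    }
})

if __name__ == "__main__":
    for ext_id, name, reasons in scan_preferences_text(SAMPLE_SECURE_PREFERENCES):
        print(f"[!] {name} ({ext_id}): " + "; ".join(reasons))
```

Run it against every profile directory under the browser's user data folder; a hit is a starting point for triage (pull the extension's `path`, its manifest and its background script), not proof of compromise on its own, since legitimately loaded developer extensions will match too.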
For every wallet address matching patterns associated with Bitcoin (BTC), Ethereum, Bitcoin Cash, Ripple, and Dash, a unique attacker-controlled address is mapped on the server side. In contrast, all submitted Solana addresses resolve to a single attacker address – currently holding $1,902.45. Because the mapping lives on the server and the C2 location is read from a smart contract, attackers can change replacement addresses and update smart contract values without redeploying malware, enhancing their ability to adapt and evade detection.
McAfee Labs researchers found that infections from the Silent Swap campaign are globally distributed but have shown a higher concentration in countries such as India. Countries impacted by this campaign include the U.S., Brazil, Indonesia, and Spain.
This campaign represents an illustrative example of how consumer-targeted cryptocurrency theft is evolving, with attackers utilizing techniques like blockchain-resolved lookup domains that can be rotated with single transactions to evade detection and maintain persistence in a wide array of compromised systems worldwide.
Furthermore, the discovery of this sophisticated campaign underscores the urgent need for heightened awareness and vigilance among users of cryptocurrencies as they continue to expand their online presence and exposure to various cyber threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Silent-Swap-Crypto-Clipper-A-Sophisticated-Campaign-of-Cryptocurrency-Theft-ehn.shtml
https://thehackernews.com/2026/06/silent-swap-crypto-clipper-uses-fake.html
Published: Wed Jul 1 12:26:33 2026 by llama3.2 3B Q4_K_M