ETH Shitcoin Wallet steals data from Chrome users

An Ethereum wallet extension on Chrome has been discovered to steal user data, including login credentials to some popular crypto platforms. Known as Shitcoin Wallet, it keeps track of all the private keys for its users and also injects their computers with malicious code.

The wallet’s irregularities were discovered by Harry Denley, the director of security at MyCrypto, a tool that lets you interact with the blockchain. 

https://twitter.com/sniko_/status/1211841389299982336

Shitcoin Wallet was launched last December 9. The team behind the wallet described it as a secure web wallet that comes with several extensions for different browsers. It allows users to store ETH and other ERC-20 tokens as well. Users can install a browser extension or download a desktop application, if they desire added security and privacy.

However, as Denley revealed, this wasn’t all it was doing. The wallet’s extension secretly sends all the private keys to the wallets created on the platform to a third party website. With these private keys, the third party can access the crypto stored on the wallets freely and at will.

The wallet’s extension also injects malicious JavaScript code once its users visit five popular crypto platforms. These are MyEtherWallet, Binance, IDEX, Switcheo and NeoTracker.io. Once the code executes, it gives the malicious party the ability to access and steal login credentials to these sites. This data is also sent to the same website as the private keys.

The Chrome extension has since been taken down. However, it was already installed over 600 times. A few of the users had already noticed something was amiss, with poor reviews on Chrome and complaints on Shitcoin Wallet’s Telegram page.

“It steals your login data and your tokens do not download it is a scam,” says one disgruntled user. Another user on Telegram stated “It is a virus ransomware encrypting your files and ask for money.”

Shitcoin Wallet has yet to come out and clarify its position on the accusations. While it’s possible that it was a scam all along—the name itself is quite suspicious—it’s also possible that a third party compromised the Chrome extension.