Malicious Chrome Extension Targets MEXC API Keys via Telegram Exfiltration
Summary
A malicious Chrome extension named MEXC API Automator, masquerading as a trading automation tool, steals MEXC API keys by creating new keys with withdrawal permissions, hiding the permissions in the UI, and exfiltrating the keys to a Telegram bot. The threat remains active as long as the keys are valid and not revoked, even after the extension is uninstalled, allowing attackers to control MEXC accounts, execute trades, and perform automated withdrawals. The threat actor leverages the Chrome Web Store for delivery, the MEXC web UI for execution, and Telegram for exfiltration. The extension has 29 downloads and is still available on the Chrome Web Store. The attacker's identity is unknown, but references point to a Telegram bot named SwapSushiBot promoted on TikTok and YouTube.
Timeline
- 13.01.2026 19:22 (1 article): Malicious Chrome Extension Steals MEXC API Keys via Telegram Exfiltration
- Malicious Chrome Extension Steals MEXC API Keys by Masquerading as Trading Tool — thehackernews.com — 13.01.2026 19:22
Information Snippets
- The malicious extension, MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), was published on September 1, 2025, by a developer named 'jorjortan142.'
  First reported: 13.01.2026 19:22 (1 source, 1 article)
- The extension creates new MEXC API keys, enables withdrawal permissions, hides the permission in the UI, and exfiltrates the keys to a hardcoded Telegram bot.
  First reported: 13.01.2026 19:22 (1 source, 1 article)
- The extension injects a content script, script.js, when the user navigates to MEXC's API management page, programmatically creating a new API key and enabling withdrawal capability.
  First reported: 13.01.2026 19:22 (1 source, 1 article)
- The script tampers with the page's UI to hide the withdrawal permission from the user and transmits the API keys to a Telegram bot under the threat actor's control.
  First reported: 13.01.2026 19:22 (1 source, 1 article)
- The threat remains active as long as the API keys are valid and not revoked, allowing attackers to control the victim's MEXC account even after the extension is uninstalled.
  First reported: 13.01.2026 19:22 (1 source, 1 article)
- References point to a Telegram bot named SwapSushiBot, promoted on TikTok and YouTube, which may be linked to the threat actor.
  First reported: 13.01.2026 19:22 (1 source, 1 article)
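The behaviour described in the snippets above (a content script scoped to the exchange's pages that talks to Telegram) can be hunted for on disk. The following is an added detection example, not code from the cited report or from the extension: it walks a Chrome profile's `Extensions/<id>/<version>/` layout and flags the reported extension ID plus any extension whose content scripts match an exchange domain and reference the Telegram Bot API host. The function names, the `mexc.` substring heuristic for match patterns, and the sample data are assumptions constructed for illustration.

```python
import json
from pathlib import Path

KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}  # extension ID reported above
TARGET_HINT = "mexc."            # assumption: match patterns name the exchange's domain
EXFIL_HINT = "api.telegram.org"  # Telegram Bot API host

def audit_extension(ext_id, version_dir):
    """Return findings for one unpacked extension version directory."""
    version_dir = Path(version_dir)
    findings = ["known-bad-id"] if ext_id in KNOWN_BAD_IDS else []
    try:
        manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return findings  # missing or corrupt manifest: only the ID check applies
    if not isinstance(manifest, dict):
        return findings
    for cs in manifest.get("content_scripts", []):
        if not any(TARGET_HINT in m.lower() for m in cs.get("matches", [])):
            continue
        findings.append("content-script-on-exchange")
        for js in cs.get("js", []):
            path = version_dir / js.lstrip("/")
            if path.is_file() and EXFIL_HINT in path.read_text(encoding="utf-8", errors="replace"):
                findings.append("telegram-endpoint-in:" + js)
    return findings

def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/ and return {id: findings} for flagged IDs."""
    report = {}
    for id_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            findings = audit_extension(id_dir.name, version_dir)
            if findings:
                report.setdefault(id_dir.name, []).extend(findings)
    return report

def build_sample(root):
    """Constructed sample data: one extension shaped like the report, one benign."""
    samples = {
        "a" * 32: (["https://*.mexc.com/*"], "const u = 'https://api.telegram.org/bot<placeholder>';"),
        "b" * 32: (["https://example.com/*"], "console.log('hello');"),
    }
    for ext_id, (matches, src) in samples.items():
        d = Path(root) / ext_id / "1.0_0"
        d.mkdir(parents=True)
        manifest = {"manifest_version": 3, "content_scripts": [{"matches": matches, "js": ["script.js"]}]}
        (d / "manifest.json").write_text(json.dumps(manifest))
        (d / "script.js").write_text(src)
```

A hit is a triage lead rather than a verdict, and because the stolen keys outlive the extension, any flagged host also needs its MEXC API keys reviewed and revoked.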