QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials

First reported

28.02.2026 21:18

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. Users are advised to remove the extension, scan their devices for malware, and reset passwords.

Timeline

28.02.2026 21:18 1 articles · 3h ago

QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials
On February 17, 2026, a malicious version 5.8 of the QuickLens Chrome extension was released, introducing ClickFix attacks and info-stealing functionality. The extension stripped browser security headers, communicated with a C2 server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. Google has removed the extension from the Chrome Web Store and automatically disables it for affected users.
Show sources

QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18
Open in new tab

Information Snippets

QuickLens was initially a legitimate Chrome extension with roughly 7,000 users.
First reported: 28.02.2026 21:18

1 source, 1 article
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18
Version 5.8 of QuickLens, released on February 17, 2026, contained malicious scripts.
First reported: 28.02.2026 21:18

1 source, 1 article
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18
The extension stripped browser security headers, including Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection.
First reported: 28.02.2026 21:18

1 source, 1 article
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18
The extension communicated with a C2 server at api.extensionanalyticspro[.]top.
First reported: 28.02.2026 21:18

1 source, 1 article
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18
The extension targeted various cryptocurrency wallets, including MetaMask, Phantom, Coinbase Wallet, and others.
First reported: 28.02.2026 21:18

1 source, 1 article
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18
The extension displayed fake Google Update prompts, leading to the download of a malicious executable named 'googleupdate.exe'.
First reported: 28.02.2026 21:18

1 source, 1 article
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18
Google has removed QuickLens from the Chrome Web Store and automatically disables it for affected users.
First reported: 28.02.2026 21:18

1 source, 1 article
Show sources
- QuickLens Chrome extension steals crypto, shows ClickFix attack — www.bleepingcomputer.com — 28.02.2026 21:18