Full Report
Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that's capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries, while masquerading as a tool to automate trading on the platform. The extension, named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), has 29 downloads and is still
Analysis Summary
# Tool/Technique: MEXC API Automator
## Overview
A malicious Google Chrome extension designed to steal API keys (including sensitive withdrawal permissions) associated with the MEXC centralized cryptocurrency exchange (CEX) by masquerading as a legitimate trading automation tool.
## Technical Details
- Type: Malware (Browser Extension)
- Platform: Google Chrome (Web Browser)
- Capabilities: Steals API keys, enables withdrawal permissions, hides enablement from the user interface, exfiltrates credentials via Telegram bot.
- First Seen: Published on September 1, 2025.
## MITRE ATT&CK Mapping
The actions are primarily focused on credential access and exfiltration from within a legitimate, authenticated browser session.
- **TA0001 - Credential Access**
- **T1549.008 - Credentials from Web Browsers (Credential Dumping)** (The extension reads the keys at the moment they are generated rather than dumping stored credentials, but programmatically extracting secrets from the running web session is closely related.)
- **T1056.001 - Input Capture: Keylogging** (The script interacts directly with the authenticated session's processes.)
- **TA0010 - Exfiltration**
- **T1041 - Exfiltration Over C2 Channel**
- **T1041.001 - Application Layer Protocol** (HTTPS POST requests to the Telegram bot endpoint)
## Functionality
### Core Capabilities
- **Masquerading:** Poses as the "MEXC API Automator" extension to trick users into installation.
- **Targeted Website Interaction:** Injects a content script (`script.js`) only when the user navigates to the MEXC API key management page (`/user/openapi`) within an already authenticated session.
- **API Key Generation:** Programmatically creates new API keys for the MEXC account.
- **Permission Escalation:** Ensures that **withdrawal capability** is enabled for the newly created API key.
### Advanced Features
- **UI Tampering:** Modifies the browser's Document Object Model (DOM) to visually mislead the user into believing the withdrawal permission is *disabled* when it is, in fact, enabled.
- **Credential Exfiltration:** Extracts the generated Access Key and Secret Key and transmits them via an HTTPS POST request to a hardcoded Telegram bot endpoint controlled by the threat actor.
- **Persistence via Key Lifespan:** The compromise remains effective as long as the stolen API keys remain valid and unrevoked, even if the user uninstalls the extension.
## Indicators of Compromise
- File Hashes: Not provided in the text.
- File Names: `script.js` (Content script)
- Extension ID: `pppdfgkfdemgfknfnhpkibbkabhghhfh`
- Registry Keys: Not applicable (Browser Extension).
- Network Indicators: Exfiltration occurs via an HTTPS POST request to a hardcoded Telegram bot. (The specific bot endpoint is not given in the report.)
- Behavioral Indicators: Script injection triggered by URL matching `/user/openapi`; programmatic execution of API key creation workflow on the MEXC site; communication to a Telegram destination.
## Associated Threat Actors
The developer is associated with the name "jorjortan142," which links to the X handle @jorjortan142 and the Telegram bot named **SwapSushiBot**. The same persona is also linked to promotional content on TikTok and YouTube.
## Detection Methods
- Signature-based detection: Identification of the specific Extension ID (`pppdfgkfdemgfknfnhpkibbkabhghhfh`) in the Chrome Web Store/browser profile.
- Behavioral detection: Monitoring for content scripts injecting into authenticated cryptocurrency exchange management pages, specifically looking for programmatic interaction with the API key generation workflow, and outbound POST requests to known Telegram infrastructure originating from the browser context.
- YARA rules: Not provided.
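The signature and behavioural checks above, written out as an added example (not code from the report or from any vendor): it walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` files, flags the known extension ID, flags content scripts whose match patterns cover the MEXC API-key page (or the exchange domain at all), and flags host permissions for the Telegram Bot API. The exchange and exfiltration host lists are assumptions to be extended locally, and `build_sample_profile` writes constructed manifests so the scan can be run offline.

```python
import json
import tempfile
from pathlib import Path

MALICIOUS_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}   # extension ID from the report
EXCHANGE_HOSTS = ("mexc.com",)         # assumed watch-list; add other exchanges you use
SENSITIVE_PATHS = ("/user/openapi",)   # MEXC API-key management page
EXFIL_HOSTS = ("api.telegram.org",)    # Telegram Bot API

def assess_manifest(ext_id, manifest):
    """Return findings for one parsed manifest.json; an empty list means nothing odd."""
    findings = []
    if ext_id in MALICIOUS_IDS:
        findings.append("known malicious extension ID")
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if any(h in pattern for h in EXCHANGE_HOSTS):
                sensitive = any(p in pattern for p in SENSITIVE_PATHS)
                findings.append(("content script targets API-key page: " if sensitive
                                 else "content script injected into exchange: ") + pattern)
    # MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    for host in manifest.get("host_permissions", []) + manifest.get("permissions", []):
        if any(x in host for x in EXFIL_HOSTS):
            findings.append(f"permission for exfil-capable host: {host}")
    return findings

def scan_profile(profile_dir):
    """Chrome unpacks extensions to <profile>/Extensions/<id>/<version>/manifest.json."""
    results = {}
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = path.parents[1].name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest; a production tool should log this
        findings = assess_manifest(ext_id, manifest)
        if findings:
            results[ext_id] = findings
    return results

def build_sample_profile():
    """Constructed profile: one manifest shaped like the report's extension, one benign."""
    root = Path(tempfile.mkdtemp())
    bad = {"manifest_version": 3, "host_permissions": ["https://api.telegram.org/*"],
           "content_scripts": [{"matches": ["https://www.mexc.com/user/openapi*"], "js": ["script.js"]}]}
    benign = {"manifest_version": 3, "content_scripts": [{"matches": ["https://example.com/*"], "js": ["a.js"]}]}
    for ext_id, m in (("pppdfgkfdemgfknfnhpkibbkabhghhfh", bad), ("b" * 32, benign)):
        d = root / "Extensions" / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(m), encoding="utf-8")
    return root
```

Point `scan_profile` at a real profile directory (for example `~/.config/google-chrome/Default` on Linux) to audit installed extensions; any extension with findings deserves a manual look at its content scripts.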
## Mitigation Strategies
- **Principle of Least Privilege:** Users should avoid granting withdrawal permissions to API keys unless absolutely necessary, and restrict permissions based on required functionality (e.g., only 'Trade' permissions).
- **Browser Hygiene:** Regularly review and audit installed browser extensions, especially those granting access to sensitive financial websites.
- **API Management:** Immediately revoke any unexpected or newly created API keys found on the MEXC account.
- **Session Awareness:** Be exceptionally cautious when generating sensitive credentials like API keys while logged into high-value services in a browser containing extensions.
## Related Tools/Techniques
This technique is described as a "playbook" adaptable to other exchanges, DeFi dashboards, or any web console that issues tokens/keys within an authenticated web session. Future variants are anticipated to use heavier obfuscation and request broader browser permissions.