Unraveling How a Malicious Extension Stole a Million Dollars

10 min readJun 4, 2024



On June 3, 2024, Twitter user @CryptoNakamao shared a post detailing how he lost $1 million due to a malicious Chrome extension named Aggr. This incident has sparked significant concern within the crypto community about the risks associated with browser extensions and the security of their digital assets.

In response, on May 31, our security team published an in-depth analysis titled “Wolf in Sheep’s Clothing | Fake Chrome Extension Theft Analysis” where wemeticulously examined the malicious behaviors of the Aggr extension.

To address the widespread lack of knowledge about browser extensions, SlowMist’s Chief Information Security Officer, 23pds, is here to provide a detailed Q&A in this article. The six questions and answers aim to explain the basic concepts and potential risks of extensions, offering advice on how to mitigate these risks. The goal is to help both individual users and trading platforms enhance the security of their accounts and assets.



1. What is a Chrome Extension?

A Chrome extension is a plugin designed for the Google Chrome browser, enabling it to extend its functionality and behavior. These extensions can customize the user’s browsing experience, add new features or content, or interact with websites. Chrome extensions are typically built using HTML, CSS, JavaScript, and other web technologies.

The structure of a Chrome extension usually includes the following components:

- manifest.json: The configuration file of the extension, defining basic information such as name, version, and permissions.

- Background Scripts: Run in the background of the browser, handling events and long-term tasks.

- Content Scripts: Run in the context of web pages, allowing direct interaction with the web pages.

- User Interface (UI): Elements like browser toolbar buttons, pop-up windows, and options pages.

2. What are the functions of Chrome extensions?

- Ad Blocking: Extensions can block and remove ads on web pages, improving load speed and user experience. Examples include AdBlock and uBlock Origin.

- Privacy and Security: Some extensions enhance user privacy and security, such as preventing tracking, encrypting communications, and managing passwords. Examples include Privacy Badger and LastPass.

- Productivity Tools: Extensions can help users boost productivity by managing tasks, taking notes, and tracking time. Examples include Todoist and Evernote Web Clipper.

- Developer Tools: Provide debugging and development tools for web developers, such as inspecting web page structure, debugging code, and analyzing network requests. Examples include React Developer Tools and Postman.

- Social Media and Communication: Integrate social media and communication tools, allowing users to handle social media notifications and messages while browsing. Examples include Grammarly and Facebook Messenger.

- Web Customization: Users can customize the appearance and behavior of web pages through extensions, such as changing themes, rearranging page elements, and adding extra features. Examples include Stylish and Tampermonkey.

- Task Automation: Help users automate repetitive tasks, such as auto-filling forms and batch downloading files. Examples include iMacros and DownThemAll.

- Language Translation: Some extensions provide real-time translation of web content, helping users understand web pages in different languages. Examples include Google Translate.

- Cryptocurrency Assistance: Extensions assist users in cryptocurrency transactions, such as MetaMask.

The flexibility and diversity of Chrome extensions make them applicable to almost any browsing scenario, helping users complete various tasks more efficiently.

3. What permissions do Chrome extensions have after installation?

After installation, Chrome extensions may request a range of permissions to perform specific functions. These permissions are declared in the extension’s manifest.json file and prompted for user confirmation during installation. Common permissions include:

- <all_urls>: Allows the extension to access the content of all websites, enabling it to read and modify data on any site.

- tabs: Allows the extension to access information about browser tabs, including retrieving, creating, and closing tabs.

- activeTab: Temporarily grants the extension access to the currently active tab, typically used when the user clicks the extension button.

- storage: Allows the extension to use Chrome’s storage API to store and retrieve data, such as extension settings and user data.

- cookies: Allows the extension to access and modify browser cookies.

- webRequest and webRequestBlocking: Allows the extension to intercept and modify network requests, commonly used by ad blockers and privacy protection extensions.

- bookmarks: Allows the extension to access and modify the browser’s bookmarks.

- history: Allows the extension to access and modify the browser’s history.

- notifications: Allows the extension to display desktop notifications.

- contextMenus: Allows the extension to add custom menu items to the browser’s context menu (right-click menu).

- geolocation: Allows the extension to access the user’s geographical location.

- clipboardRead and clipboardWrite: Allows the extension to read and write clipboard content.

- downloads: Allows the extension to manage downloads, including starting, pausing, and canceling downloads.

- management: Allows the extension to manage other extensions and applications in the browser.

- background: Allows the extension to run long-term tasks in the background.

- webNavigation: Allows the extension to monitor and modify browser navigation behavior.

These permissions enable Chrome extensions to perform many powerful and diverse functions, but they also mean that extensions can potentially access sensitive user data, such as cookies and authentication information.

4. How can malicious Chrome extensions steal user permissions?

Malicious Chrome extensions can exploit the permissions they request to steal user credentials and other sensitive information because these extensions can directly access and manipulate the user’s browsing environment and data. Specific methods include:

- Extensive Permission Access: Malicious extensions often request a large number of permissions, such as accessing all websites (<all_urls>), reading and modifying browser tabs (tabs), and accessing browser storage (storage). These permissions allow malicious extensions to extensively access the user’s browsing activities and data.

- Manipulating Network Requests: Malicious extensions can use webRequest and webRequestBlocking permissions to intercept and modify network requests, thereby stealing user credentials and sensitive data. For example, they can intercept form data when the user logs into a website and capture usernames and passwords.

- Reading and Writing Page Content: Through content scripts, malicious extensions can embed code into web pages to read and modify page content. This means they can steal any data the user enters on web pages, such as form information and search queries.

- Accessing Browser Storage: Malicious extensions can use storage permissions to access and store local user data, including browser storage that may contain sensitive information (such as LocalStorage and IndexedDB).

- Manipulating Clipboard: Using clipboardRead and clipboardWrite permissions, malicious extensions can read and write clipboard content, thereby stealing or tampering with information the user copies and pastes.

- Masquerading as Legitimate Sites: Malicious extensions can modify browser content or redirect users to web pages, posing as legitimate sites to trick users into entering sensitive information.

- Running Long-Term in the Background: Extensions with background permissions can continuously run in the background, even when the user is not actively using them, allowing them to monitor user activities for long periods and collect extensive data.

- Manipulating Downloads: Using downloads permissions, malicious extensions can download and execute malicious files, further compromising the user’s system security.

5. Why did the victim of this malicious extension lose permissions and funds?

The victim lost permissions and funds because the malicious Aggr extension had access to the crucial permissions we discussed earlier. Here is a snippet of the permissions from the manifest.json file of this malicious plugin:

  • cookies
  • tabs
  • <all_urls>
  • storage

6. What can a malicious Chrome extension do after stealing a user’s cookies?

- Access Accounts: The malicious extension can use the stolen cookies to simulate a user login to trading platform accounts, accessing account information such as balances and transaction history.

- Execute Transactions: The stolen cookies might allow the malicious extension to execute transactions without user consent, buying or selling cryptocurrencies, or even transferring assets to other accounts.

- Withdraw Funds: If the cookies contain session information and authentication tokens, the malicious extension might bypass two-factor authentication (2FA) and directly initiate fund withdrawals, transferring the user’s cryptocurrencies to the attacker’s wallet.

- Access Sensitive Information: The malicious extension can access and collect sensitive information stored in the user’s trading platform account, such as identification documents and addresses, potentially leading to further identity theft or fraud.

- Modify Account Settings: The malicious extension can change account settings, such as linked email addresses and phone numbers, to gain further control over the account and steal more information.

- Impersonate the User for Social Engineering Attacks: The malicious extension can use the user’s account to carry out social engineering attacks, such as sending fraudulent messages to the user’s contacts to trick them into performing unsafe actions or providing more sensitive information.

Preventive Measures

After reading this, users might wonder how to protect themselves from such risks. Some might suggest extreme measures like disconnecting from the internet, using a separate computer, or avoiding web-based platforms altogether. However, there are more practical ways to prevent such risks:

For Individual Users:

- Enhance Personal Security Awareness: The first step is to enhance personal security awareness and always maintain a cautious attitude.

- Install Extensions from Trusted Sources Only: Install extensions from the Chrome Web Store or other trusted sources, read user reviews and permissions requests, and avoid granting unnecessary access permissions.

- Use a Secure Browsing Environment: Avoid installing extensions from unknown sources, regularly review and remove unnecessary extensions, and use different browsers to separate browsing with extensions from financial transactions.

- Regularly Check Account Activity: Regularly check account login activities and transaction records, and take immediate action if any suspicious behavior is detected.

- Remember to Log Out: Always log out after completing operations on web platforms. Many people leave their accounts logged in for convenience, but this habit poses a security risk.

- Use a Hardware Wallet: For large assets, use a hardware wallet for storage to enhance security.

- Browser Settings and Security Tools: Use secure browser settings and extensions (such as ad blockers and privacy protection tools) to reduce the risk of malicious extensions.

- Use Security Software: Install and use security software to detect and prevent malicious extensions and other malware.

For Exchanges:

- Enforce Two-Factor Authentication (2FA):

- Global 2FA Activation: Require all users to enable two-factor authentication (2FA) for logging in and performing important operations (such as trading, placing orders, and withdrawing funds) to ensure that even if cookies are stolen, attackers cannot easily access the account.

- Multiple Authentication Methods: Support multiple two-factor authentication methods, such as SMS, email, Google Authenticator, and hardware tokens.

- Session Management and Security:

- Device Management: Provide users with the ability to view and manage logged-in devices, allowing them to log out unknown devices at any time.

- Session Timeout: Implement session timeout policies to automatically log out inactive sessions, reducing the risk of session hijacking.

- IP Address and Geolocation Monitoring: Detect and alert users of login attempts from unusual IP addresses or geolocations, and block these logins if necessary.

- Enhance Account Security Settings:

- Security Notifications: Send instant notifications to users regarding account logins, password changes, fund withdrawals, etc., through email or SMS to alert them of suspicious activity.

- Account Freeze Option: Provide an option for users to quickly freeze their accounts in emergencies to control the extent of damage.

- Strengthen Monitoring and Risk Control Systems:

- Anomaly Detection: Use machine learning and big data analysis to monitor user behavior, identify abnormal trading patterns and account activities, and promptly intervene with risk control measures.

- Risk Control Alerts: Implement alerts and restrictions for suspicious activities, such as frequent account information changes and failed login attempts.

- Provide Security Education and Tools for Users:

- Security Education: Use official social media accounts, emails, and in-platform notifications to educate users on security best practices and the risks associated with browser extensions.

- Security Tools: Offer official browser plugins or extensions to help users enhance account security and detect potential threats.


Frankly speaking, from a technical standpoint, implementing all the risk control measures mentioned above may not always be the best approach. There needs to be a balance between security and business needs. If security measures are too stringent, user experience may suffer. For instance, requiring two-factor authentication (2FA) for every transaction can be inconvenient for users who prefer quick transactions. Some users might even disable 2FA for convenience, which in turn makes it easier for hackers to exploit stolen cookies for malicious activities, such as unauthorized trades.

Therefore, the approach to risk control should vary based on the platform and its user base. The balance between security and user experience will differ for each platform. It is hoped that platforms will find a way to protect user accounts and assets while maintaining a smooth user experience.

Safety first, always. The SlowMist security team advises users to take a moment to think before installing software, downloading plugins, or engaging with any new applications. Consider whether the action is appropriate and safe, and then proceed. This can help prevent incidents and ensure a safer experience.

For more security knowledge, refer to SlowMist’s “Blockchain Dark Forest Self-Guard Handbook

As always, stay vigilant!

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub




SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.