The ‘Shitcoin Wallet’ Extension is Stealing Cryptocoin Wallet Credentials

• Shitcoin Wallet is apparently loading obfuscated credential-stealing JavaScript code.
• This happens when the user is visiting 77 websites, while the code activates on five of them.
• The app could have been compromised by another malicious entity, and the developers could be unaware.

A Google Chrome extension named ‘Shitcoin Wallet’ is apparently injecting credential-stealing JavaScript snippets when the user is visiting cryptocurrency websites or is trying to access their wallets. The discovery of the fact comes from the Director of Security of “MyCrypto”, Harry Denley, who warns people not to use Shitcoin. The researcher claims that the extension is sending the private keys of user wallets to “erc20wallet[.]tk”, and activates data-exfiltrating JavaScript code when visiting one of the following five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange.

The particular extension was launched only last month, touting advanced wallet management features for users who deal with ICOs (initial coin offerings), Ether, and Ethereum ERC20. Besides management, Shitcoin also supports transactions of all kinds. When reading the section about what makes Shitcoin so special in this admittedly crowded market, the potential user is getting confused with vague promises about airdropped tokens. The extension is still available on the Chrome Extension store, but the visitor will get an Ethereum Phishing Detection on it, which will definitely save more people from falling victims. Already, there have been at least six hundred installations of Shitcoin, so the malicious actors have seen some success already.

Source: Chrome Extensions

Whether or not the extension’s developers are responsible for this behavior remains unclear right now, as they haven’t provided an official statement on the matter. According to user reports, the desktop version of the wallet app is flagged as a virus by some AV solutions, although many don’t recognize it for what it is. So, it could be that some download channels have been compromised by hackers, or maybe the original developers are indeed involved in this mischief. Whatever the case, Shitcoin Wallet is not safe to use, and if you have entered your credentials on cryptocurrency websites while using it you should reset them immediately if possible.

If you are looking for a safe and secure wallet solution to keep your crypto coins away from the risks of hackers, maybe you should consider using a hardware wallet instead. Wallets from Trezor and Ledger, for example, are trusted by thousands of crypto coin holders because they allow offline management, can be recovered even if the device is lost, are cross-compatible, are getting audited frequently, and feature robust authorization procedures. If you want to learn more about hardware wallets, check out our detailed guide on how to keep your cryptocurrency safe with them.

Have you used obscure web-based wallets like Shitcoin? How did it go? Share your experience with us in the comments down below, or join the discussion on our socials, on Facebook and Twitter.