The extension, Shitcoin Wallet (Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn), was launched last month, on December 9. With Shitcoin Wallet, users managed their Ether (ETH) coins and Ethereum ERC20-based tokens (tokens usually issued for ICOs, or initial coin offerings), either from the browser or by installing a desktop app.
Malicious Behavior with the extension
Harry Denley, Director of Security at the MyCrypto platform, discovered that the Chrome extension isn't what it promises to be. He found malicious code within the extension. In a blog post, ZDNet reported that, "According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC20-based tokens) managed directly inside the extension are at
Denley said that the extension sends all the keys on its system to a third-party website at erc20wallet[.]tk.
The malicious code works by the following process:
1. The user installs the Chrome extension Shitcoin Wallet.
3. If the user navigates to any of these 77 websites, the extension injects additional code.
4. The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange.
5. After activation, the code saves the user's login credentials, keys and other data, then siphons them to a third party.
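An added audit example (not from the original article or any vendor tool): it walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` tree and reports the extension ID named above, plus any other extension whose manifest lets it run on the five sites listed in step 4. The directory passed in and the report field names are assumptions; the 77-site list is not reproduced in the article, so only the five named domains are checked.

```python
import json
import re
import sys
from pathlib import Path

REPORTED_ID = "ckkgmccefffnbbalkmbbgebbojjogffn"   # extension ID given in the article
WATCHED = ["myetherwallet.com", "idex.market", "binance.org",
           "neotracker.io", "switcheo.exchange"]   # the five sites named in the article

def pattern_covers(pattern, domain):
    """True if a Chrome match pattern applies to `domain` or one of its subdomains."""
    if pattern == "<all_urls>":
        return True
    m = re.match(r"^(\*|https?|wss?|ftp|file)://([^/]*)/", pattern)
    if not m:
        return False                      # an API permission such as "storage"
    host = m.group(2).lower()
    if host == "*":
        return True
    wildcard = host.startswith("*.")
    base = host[2:] if wildcard else host
    return (base == domain or base.endswith("." + domain)
            or (wildcard and domain.endswith("." + base)))

def host_patterns(manifest):
    """Every pattern that lets the extension read or script a page (MV2 and MV3 keys)."""
    pats = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return [p for p in pats if isinstance(p, str)]

def audit(extensions_dir):
    """Map extension ID -> findings for <profile>/Extensions/<id>/<version>/manifest.json."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parts[-3]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue                      # unreadable or malformed manifest
        if not isinstance(manifest, dict):
            continue
        pats = host_patterns(manifest)
        hits = sorted(d for d in WATCHED if any(pattern_covers(p, d) for p in pats))
        if ext_id == REPORTED_ID or hits:
            report[ext_id] = {"reported_id": ext_id == REPORTED_ID,
                              "name": manifest.get("name", "?"), "can_reach": hits}
    return report

if __name__ == "__main__":
    for ext_id, finding in audit(sys.argv[1]).items():
        print(ext_id, finding)
```

An extension that shows up only under `can_reach` is not necessarily malicious; the list is a starting point for reviewing which add-ons can script wallet and exchange pages.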
It is not yet clear whether the Shitcoin Wallet team is responsible for the malicious behavior or whether a third party infiltrated the extension. The Shitcoin Wallet team is silent on the allegations and has yet to comment on the matter.
Both 32-bit and 64-bit installers are available for users to download from the extension's official website. VirusTotal, a website that aggregates the virus scanning engines of several antivirus software makers, showed that both versions were clean. As a word of caution, however, the desktop app may contain the code or something even worse.