Malicious Chrome Extension Steals MEXC API Keys via Trading Tool Disguise

These articles are AI-generated summaries. Please check the original sources for full details.

Malicious Chrome Extension Steals MEXC API Keys

A malicious Chrome extension, “MEXC API Automator,” masquerades as a trading tool, successfully stealing API keys from MEXC cryptocurrency exchange users and sending them to attackers via Telegram. Published September 1, 2025, the extension had 29 downloads at the time of reporting.

Why This Matters

Current security models often assume trust within the browser ecosystem and fail to account for compromised extensions. This attack bypasses traditional authentication mechanisms by exploiting an existing, authenticated session, which creates the potential for significant financial losses: a single compromised key can grant attackers complete control over a user’s exchange account and associated funds.

Key Insights

  • Chrome Web Store vulnerability: Malicious extensions can circumvent vetting processes and reach a wide audience.
  • API key abuse: Automated API key generation combined with hidden withdrawal permissions dramatically increases the risk of exploitation.
  • Telegram as exfiltration channel: Attackers commonly utilize Telegram bots for rapid credential harvesting and control.

Practical Applications

  • Use Case: Attackers leverage compromised browser extensions to target cryptocurrency exchange users directly.
  • Pitfall: Assuming browser extension security without robust vetting and runtime monitoring can lead to complete account takeover.
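
A triage check in the spirit of the vetting mentioned above, as an added example that is not from the original article or the reported extension. It flags an unpacked extension whose manifest lets it run on exchange pages and whose scripts reference the Telegram Bot API host; the `mexc.com` pattern, the finding labels and the sample files are assumptions constructed for illustration.

```python
import json
import re

# Assumptions (not from the article): the watched site pattern and the
# Telegram Bot API hostname used as an exfiltration indicator.
WATCHED_SITE = re.compile(r"(^|[./*])mexc\.com(/|$)", re.I)
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TELEGRAM_API = re.compile(r"api\.telegram\.org", re.I)


def match_patterns(manifest):
    """Collect every URL match pattern the extension can run on."""
    pats = list(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; skip API names.
    pats += [p for p in manifest.get("permissions", []) if "/" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats


def audit_extension(manifest, sources):
    """Return findings for a parsed manifest.json and {filename: JS text}."""
    findings = []
    pats = match_patterns(manifest)
    if any(p in BROAD_PATTERNS or WATCHED_SITE.search(p) for p in pats):
        findings.append("runs-on-exchange")
    hits = sorted(f for f, text in sources.items() if TELEGRAM_API.search(text))
    if hits:
        findings.append("telegram-endpoint:" + ",".join(hits))
    if len(findings) == 2:
        findings.append("HIGH: exchange page access plus Telegram egress")
    return findings


# Constructed sample input (not the real extension's files).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Trading Helper",
  "content_scripts": [{"matches": ["*://*.mexc.com/*"], "js": ["script.js"]}]
}""")
SAMPLE_SOURCES = {"script.js": "fetch('https://api.telegram.org/<constructed-path>')"}
BENIGN_MANIFEST = {"manifest_version": 3, "host_permissions": ["https://example.org/*"]}

if __name__ == "__main__":
    print(audit_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES))
    print(audit_extension(BENIGN_MANIFEST, {"bg.js": "console.log('hi')"}))
```

Plain string matching misses obfuscated or remotely loaded code, so an empty result is not a clean bill of health; use the output to prioritize manual review.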
