A threat actor successfully breached the AdsPower browser platform, injecting malicious code that manipulated the functionality of cryptocurrency wallet extensions and siphoned users’ funds. The attack, which occurred on January 21, remained undetected for three days until the company identified the threat and eradicated the malicious payload.
According to SlowMist founder Yu Xian, the malware functioned as a backdoor, extracting mnemonic phrases and private keys from compromised crypto wallet extensions. The stolen credentials were then transmitted to a remote server controlled by the attacker, enabling seamless fund withdrawals from victims’ wallets.
AdsPower, a company specializing in multi-user browsers with a focus on privacy, disclosed that users who downloaded and installed cryptocurrency wallet extensions between 10:00 UTC on January 21 and 10:00 UTC on January 24 may have been affected. To prevent further financial losses, all targeted extensions were forcibly removed from users’ browsers.
Affected clients were promptly notified by AdsPower and urged to transfer their assets to secure accounts before attackers could exploit the stolen credentials. However, not all users managed to act swiftly, leading to substantial financial damages.
Security experts suspect that the attack was meticulously orchestrated, given its precise timing and execution. The breach of a platform designed to enhance privacy serves as a stark warning to other services offering similar solutions, as cybercriminals continue to refine their attack methodologies.
The AdsPower incident underscores the critical importance of regular security audits and rigorous oversight of third-party extensions, particularly those linked to cryptocurrency transactions. Users are strongly advised to utilize hardware wallets and two-factor authentication to fortify the protection of their digital assets.