Crypto Wallet Drainer Extension Investigation

Victim Profile

Wallet Type: MetaMask Assets: ~$3,200 in various tokens Experience Level: Intermediate (2 years in crypto) Security Practices: Hardware wallet for large amounts, extension for small

Attack Vector

Extension Details

Name: "MetaMask Helper - Gas Saver" Platform: Chrome Web Store (fake developer account) Ratings: 4.7 stars (fake reviews) Downloads: 1,200+ (likely fake) Permissions: "Read and change all your data on websites you visit"

Installation Context

• Found via Google search "MetaMask gas fee optimizer"
• Looked legitimate (official-looking icon, detailed description)
• Several "positive" reviews mentioning gas savings
• No obvious warnings during installation

Attack Timeline

Day 1: Installed extension Day 2-4: Normal usage, no issues noticed Day 5: Small test transaction (worked normally) Day 7: Larger transaction initiated → Assets stolen

Technical Analysis

Drainer Mechanism

1. Initial Hooks: Extension injected JavaScript into all pages
2. Wallet Detection: Monitored for wallet connections
3. Transaction Interception:
   • Waited for transaction signing
   • Replaced destination address
   • Modified amounts
   • Kept gas fees similar to avoid detection
4. Data Exfiltration: Sent private keys to C2 server

Infrastructure Analysis

• C2 Server: 185.231.154.12 (Russia)
• Wallet: 0x8f1c2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f
• Funds Movement: Through Tornado Cash mixer
• Total Stolen: ~$45,000 across multiple victims

Detection & Response

Discovery

1. Transaction Review: Noticed unfamiliar address in history
2. Balance Check: Assets missing from wallet
3. Extension Audit: Removed suspicious extension
4. Malware Scan: Detected malicious extension files

Immediate Actions

1. Containment:
   • Disconnected wallet from all sites
   • Revoked all token approvals (revoke.cash)
   • Transferred remaining assets to new wallet
   • Factory reset hardware wallet
2. Reporting:
   • Reported to Chrome Web Store
   • Filed police report
   • Reported to crypto exchanges
   • Submitted to Quiet-Report

Loss Assessment

Direct Loss: $3,200 (entire extension wallet) Prevented Loss: $15,000+ (main wallet unaffected) Time Cost: 8+ hours recovery and reporting

Technical Indicators

• Extension ID: ghijklmnopabcdefghijklmnopqrstuvwx
• Malicious domain: mm-helper-api[.]com
• Telegram bot for C2: @mm_helper_bot
• Ethereum addresses identified: 15+ related wallets

Recommendations

1. Only install extensions from verified developers
2. Review permissions carefully
3. Use separate wallets for extensions vs main assets
4. Regular security audits of installed extensions
5. Hardware wallets for significant amounts