Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction.
The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs.
“The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that
**Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses**
*By The Hacker News Staff*
Cybersecurity researchers have uncovered a sophisticated browser extension campaign dubbed **Silent Swap**, designed to stealthily steal cryptocurrency by replacing users’ wallet addresses during transactions. This emerging threat leverages fake extensions purporting to be legitimate productivity tools-most notably a counterfeit Google Notes extension-to infiltrate systems and hijack crypto transfers.
### Background and Modus Operandi
The Silent Swap operation was uncovered by McAfee Labs, who identified that this campaign is delivered through unsigned installers presented in both **.NET** and **Golang** variants. These malicious installers deploy fraudulent browser extensions that monitor clipboard activity for cryptocurrency wallet addresses. Once detected, the extension rapidly substitutes the user’s intended wallet address with one controlled by the attacker, redirecting funds to cybercriminal accounts without alerting the victim.
This attack vector is particularly insidious because it targets a common user action: copying and pasting complex alphanumeric cryptocurrency wallet addresses. Most users rely on this method due to the difficulty in memorizing or manually entering such lengthy strings, making silent clipboard manipulation a potent tactic for siphoning funds.
### Key Details
– The fake Google Notes extension operates in popular browsers and disguises itself as a legitimate productivity tool to avoid suspicion.
– Unlike traditional malware that might inject code or co-opt entire systems, Silent Swap works at the extension level, making detection by end-users and standard antivirus programs difficult.
– The campaign employs installers without digital signatures, highlighting a lack of official vetting and increasing the risk of installation from untrusted third-party sources.
– Both Windows-based (.NET) and cross-platform (Golang) versions of the installer were observed, indicating the attackers’ intent to cast a wide net across multiple operating systems.
### Market and User Implications
The rise of clipboard hijacking attacks like Silent Swap underscores the ongoing challenges in cryptocurrency security. As adoption accelerates across retail investors and institutional users alike, attackers are innovating ways to exploit the often irreversible nature of blockchain transactions.
Unlike traditional bank transfers, cryptocurrency transactions are immutable. Once funds are transferred to an attacker’s address, recovery is generally impossible without the cooperation of the receiving party, which is rarely forthcoming in criminal cases.
This campaign could fuel increased skepticism around browser extensions and third-party tools in crypto ecosystems, possibly prompting users to adopt more secure transaction practices-such as manual entry verification and using hardware wallets with direct transaction confirmation.
### Expert Perspectives
David Marcus, a senior cybersecurity analyst specializing in blockchain threats, remarked, “Silent Swap represents an evolution in crypto clipping techniques. By masquerading as trusted productivity extensions, attackers bypass many traditional defenses. It’s a stark reminder that users must remain vigilant about any software they install, particularly in the crypto space.”
Cybersecurity firms recommend users verify wallet addresses directly within cold wallets or use QR codes instead of clipboard-based methods where possible. Additionally, only extensions from trusted sources with verified signatures should be installed.
### Conclusion
The Silent Swap crypto clipper campaign is a clear example of the growing cyber risks targeting cryptocurrency users through sophisticated social engineering and technical exploitation. As threat actors continually refine their methods, users and enterprises alike must enhance their security protocols to safeguard digital assets. Awareness, cautious software installation practices, and adoption of secure transaction workflows remain critical defenses against such innovative attacks in the evolving crypto landscape.
—
*Original report by McAfee Labs and The Hacker News. Further information available at* [The Bitcoin Street Journal](https://thebitcoinstreetjournal.com/silent-swap-crypto-clipper-uses-fake-google-notes-extension-to-replace-wallet-addresses/).
Source: The Hacker News
