
Holders of XRP, ETH, BTC, and Other Tokens Targeted in New Malware Campaign

Wed, 1/07/2026 - 20:00
Cybersecurity researchers at McAfee have uncovered "Silent Swap," a highly sophisticated malware campaign that forcibly sideloads a fake "Google Notes" extension into Chromium browsers.
Cover image via depositphotos.com

Cybersecurity researchers at McAfee Advanced Threat Research have uncovered an extremely sophisticated cryptocurrency-stealing malware campaign dubbed "Silent Swap." 

It relies on a malicious browser extension to intercept and modify user clipboards and then swap legitimate cryptocurrency wallet addresses with fake ones. 

The bad actors are hunting for Bitcoin (BTC), Ethereum (ETH), XRP, Bitcoin Cash, and Dash, as well as other cryptocurrencies.


Silent Swap is different from primitive "crypto clippers" due to its alarming level of sophistication. 

The campaign relies on advanced browser manipulation, decentralized command-and-control (C2) infrastructure, and other cutting-edge techniques.  

The "Google Notes" disguise 

The infection typically begins with the victim downloading unsigned .NET or Golang installers. They are often disguised as free or cracked versions of legitimate software. 


The installer then deploys a malicious extension that masquerades as a benign "Google Notes" application.

By tampering with the browser's configuration files, Silent Swap forcibly sideloads itself into Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, and Opera.

Normally, Chromium browsers store integrity values that verify their configuration files have not been tampered with. Silent Swap bypasses this defense by recalculating and updating these values after injecting its code.

The "Google Notes" extension, which gets installed by unwitting victims, grants itself invasive permissions.

Server-side wallet mapping

As soon as the extension detects a copied address matching the regex patterns for BTC, ETH, XRP, Bitcoin Cash, or Dash, it does not substitute a hardcoded replacement address. Instead, it queries the attacker's backend server for one.
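An added example, not code from McAfee's report or from this article: a small Python check written from the defender's side. It classifies clipboard text with format-only regexes for the same five assets and flags a clipper-style swap, which is the case where the value about to be pasted is a different address of the same asset the user copied. The clipboard pairs are constructed sample data, and the patterns check shape only, not checksums.

```python
import re
from typing import Optional

# Format-only patterns for the assets named in the report (no checksum validation).
# Base58 excludes 0, O, I, l; bech32/CashAddr exclude 1, b, i, o.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "BCH": re.compile(r"^(?:bitcoincash:)?[qp][02-9ac-hj-np-z]{41}$"),
    "DASH": re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$"),
}

def classify_address(text: str) -> Optional[str]:
    """Return the asset whose address format `text` matches, else None."""
    text = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return asset
    return None

def detect_swap(copied: str, pasted: str) -> Optional[str]:
    """Flag a clipper swap: the pasted text is an address of the same asset
    as the copied text but a different one. Returns an alert string or None."""
    src, dst = classify_address(copied), classify_address(pasted)
    if src is None or dst is None or copied.strip() == pasted.strip():
        return None
    if src == dst:
        return f"{src} address swapped in clipboard"
    return f"clipboard changed from {src} to {dst} address"

def audit_clipboard_log(events):
    """events: iterable of (copied, pasted) pairs. Returns [(index, alert), ...]."""
    return [(i, a) for i, (c, p) in enumerate(events) if (a := detect_swap(c, p))]

# Constructed sample log: only the second pair models a swap (ETH replaced by ETH).
SAMPLE_EVENTS = [
    ("1" + "Bv" * 16 + "B", "1" + "Bv" * 16 + "B"),  # BTC legacy, unchanged
    ("0x" + "ab" * 20, "0x" + "cd" * 20),            # ETH replaced with other ETH
    ("meeting notes", "meeting notes"),               # not an address at all
    ("r" + "Ab" * 16, "r" + "Ab" * 16),              # XRP, unchanged
]

if __name__ == "__main__":
    for idx, alert in audit_clipboard_log(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```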

The malicious actors behind Silent Swap also do not hardcode their command-and-control (C2) domains into the malware. Instead, they utilize a technique known as "EtherHiding."

Silent Swap has a globally distributed infection footprint, with a particularly high concentration of victims in India.
