BTC Wires

Chrome Browser-Based Ethereum Wallet Injects Malicious JavaScript Code to Siphon Data

Cybersecurity expert Harry Denley tweeted that a popular Ethereum wallet known as the “Shitcoin Wallet” was possibly injecting malicious JavaScript code to steal data from users’ open browser windows.

According to Denley’s tweet, the Ethereum-based crypto wallet software Shitcoin Wallet is targeting MyEtherWallet, Binance and other well-known sites holding users’ credentials, such as passwords and private keys to cryptocurrency.

The Shitcoin Wallet Chrome extension works by downloading a number of JavaScript files from an unknown server. The code then searches for open browser windows that contain pages of the exchanges and Ethereum network tools.

The malicious JavaScript code attempts to scrape data input into those windows. As soon as it does, the data is transferred to an unknown server identified as “,” which is a top-level domain address. The address belongs to the Tokelau group of South Pacific islands, which are part of New Zealand’s territory.
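A defender can check which installed extensions are able to reach wallet and exchange pages by reading each extension's manifest.json. The following is an added example, not code from this article or from the extension itself; the watch-list hostnames and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest for access to wallet/exchange pages.
// WATCHED_HOSTS is an assumed watch list; the sample manifest below is constructed.
const WATCHED_HOSTS = ["www.myetherwallet.com", "www.binance.com"];

// True if a Chrome match pattern (scheme://host/path or <all_urls>) covers the host.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false; // not a host pattern (e.g. the "tabs" API permission)
  const patHost = m[2];
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === patHost;
}

// Returns one finding per (manifest field, pattern, watched host) overlap.
function auditManifest(manifest, watched = WATCHED_HOSTS) {
  const sources = [];
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || []) sources.push(["content_scripts", p]);
  // MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
  for (const key of ["permissions", "host_permissions", "optional_host_permissions"])
    for (const p of manifest[key] || [])
      if (typeof p === "string") sources.push([key, p]);
  const findings = [];
  for (const [field, pattern] of sources)
    for (const host of watched)
      if (patternCoversHost(pattern, host)) findings.push({ field, pattern, host });
  return findings;
}

// Constructed sample manifest (not the real extension's manifest).
const sampleManifest = {
  manifest_version: 2,
  name: "example-wallet",
  permissions: ["tabs", "storage", "https://*.binance.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

for (const f of auditManifest(sampleManifest))
  console.log(`${f.field}: ${f.pattern} grants access to ${f.host}`);
```

A finding only shows that the extension is permitted to run on the page, so it is a starting point for review rather than proof of malicious behaviour.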

Shitcoin Wallet Has Suspicious Features

Yes, that’s the truth: Shitcoin Wallet was actually built for trouble online. As the name itself implies, it is better to stay away from this Ethereum wallet, which reportedly contains some suspicious added features. According to reports, the wallet was launched on December 9, 2019 and claims to have more than 2000 users. It is a web-based wallet comprising several extensions for different browsers.

A company blog post notes –

“It is a web wallet which has several extensions for different browsers, which I will discuss further in the article.”

A few days back, before the malicious JavaScript attack, Shitcoin Wallet announced the launch of its new desktop application, giving away 0.05 ETH to users who download and install it.

While users might have received a small amount of free ETH, they have certainly compromised their personal data, which has been scraped and left vulnerable to remote use.