Malicious Chrome Extension Steals Users’ Bitcoins

Bitstamp, the Slovenian Bitcoin exchange portal, is warning Google Chrome users that an extension is stealing their Bitcoin when making a transfer.

This is a Chrome extension, called “BitcoinWisdom Ads Remover”, which removes ads from the, a website for consulting all kinds of Bitcoin-related statistics, presented in easy-to-understand charts.

Bitstamp, a website which lets users exchange Bitcoin for US dollars, claims that this extension contains malicious code that is redirecting payments to its own Bitcoin address, instead of the one intended by the user making the transaction.

Devon Weller, Bitcoin Web app developer, also confirmed the findings of Bitstamp. According to the Tennessee-based developer, the Chrome extension was secretly replacing QR codes with its own.

QR codes are one of the methods through which users can make payments or transfer Bitcoin from one account to the other.

Due to the fact that Bitcoin account (named wallet) addresses are extremely long strings of random characters, some Bitcoin exchange portals provide the option of taking the whole string and rendering as a QR code. After that, users can scan the QR code with their phone (running a Bitcoin payments app) and approve the payment/transfer.

The “BitcoinWisdom Ads Remover” Chrome extension was abusing its position to manipulate a Web page’s source code and replace the QR code of a payment’s destination with one of its own.

As Bitcoin doesn’t use vanity addresses (like name.surname), users still need technologies like QR codes in order to simplify the process of making a transaction, and people use them because typing a 30- or 40-character-long string can sometimes lead to typing errors, and also a lot of wasted time.

According the latest information, the Chrome extension is still available through Google’s Chrome Web Store. PC users reported similar problems with the same extension in July, last year.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.