A crypto investor, going by the moniker Sell When Over, turned to Twitter to break down an alarming ordeal where a hacker siphoned off $800k from his crypto wallets within a mere 46-hour timeframe. The main problem seems to revolve around a potential Google Chrome exploit, facilitated possibly through delayed updates or undetected malware, leading to the unauthorized installation of malicious extensions.
Sell When Over recounted how he deferred a Chrome update only to be nudged into it by a subsequent Windows update. Post-restart, the changes to Chrome were immediate: vanished tabs and reset extension logins. This anomaly forced him to re-import his wallet seeds—a process he meticulously carried out from a secondary, uncompromised device.
However, it was the discovery of two peculiar extensions, “Sync Test Beta” and “Simple Game,” coupled with an unsolicited activation of auto-Korean translation, that hinted at a deeper compromise. Intriguingly, one specific wallet app, spared the re-import process, remained unaffected, pinpointing the breach’s origin to a singular compromised PC.
Further digging into these extensions revealed alarming functionalities. “Sync Test Beta,” a vividly colored extension, was identified as a keylogger, secretly transmitting data to an external PHP script. On the other hand, “Simple Game” seemed to monitor browser tab activities. Sell When Over lamented the hindsight wisdom of a complete PC wipe at the slightest anomaly, especially when such peculiarities coincide with significant updates like Chrome’s UI overhaul.
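The two extensions described above share the traits a defender can look for on an endpoint: a content script injected into every site, a broad permission set, and source that pairs key-event listeners with outbound network calls. The following Python script is an added example, not code from the thread or from any tool Sell When Over used. It assumes the standard Chrome profile layout of `Extensions/<id>/<version>/manifest.json`, uses a constructed sample profile (the extension IDs and the `example.invalid` host are made up), and its regexes are heuristics that flag candidates for manual review rather than a verdict.

```python
import json
import re
import tempfile
from pathlib import Path

# Permissions that give an extension broad reach over pages, tabs, cookies,
# or the network. Any of these on an extension the user does not recognise
# deserves a closer look.
RISKY_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "cookies", "debugger",
    "clipboardRead", "nativeMessaging", "scripting", "<all_urls>",
}
# Match patterns that mean "every site".
BROAD_MATCH = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")
# Heuristic: a script that both watches keyboard input and talks to the
# network is the shape a keylogger takes (assumption: plain, unobfuscated JS).
KEY_EVENT = re.compile(r"\b(keydown|keypress|keyup|input)\b")
NET_CALL = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b")


def analyse_extension(ext_dir: Path) -> dict:
    """Return the extension name plus a list of human-readable findings."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = []

    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(p for p in perms if p in RISKY_PERMISSIONS or BROAD_MATCH.match(p))
    if risky:
        findings.append("broad permissions: " + ", ".join(risky))

    scripts = []
    for cs in manifest.get("content_scripts", []):
        if any(BROAD_MATCH.match(m) for m in cs.get("matches", [])):
            findings.append("content script injected into every site")
        scripts.extend(cs.get("js", []))
    background = manifest.get("background", {})
    scripts.extend(background.get("scripts", []))       # MV2 background pages
    if background.get("service_worker"):                # MV3 service worker
        scripts.append(background["service_worker"])

    for rel in scripts:
        src_path = ext_dir / rel
        if not src_path.is_file():
            continue
        src = src_path.read_text(encoding="utf-8", errors="replace")
        if KEY_EVENT.search(src) and NET_CALL.search(src):
            findings.append(f"{rel}: listens for key events and makes network calls")

    return {"name": manifest.get("name", "?"), "findings": findings}


def scan_profile(profile_dir: Path) -> list:
    """Walk Extensions/<id>/<version>/manifest.json under a Chrome profile."""
    results = []
    for manifest in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        result = analyse_extension(manifest.parent)
        result["id"] = manifest.parent.parent.name
        results.append(result)
    return results


def build_sample_profile() -> Path:
    """Constructed sample profile: one suspicious extension, one benign one."""
    root = Path(tempfile.mkdtemp())
    # Constructed stand-in for the keylogger extension; ID is made up.
    bad = root / "Extensions" / ("a" * 32) / "1.0_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Sync Test Beta",
        "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    }))
    # Constructed source with the token pattern the heuristic flags; it is
    # not a working logger, just a key listener next to a network call.
    (bad / "content.js").write_text(
        'document.addEventListener("keydown", () => {});\n'
        'fetch("https://example.invalid/collect.php");\n')
    # Benign extension with a narrow permission set.
    good = root / "Extensions" / ("b" * 32) / "2.3_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Note Taker",
        "permissions": ["storage"], "background": {"service_worker": "bg.js"},
    }))
    (good / "bg.js").write_text('chrome.storage.local.get("notes");\n')
    return root


if __name__ == "__main__":
    for r in scan_profile(build_sample_profile()):
        status = "REVIEW" if r["findings"] else "ok"
        print(f"[{status}] {r['name']} ({r['id']}): {r['findings']}")
```

Point `scan_profile` at a real profile (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) to list what is actually installed; the useful part is the list itself, since an extension the owner never installed is the signal, whatever the heuristics say about it.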
As the thread expanded, Sell When Over unveiled a critical security lapse—a Google login breach linked to an obscure Windows device, possibly spoofing a familiar device name to bypass early detection. This breach was traced back to a VPS hosted by Kaopu Cloud, notorious within hacker circles for its role in various cyber misdemeanors. Even though two-factor authentication (2FA) was enabled on the account, the attacker navigated around it, leaving the exact breach method—ranging from OAuth phishing to cross-site scripting—a matter of speculation.
The incident served as a brutal wake-up call, with Sell When Over sharing several key takeaways:
Amidst financial loss, Sell When Over clarified that his hardware wallet remained secure, dismissing any speculation around tax evasion motives behind this revelation. Despite a portion of the stolen funds beginning to be laundered, a hopeful $150k bounty was offered for their return, alongside considerations for a bounty-based forensic investigation.
The saga concluded on a note of continued vigilance, especially against the backdrop of Google’s questionable decision to thread security alerts—a move that potentially masked the intrusion.