Secy247 – Technology, Cybersecurity & Business

Fake Chrome Trading Extension Hijacks MEXC Accounts by Stealing API Keys

Security researchers have uncovered a harmful Google Chrome extension that targets users of MEXC, a centralized cryptocurrency exchange operating in more than 170 countries. The extension pretends to be a trading automation tool but is designed to quietly steal sensitive API credentials from user accounts.

The extension, called MEXC API Automator, is listed on the Chrome Web Store and has been downloaded by at least 29 users. It was published in early September 2025 by a developer using the name “jorjortan142” and remains available at the time of reporting.

According to an analysis by Socket, the extension abuses its access to the MEXC website to create new API keys on behalf of users. During this process, it secretly enables withdrawal permissions, conceals those permissions from the user interface, and then sends the generated API key and secret to a Telegram bot controlled by the attacker.

On the Chrome Web Store, the extension claims to help users connect automated trading bots to MEXC by simplifying API key creation. In reality, this functionality gives the attacker full control over any MEXC account accessed from a browser where the extension is installed.

Once active, the extension waits for the user to visit MEXC’s API management page. It detects this by monitoring the page URL and injects a content script directly into the authenticated session. From there, it automatically creates a new API key, ensures withdrawals are allowed, and manipulates the page so it appears to the user that withdrawal access is turned off.

As soon as the access key and secret key are generated, the extension captures both values and sends them out using an encrypted HTTPS request to a hard-coded Telegram bot. This gives the attacker the ability to place trades, initiate withdrawals, and potentially drain funds linked to the compromised account.

The risk does not end when the extension is removed. As long as the stolen API keys remain active, attackers can continue accessing the account remotely. This allows them to operate independently of the victim’s browser and without needing login credentials.

Researchers noted that the attack chain is especially effective because it relies on trusted infrastructure. The Chrome Web Store is used to distribute the malware, the MEXC web interface becomes the execution environment, and Telegram serves as the data exfiltration channel. By exploiting a legitimate API workflow inside an already logged-in browser session, the attacker bypasses the need for passwords or direct authentication attacks.
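As an added example (not from the article or from Socket's analysis), the following audit scans a Chrome profile's extension manifests for the combination described above: content-script or host access on the exchange domain alongside a host permission for the Telegram API. The exchange-domain list, the exfiltration-host list and the sample manifest are constructed assumptions for illustration, not the real extension's manifest.

```python
import json
import os

# Constructed indicator lists (assumptions for this example): exchange sites whose
# logged-in session a content script could act inside, and hosts used as exfil channels.
EXCHANGE_DOMAINS = ("mexc.com",)
EXFIL_HOSTS = ("api.telegram.org",)

def host_of(pattern: str) -> str:
    """Host part of a Chrome match pattern, e.g. 'https://*.mexc.com/*' -> 'mexc.com'."""
    body = pattern.split("://", 1)[-1].split("/", 1)[0]
    return body.lstrip("*.").lower()

def audit_manifest(manifest: dict) -> list:
    """Findings for one extension manifest (MV2 or MV3). Heuristic, not proof: a content
    script can still fetch() a CORS-permissive host without declaring it, so an empty
    list only means that no declared indicators were found."""
    cs_hosts = {host_of(m) for cs in manifest.get("content_scripts", [])
                for m in cs.get("matches", [])}
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    perm_hosts = {host_of(p) for p in perms if "://" in p}
    exchange = sorted(h for h in cs_hosts | perm_hosts
                      if any(h == d or h.endswith("." + d) for d in EXCHANGE_DOMAINS))
    exfil = sorted(h for h in perm_hosts if h in EXFIL_HOSTS)
    findings = []
    if exchange:
        findings.append("content script / host access on exchange domain: " + ", ".join(exchange))
    if exfil:
        findings.append("host permission for known exfil channel: " + ", ".join(exfil))
    if exchange and (exfil or "<all_urls>" in perms or "*://*/*" in perms):
        findings.append("HIGH: exchange-page injection plus broad or exfil network reach")
    return findings

def scan_extensions_dir(root: str) -> dict:
    """Walk a Chrome profile's Extensions folder and audit every manifest.json in it."""
    results = {}
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            path = os.path.join(dirpath, "manifest.json")
            try:
                with open(path, encoding="utf-8") as fh:
                    findings = audit_manifest(json.load(fh))
            except (OSError, ValueError): continue
            if findings: results[path] = findings
    return results

# Constructed sample manifest mirroring the indicators described above (not the real one).
SUSPICIOUS = {"manifest_version": 3, "permissions": ["tabs", "storage"],
              "host_permissions": ["https://*.mexc.com/*", "https://api.telegram.org/*"],
              "content_scripts": [{"matches": ["https://*.mexc.com/*"], "js": ["inject.js"]}]}
```

Point scan_extensions_dir at a profile's Extensions directory; any finding is a prompt to review that extension and to rotate API keys created while it was installed, since removal alone does not revoke them.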

Attribution remains unclear, but the developer name used for the extension appears to match an account on X that promotes a Telegram bot called SwapSushiBot. The same bot has also been advertised on TikTok and YouTube, with the associated YouTube channel created in August 2025.

Socket warned that this technique could easily be reused against other platforms. Any web-based service that generates long-lived API keys inside authenticated sessions could be targeted using similar malicious browser extensions. Future versions of this threat may include stronger obfuscation, broader browser permissions, and support for multiple financial platforms within a single extension.
