Crypto Scam 'ShieldGuard' Dismantled After Malware Discovery
🚨 Crypto Scam ‘ShieldGuard’ Dismantled After Malware Discovery
A cryptocurrency scam known as ‘ShieldGuard’ has been dismantled after researchers identified it as a malicious browser extension designed to harvest sensitive user data. The operation, uncovered by Okta Threat Intelligence, initially presented itself as a security tool aimed at protecting crypto wallets from phishing and harmful smart contracts.
🛡️ How It Worked
ShieldGuard combined social media promotion, a browser extension listing, and a token ‘airdrop’ incentive model to attract users. Participants were encouraged to download the extension and promote it in exchange for future cryptocurrency rewards. The project claimed its software could detect suspicious transactions before users approved them. However, analysis revealed a very different purpose.
🔍 Key Findings
Okta found that the extension was built to extract valuable information from users interacting with major crypto platforms, including Binance, Coinbase, and MetaMask. It also targeted general browsing activity and Google services. Key capabilities included:
- Harvesting wallet addresses across all visited websites
- Capturing full HTML content from crypto platforms after login
- Tracking users persistently across sessions
- Executing remote code via a command-and-control (C2) server
The malware used obfuscation and a custom JavaScript interpreter to bypass Chrome security restrictions, allowing attackers to deliver and execute code dynamically without triggering standard protections. Further investigation showed that the infrastructure enabled attackers to collect account balances, transaction histories, and portfolio data. In some cases, users could be redirected to fake warning pages controlled by the attackers.
🌐 Broader Threat Network
Evidence suggested that the operators may be Russian-speaking, based on language indicators in the code. Researchers also identified links to another campaign known as ‘Radex,’ indicating a broader threat network.
🛠️ Disruption Efforts
Okta worked with industry partners to disrupt the operation by removing the extension from the Chrome Web Store, taking down associated domains, disabling backend infrastructure, and blocking user sign-in functionality. These actions effectively severed communication between infected browsers and the attackers’ servers.
⚠️ User Advisory
Users are advised to limit plugin use, verify sources, and treat offers of free tokens with caution.