Clipboard-Stealing Browser Extensions Can Swap Wallet Addresses
Two fresh reports show why browser extensions deserve the same suspicion as unknown desktop apps. McAfee Labs described a campaign it calls Silent Swap, where a fake “Google Notes” browser extension watches copied cryptocurrency wallet addresses and replaces them before the user pastes. Socket separately reported Chrome and Firefox extensions promoted as free VPN tools that added clipboard-stealing logic through later updates.
The common user-facing risk is simple: a browser add-on can sit close enough to web pages, forms, copied text, and wallet workflows to change what a user sends. That makes clipboard access a practical cleanup clue, not just a developer detail.
What McAfee Found
McAfee’s June 30, 2026 report says Silent Swap is distributed through a ZIP file named Google Chrome Update.zip. The package contains a fake extension folder called Google Notes and tries to convince the user to load it manually through Chrome’s developer-mode extension screen.
Once installed, the extension monitors clipboard activity. If it sees a cryptocurrency wallet address, it replaces that value with an attacker-controlled address. McAfee said the swapped-wallet list covered Bitcoin, Ethereum, XRP, Litecoin, Solana, Tron, Dogecoin, Dash, Cardano, and TON formats.
McAfee also listed indicators that are useful for checks, including devops-offensive[.]cc, freevpn-update[.]com, zebregts[.]com, and detections such as JTI/Suspect.1313283 and CryptoStealer.NE. Treat those as investigation clues, not a complete blocklist, because operators can rotate domains and file names.
What Socket Found
Socket’s June 29, 2026 report focused on extensions named VPN Go: Free VPN for Chrome and Firefox. Socket said the Chrome extension had about 100,000 users and the Firefox add-on had about 2,300 users before malicious behavior was added through version updates.
The Chrome version was reported to exfiltrate clipboard data and inject JavaScript into all sites. The Firefox version was reported to target cryptocurrency wallet addresses, mnemonic phrases, and private keys, and to transmit collected data to attacker-controlled infrastructure.
That update pattern is important. A browser extension can look harmless when first installed and become risky later if the publisher account, codebase, or update channel is abused. This is why extension cleanup should include old “free VPN,” notes, tab, search, coupon, and utility add-ons that users no longer actively trust.
Why Clipboard Abuse Is Easy to Miss
A wallet-address swap does not need to show pop-ups, change the homepage, or slow the browser down. The user copies one address, sees another address in the final payment form, and may not notice if only the first and last characters are checked casually.
That makes this different from noisy adware, but the cleanup habit is similar to the one used for unwanted extensions and browser hijackers. Review the extension list, remove add-ons you do not recognize, reset affected browser settings, and scan the device if a sideloaded extension or fake update package was involved.
If the browser also changed search settings, compare it with the recent SearchJack Chrome extension hijacking report. If the extension came from a fake browser update, deceptive download, or bundled installer, the broader Potentially Unwanted Programs guide and adware basics page explain the surrounding cleanup steps.
What to Check Now
Open the extensions page in each browser you use. In Chrome and Chromium-based browsers, check chrome://extensions/; in Firefox, check about:addons. Remove unknown or unused extensions, especially anything claiming to be a free VPN, notes tool, crypto helper, wallet assistant, download helper, search enhancer, or browser update component.
If you handle cryptocurrency, copy a wallet address into a plain text editor before sending funds and compare the full address with the intended destination. Do not rely only on the first and last few characters if an extension or fake update was recently installed.
Also check whether Chrome developer mode is enabled and whether any extension is loaded from a local folder. A normal Chrome Web Store install does not require extracting a ZIP file and clicking “Load unpacked.” If a guide asked you to do that for a browser update, treat it as suspicious.
Quick Check
If an extension can read or change data on every site, inject scripts, or was manually loaded from a ZIP, it should have a clear reason to exist. If you cannot explain why it needs that access, remove it, restart the browser, and verify wallet addresses before making any transaction.
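One way to apply the Quick Check above to an extension's manifest.json, as an added example that is not code from McAfee, Socket, or this article. It flags clipboard permissions, all-sites host access, and script injection in both Manifest V2 and V3 files; the sample manifests are constructed for illustration and the name audit_manifest is hypothetical.

```python
import json

# Match patterns that cover every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CLIPBOARD = {"clipboardRead", "clipboardWrite"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 or MV3)."""
    granted = set()
    for key in PERMISSION_KEYS:
        # MV2 mixes host patterns into "permissions"; MV3 splits them out.
        granted.update(p for p in manifest.get(key, []) if isinstance(p, str))
    findings = []
    clip = sorted(granted & CLIPBOARD)
    if clip:
        findings.append("clipboard permission: " + ", ".join(clip))
    if granted & ALL_SITES:
        findings.append("host access to all sites")
    if "scripting" in granted:
        findings.append("can inject scripts at runtime")
    for script in manifest.get("content_scripts", []):
        # A content script runs inside the page, so all-sites injection is
        # flagged even when no clipboard permission is requested.
        if set(script.get("matches", [])) & ALL_SITES:
            files = ", ".join(script.get("js", [])) or "(no js listed)"
            findings.append("content script on all sites: " + files)
    return findings

# Constructed sample manifests, not taken from either report.
SAMPLE_BROAD = json.loads("""{
  "manifest_version": 3, "name": "Sample Notes", "version": "1.0",
  "permissions": ["storage", "clipboardRead", "clipboardWrite", "scripting"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]
}""")
SAMPLE_NARROW = json.loads("""{
  "manifest_version": 3, "name": "Sample Reader", "version": "2.1",
  "permissions": ["activeTab", "storage"]
}""")

if __name__ == "__main__":
    for m in (SAMPLE_BROAD, SAMPLE_NARROW):
        print(m["name"], "->", audit_manifest(m) or "nothing flagged")
```

To check an installed extension, load its manifest.json with json.load and pass the result to audit_manifest. A flagged extension is not necessarily malicious; the findings are the access the Quick Check says should have a clear reason.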



