The **steals crypto** attack is back, this time targeting Google Chrome users through a compromised extension called QuickLens. QuickLens, initially a legitimate tool for Google Lens searches, was hijacked to inject malware and attempt to steal cryptocurrency from thousands of unsuspecting users. This incident highlights the growing threat of malicious browser extensions and the importance of vigilance when installing and using them.
The extension, once boasting around 7,000 users and a Google featured badge, was compromised on February 17, 2026, with the release of version 5.8. This update contained malicious scripts designed to execute ClickFix attacks and steal sensitive information.
Malicious Intent Behind the QuickLens Extension
Security researchers at Annex were the first to raise the alarm, reporting that the extension’s ownership had changed hands after being listed for sale on ExtensionHub. The new owner, operating under “LLC Quick Lens,” introduced a new privacy policy hosted on a questionable domain. Shortly after, the malicious update was unleashed.
Version 5.8 requested additional browser permissions, including declarativeNetRequestWithHostAccess and webRequest, raising red flags. It also included a rules.json file that stripped crucial browser security headers like Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection, weakening website defenses against malicious scripts.
Furthermore, the extension established communication with a command-and-control (C2) server at api.extensionanalyticspro[.]top. It collected user data such as a persistent UUID, country of origin, browser type, and operating system, and then contacted the C2 server every five minutes for instructions. BleepingComputer’s analysis revealed that the extension received and executed malicious JavaScript scripts on every page load, bypassing security measures due to the stripped CSP headers.
ClickFix Attacks and Cryptocurrency Theft
The first malicious payload displayed fake Google Update prompts, leading to a ClickFix attack. Users were tricked into running code on their computers, resulting in the download of a malicious executable named “googleupdate.exe.” This executable then launched a hidden PowerShell command to connect to a remote server and execute further malicious code.
Another JavaScript agent was designed to **steals crypto** wallets and credentials. The extension targeted popular cryptocurrency wallets like MetaMask, Phantom, Coinbase Wallet, Trust Wallet, and others. It attempted to steal activity, seed phrases, and other sensitive information to hijack wallets and steal digital assets. Additionally, the extension captured login credentials, payment information, and other sensitive form data.
This sophisticated attack demonstrates the evolving tactics of cybercriminals targeting cryptocurrency users.
Additional payloads were used to scrape Gmail inbox contents, extract Facebook Business Manager advertising account data, and collect YouTube channel information. There were also claims that macOS users were targeted with the AMOS (Atomic Stealer) infostealer, but this has not been independently verified. related Fraudulents news
Protecting Yourself from Malicious Extensions
Google has since removed QuickLens from the Chrome Web Store and is automatically disabling it for affected users. However, users who installed the extension should take immediate action to protect their data. Ensure the extension is fully removed, scan your device for malware, and reset passwords for any credentials stored in the browser. If you use any of the mentioned cryptocurrency wallets, transfer your funds to a new wallet immediately.
This incident is a stark reminder of the risks associated with browser extensions and the importance of exercising caution when installing them. Always verify the legitimacy of an extension before installing it, and be wary of extensions that request excessive permissions.
The **steals crypto** attack via the QuickLens Chrome extension serves as a critical warning to all internet users. Vigilance and proactive security measures are essential to protect your valuable digital assets in an increasingly dangerous online environment.




