McAfee Exposes 'Silent Swap' Malware Stealing BTC, ETH, and XRP via Fake Chrome Extension
McAfee researchers have uncovered 'Silent Swap,' an advanced malware campaign that hijacks clipboard data in Chromium browsers via a fake 'Google Notes' extension to steal BTC, ETH, XRP, and other cryptocurrencies. The campaign uses server-side wallet swapping and 'EtherHiding' C2 infrastructure to evade detection.

McAfee Advanced Threat Research has identified a sophisticated cryptocurrency-stealing malware campaign called 'Silent Swap,' which forcibly injects a counterfeit 'Google Notes' browser extension into Chromium-based browsers to hijack clipboard data and redirect crypto transactions to attacker-controlled wallets.
The campaign targets a broad range of digital assets, including Bitcoin (BTC), Ethereum (ETH), XRP, Bitcoin Cash, Dash, and other cryptocurrencies. Unlike basic clipboard-hijacking tools known as 'crypto clippers,' Silent Swap employs advanced browser manipulation techniques, a decentralized command-and-control (C2) infrastructure, and server-side wallet substitution logic that sets it apart from more primitive threats.
Infections typically originate when a victim downloads an unsigned .NET or Golang installer, commonly distributed as a free or cracked version of legitimate software. Once executed, the installer deploys a malicious extension disguised as a harmless 'Google Notes' application. The extension then forcibly sideloads itself into Chromium-based browsers — including Google Chrome, Microsoft Edge, Brave, and Opera — by tampering directly with the browser's internal configuration files.
To evade standard browser security checks, Silent Swap recalculates and overwrites security verification values after injecting its code, effectively bypassing the browser's built-in integrity defenses. The 'Google Notes' extension, once installed, grants itself broad invasive permissions over the browser environment.
The wallet-swapping mechanism relies on server-side logic rather than hardcoded replacement addresses. When the extension detects a copied wallet address matching regex patterns for BTC, ETH, XRP, Bitcoin Cash, or Dash, it queries the attacker's remote backend server to retrieve a replacement address in real time. This approach makes static detection significantly more difficult.
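The defensive counterpart to the mechanism described above is to verify that a wallet address survives the copy-to-paste round trip and to alert when the asset class is preserved but the string is not, which is exactly the fingerprint a clipper leaves. The following is an added example written for this article, not McAfee's code and not anything recovered from the campaign; the address regexes are common public formats (an assumption, not the extension's own patterns), and the copied/pasted event pairs are constructed, standing in for whatever clipboard audit log an endpoint agent might provide.

```python
import re

# Address shapes used only to classify what the user copied. These are common
# public formats, not patterns taken from the Silent Swap extension (assumption).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "BCH": re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$"),
    "DASH": re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_address(text):
    """Return the asset whose address format `text` matches, or None."""
    candidate = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return asset
    return None


def check_paste(copied, pasted):
    """Compare what the user copied with what actually arrived at the paste target.
    A clipper keeps the asset class but changes the address, so 'same class,
    different string' is the verdict that matters ('swapped')."""
    asset = classify_address(copied)
    if asset is None:
        return {"verdict": "not_an_address", "asset": None}
    if copied.strip() == pasted.strip():
        return {"verdict": "ok", "asset": asset}
    if classify_address(pasted) == asset:
        return {"verdict": "swapped", "asset": asset}
    return {"verdict": "altered", "asset": asset}


def scan_events(events):
    """events: iterable of (copied, pasted) pairs, e.g. from an endpoint clipboard
    audit log (assumed data source). Returns only the suspicious pairs."""
    alerts = []
    for copied, pasted in events:
        result = check_paste(copied, pasted)
        if result["verdict"] in ("swapped", "altered"):
            alerts.append({"copied": copied, "pasted": pasted, **result})
    return alerts


# Constructed sample events (synthetic addresses, not real wallets).
SAMPLE_EVENTS = [
    ("0x" + "a" * 40, "0x" + "a" * 40),   # unchanged ETH address
    ("0x" + "a" * 40, "0x" + "b" * 40),   # ETH address replaced in transit
    ("r" + "A" * 30, "r" + "B" * 30),     # XRP address replaced in transit
    ("1" + "A" * 30, "1" + "A" * 30),     # unchanged BTC legacy address
    ("meeting notes for tuesday", "meeting notes for tuesday"),  # not an address
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['asset']} {alert['verdict']}: copied {alert['copied'][:12]}... "
              f"pasted {alert['pasted'][:12]}...")
```

Because the replacement address is fetched from a backend at paste time rather than hardcoded, a static list of bad addresses will not catch this; the check above deliberately keys on the copy/paste discrepancy itself, which is observable regardless of which address the server hands back.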
The malware's C2 infrastructure also avoids hardcoded domains. Instead, operators use a technique known as 'EtherHiding,' which leverages blockchain data to obscure and dynamically serve command-and-control instructions, further complicating takedown efforts by security teams and researchers.
Silent Swap has been observed across a globally distributed victim base, with India recording a particularly high concentration of infections. The campaign's combination of social-engineering delivery, browser-level persistence, and decentralized infrastructure represents one of the more technically advanced crypto-theft operations documented to date by McAfee researchers.
Users are advised to download software exclusively from verified official sources, avoid cracked or unofficial installers, and regularly audit browser extensions for unrecognized or suspicious entries. Security teams recommend disabling developer mode in browsers where unnecessary, as sideloaded extensions typically require it to function.
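The sideloading described earlier (the installer writing the extension into the browser's own configuration files and recomputing the verification values) and the advice above to audit extensions both point at the same artifact: the `extensions.settings` map in a Chromium profile's Preferences / Secure Preferences JSON. The following is an added example written for this article, not McAfee's tooling and not part of the campaign. It assumes the field names shown in the constructed sample (`from_webstore`, `location`, `path`, `manifest.permissions`, `manifest.host_permissions`) and the `location` numbering from Chromium's Manifest::Location enum; the sample document is synthetic, not a real victim profile.

```python
import json
from pathlib import Path, PureWindowsPath, PurePosixPath

# Chromium Manifest::Location values (assumption: taken from Chromium source;
# used only to make findings readable).
LOCATION_NAMES = {1: "internal", 2: "external_pref", 3: "external_registry",
                  4: "unpacked", 5: "component", 6: "external_pref_download",
                  7: "external_policy_download", 8: "command_line",
                  9: "external_policy", 10: "external_component"}
SIDELOAD_LOCATIONS = {2, 3, 4, 8}

# Permissions that let an extension read or rewrite what the user copies and
# pastes, run code in pages, or reach every site. Any of these on an
# unrecognized extension deserves a look.
SENSITIVE_PERMISSIONS = {"clipboardRead", "clipboardWrite", "<all_urls>",
                         "scripting", "tabs"}

# Constructed sample mimicking the shape of Chromium's Preferences file.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "a" * 32: {
                "from_webstore": True, "location": 1, "state": 1,
                "path": "a" * 32 + "\\1.0_0",
                "manifest": {"name": "Constructed benign extension",
                             "permissions": ["storage"]},
            },
            "b" * 32: {
                "from_webstore": False, "location": 4, "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\gnotes",
                "manifest": {"name": "Google Notes",
                             "permissions": ["clipboardRead", "clipboardWrite", "scripting"],
                             "host_permissions": ["<all_urls>"]},
            },
        }
    }
})


def audit_extension_settings(prefs_text):
    """Parse a Preferences / Secure Preferences JSON document and return one
    finding per extension that looks sideloaded or over-privileged."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not_from_webstore")
        loc = entry.get("location")
        if loc in SIDELOAD_LOCATIONS:
            reasons.append(f"location={LOCATION_NAMES.get(loc, loc)}")
        path = entry.get("path", "")
        # Web Store installs are stored relative to the profile's Extensions
        # directory; an absolute path means the code lives somewhere else.
        if PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute():
            reasons.append("absolute_install_path")
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        risky = sorted(perms & SENSITIVE_PERMISSIONS)
        if risky:
            reasons.append("sensitive_permissions=" + ",".join(risky))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "reasons": reasons})
    return findings


def audit_profile(profile_dir):
    """Run the audit over both preference files of a real Chromium profile
    directory (hypothetical usage; the directory path is supplied by the caller)."""
    findings = []
    for name in ("Preferences", "Secure Preferences"):
        f = Path(profile_dir) / name
        if f.is_file():
            findings.extend(audit_extension_settings(f.read_text(encoding="utf-8")))
    return findings


if __name__ == "__main__":
    for finding in audit_extension_settings(SAMPLE_PREFERENCES):
        print(finding["id"], finding["name"], "->", "; ".join(finding["reasons"]))
```

The audit reads the content of the entries rather than trusting the file's own integrity values: as the article notes, Silent Swap recomputes those after injecting its entry, so a Secure Preferences file whose MACs validate is not evidence that nothing was sideloaded. Run it against each profile directory of every Chromium-based browser on the host, since the campaign targets Chrome, Edge, Brave and Opera alike.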
