XOOMAR
Malicious browser extension intercepting crypto wallet data on a dark cybersecurity-themed laptop scene
CybersecurityJuly 10, 2026· 8 min read· By XOOMAR Insights Team

Silent Swap Hijacks Google Notes Extension for Crypto Theft

Share
Updated on July 10, 2026

Silent Swap shows that crypto theft doesn't need a smart contract exploit when a malicious Google Notes extension can hijack the payment address before the user hits send. The attack lives in a boring place: the clipboard.

XOOMAR Intelligence

Analyst Take

73/ 100
High
4 sources analyzedMedium confidenceTrend10Freshness100Source Trust85Factual Grounding88Signal Cluster40

The malicious Silent Swap Google Notes extension was flagged by McAfee and covered by TechRadar Pro. It masquerades as a simple note-taking tool for Chromium-based browsers, while quietly watching for copied crypto wallet addresses and replacing them with attacker-controlled strings.

That makes this less a story about blockchain weakness than browser trust abuse. Crypto users often focus on wallets, exchanges, and seed phrases. Silent Swap attacks the handoff between them.

A fake Google Notes extension turns the browser into the crypto attack surface

Silent Swap is malicious because it behaves normally enough to avoid immediate suspicion. According to the source material, the fake Google Notes extension opens a small note window, lets users type and save notes, supports color-coding, and allows searching through saved notes. That visible utility is cover.

The real payload runs out of sight. McAfee says the extension’s malicious logic sits in background service-worker scripts and content scripts. The victim sees a basic productivity add-on. The browser sees code with access that a note app should not need.

“McAfee Advanced Threat Research has identified an active browser-extension campaign designed to steal cryptocurrency by silently substituting wallet addresses the moment a user initiates a transaction.”

That quote, from McAfee Labs, is the core of the case. The attacker does not need the victim’s seed phrase. They only need one copied destination address, one rushed paste, and one irreversible transfer.

This matters beyond one extension. As legitimate crypto payments keep moving into mainstream fintech infrastructure, as seen in XOOMAR’s coverage of Nium’s Cypher acquisition and crypto payments push, the browser becomes part of the payment path. Silent Swap shows how weak that path can be when an extension gets the wrong permissions.


Silent Swap swaps wallet strings in the one place users trust too much

The attack chain is brutally simple. A user installs the malicious notes extension, likely after encountering it through phishing, social engineering, shady forums, or dubious websites. The extension appears to work. Then the user copies a crypto wallet address.

Silent Swap monitors the clipboard for strings that look like wallet addresses. TechRadar’s source material describes those as seemingly random strings of 26 to 42 alphanumeric characters. When the extension spots one, it replaces the copied address with an attacker-controlled address.

The victim then pastes what looks like a valid wallet string into a wallet or exchange withdrawal field. If they do not compare the destination carefully, they send funds to the attacker.

The trick works because wallet addresses are not human-readable. Most users cannot memorize them. Many users check only the first and last few characters. TechRadar notes that researchers advise against relying on that habit, because attackers can craft lookalike addresses that differ only in a few characters.

The strongest counterpoint is that users can stop this manually. They can compare the full destination string before confirming. That is true. The problem is that Silent Swap attacks a workflow built around copy and paste, where speed and fatigue favor the attacker.

The hard numbers are small, which is exactly why the theft works

The most important number in the available reporting is not a stolen total. It is the address length: 26 to 42 alphanumeric characters. That range is long enough to push users toward copying, but short enough for attackers to pattern-match in real time.

McAfee’s deeper findings add more concrete indicators:

Indicator Reported detail
Malware name Silent Swap
Disguise Google Notes extension
Browser family Chromium-based browsers, including Google Chrome, Brave, and Microsoft Edge
Installer types Unsigned installers observed in .NET and Golang variants
Technique Clipboard-aware crypto clipper
C2 method Blockchain-resolved command-and-control
Observed C2 Zebregts[.]com
Geographic footprint Globally distributed, with a pronounced concentration in India

The attacker’s economics are ugly. Traditional phishing often needs a victim to enter a password, approve a prompt, or reveal a seed phrase. A clipboard jacker needs less. It waits until the user is already making a legitimate transfer, then changes the destination.

Once the transaction is sent, TechRadar’s source material says the funds are almost certainly irretrievably gone. The narrow exception is if the funds are being sent from a centralized exchange such as Coinbase, and the victim spots the attack quickly enough to ask support to freeze the transaction. In other cases described by the source, once the money is sent, it’s gone.

That irreversibility is the financial engine of the scam.

McAfee’s technical findings point to forced extension loading, not a simple store problem

This case should not be reduced to “Chrome Web Store missed another bad extension.” McAfee’s reporting says the campaign is delivered through unsigned installers that deploy the malicious extension. It also describes Chromium trust-layer abuse, where the installer tampers with protected browser settings files and recalculates verification values so the browser treats the extension as legitimate.

That detail matters. The browser is not just hosting a bad add-on. In McAfee’s account, the installer tries to bend the browser’s own integrity checks around the attack.

There is a limit, though. McAfee says updated Chrome and Edge versions require the victim to manually turn on developer mode for the extension to load properly. Outdated Chromium-based browsers remain at high risk, and attackers can still use social engineering to push users into enabling developer mode.

The campaign also uses a technique McAfee refers to as EtherHiding. In plain terms, the extension does not hardcode its command-and-control domain. It queries a public blockchain RPC endpoint, calls a read-only smart contract method, and decodes the response to find the active C2. McAfee observed that C2 as Zebregts[.]com at the time of analysis.

That makes takedown harder. The attacker can rotate infrastructure by changing a smart contract value instead of shipping new malware.

Crypto users should treat browser extensions like financial software now

The practical lesson is sharp: if a browser profile touches crypto, its extensions should be treated like financial software, not decoration.

McAfee flagged three permission red flags for the fake Google Notes extension:

  • All-URL access: It can inject content scripts into every site the user visits.
  • Browsing history access: It can inspect where the user has been.
  • Clipboard read and write access: It can see and change copied content.

A note-taking tool does not need that combination.

Users should review installed extensions and remove anything they do not clearly remember installing. They should avoid unsigned executables from non-authoritative sources, especially anything marketed through shady forums or cracked-software channels. They should keep endpoint protection enabled and current.

For crypto transfers, the safest habit is slower and more annoying: cross-check the destination address before sending. McAfee recommends visually verifying the first and last six characters against the original source, ideally on a separate device. TechRadar’s source material adds the stronger caution: checking only the first and last few characters may not be enough if attackers craft close lookalikes.

Teams holding crypto should draw the same conclusion at policy level. Managed browsers, extension allowlists, blocked sideloading, and scrutiny of developer mode are financial controls when company funds can move through a browser. This is the same broader pressure point XOOMAR has tracked in legitimate Google product workflows, from Google’s AI product discovery tools to Google Photos video remix features: browser and app utilities increasingly sit inside daily decision paths. Attackers know that.

The next malicious Chrome extension campaign may aim even earlier in the transfer flow

Silent Swap’s thesis is simple: wait until the victim has already decided to pay, then corrupt the destination. The next scenario to watch is whether similar campaigns move earlier in the flow, before the clipboard stage, through fake wallet pop-ups, altered QR codes, or interference between browser extensions.

That is analysis, not a claim from the source. The evidence that would support it would be new reporting showing malicious extensions manipulating transaction previews, wallet prompts, or address displays before copy and paste occurs. Evidence that would weaken the thesis would be browser-level controls that reliably block unsigned extension loading, detect clipboard tampering, and warn users when a note app asks for clipboard write access.

For now, the evidence is enough to change behavior. Silent Swap turns a fake Google Notes extension into a crypto theft tool by attacking the smallest checkpoint in the payment process. The browser is now part of the crypto payment stack. Treating it as anything less gives attackers the cheapest route to the money.

Key Takeaways

  • Silent Swap shows that crypto theft can happen through clipboard manipulation rather than blockchain or wallet exploits.
  • Malicious browser extensions can hide behind useful features while abusing permissions in the background.
  • Crypto users should verify pasted wallet addresses before sending funds, especially when using browser add-ons.
XOOMAR

Written by

XOOMAR Insights Team

Research and Editorial Desk

The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.

Related Articles

Anonymous hacker in custody before glowing cybersecurity shields, locks, and code matrixCybersecurity

Accused Scattered Spider Teen Dragged to US in $100M Case

A 19-year-old accused Scattered Spider member is in U.S. custody over a case tied to 100-plus intrusions and $100M in ransoms.

Jul 3, 20266 min
Generic browser security update with shields, locks, and repaired digital vulnerabilitiesCybersecurity

18 Severe Flaws Push Chrome 149 Update Into a Must-Do

Chrome 149 fixes 18 severe vulnerabilities, including four critical bugs. No active exploits are flagged, but the patch shouldn't wait.

Jun 28, 20265 min
Smartphone order history targeted by phishing scam, protected by digital shield in dark cybersecurity sceneCybersecurity

Fake Receipts Hijack Shop App in Callback Phishing Trap

Scammers are planting fake receipts inside Shop, turning trusted order histories into phone scam bait.

Jun 26, 20267 min
Dark cybersecurity scene showing a Mac-like laptop, fake prompt, mounted disk, locks, and stolen data streams.Cybersecurity

Fake CAPTCHA Turns macOS ClickFix Attack Into Mac Heist

A fake CAPTCHA pushes Mac users into Terminal, launching AMOS to steal browser, wallet, Keychain and app data.

Jun 23, 20267 min
USB malware infecting a laptop and targeting crypto wallet data in a dark cybersecurity sceneCybersecurity

USB Crypto Malware Weaponizes Windows Shortcut Files

A USB worm turns Windows shortcuts into crypto theft traps, swapping wallet addresses and hunting seed phrases before funds move.

Jun 20, 20268 min
AI product finder dashboard linking expert-tested tech devices in a sleek futuristic workspaceTechnology

60-Day Prices Hand Product Finder a Google AI Edge

Tom's Guide wants to turn expert-tested reviews, live deals and 60-day price histories into a smarter shopping shortcut.

Jul 10, 20266 min
Frustrated mapping professionals view generic digital Earth screens in a futuristic tech workspace.Technology

2027 Cutoff Jolts Google Earth Pro Desktop Power Users

Google will end new Google Earth Pro desktop downloads in 2027, angering pros who built workflows around the free mapping tool.

Jul 10, 20268 min
Underused enterprise GPU servers in a futuristic AI data center under executive scrutinyTechnology

Half-Empty GPU Utilization Rattles Wall Street's AI Bet

86% of enterprises say their GPUs run at half capacity or less, putting AI capex plans under a harsher spotlight.

Jul 10, 20269 min
Dramatic grass-court tennis match with global map overlay symbolizing a major Wimbledon upset.Global Trends

Sinner Crushes Djokovic's 25th Slam Bid at Wimbledon

Sinner erased Djokovic's 25th Slam chase in straight sets and booked a Wimbledon final with Zverev.

Jul 10, 20265 min
AI agents analyzing market charts on a futuristic trading floor under human oversightTrading

JPMorgan AI Agents Humble 60/40 in Portfolio Simulations

All eight JPMorgan AI agents beat 60/40 and a rules-based model in simulations. The bank still won't hand them the portfolio.

Jul 10, 20268 min

Don't miss the signal

Get our weekly roundup of the stories that matter across tech, fintech, and trading. No noise, just signal.

Free forever. No spam. Unsubscribe anytime.