Another Malicious Crypto Wallet App Stealing Private Keys and Data

Harry Denley, director of security at MyCrypto, “an open-source…tool for generating ether wallets,” has warned the public about a malicious crypto wallet app called “Shitcoin Wallet,” which, according to Zero Day, “was caught injecting JavaScript code on web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals.”

Shitcoin Wallet reportedly became available for download at the Google Chrome web store on December 9th. At press time, the Shitcoin Wallet is no longer available at its Google Chrome address.

Denley says any funds run through the Shitcoin Wallet extension could be lost. The application also installs malicious JavaScript code designed to steal login details and private keys when people interface with 77 websites, including several popular cryptocurrency exchanges and storage applications.

Affected legitimate applications allegedly included:

  •, Idex.Market,,, and

According to Zero Day, “Once activated, the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and, finally, sends the data to erc20wallet[.]tk.”

As well, “It is unclear if the Shitcoin Wallet team is responsible for the malicious code, or if the Chrome extension was compromised by a third-party. A spokesperson for the Shitcoin Wallet team did not reply to a request for comment before this article’s publication.”

Shitcoin Wallet is one of many cryptocurrency-stealing “wallet apps” in circulation.

Several wallet scams are profiled in Harry Denley’s end-of-year crypto security blog post, including, “The CCB Cash extension…designed to steal your login credentials… (which) stole over 12 BTC.”

Denley also wrote about scams stemming from cryptocurrency airdrops, whereby exchanges or token projects give away free crypto tokens for promotion.”Unsolicited airdrops can be useful(?),” Denley writes, “but be vigilant to inform yourself as to what they are advertising. This story investigates a big airdrop campaign that ties into a fake MyEtherWallet UI to steal your wallet secrets!”

Denley also wrote about Android APK’s (Android Package Kits) impersonating the Trezor hardware wallet, MetaMask and My Crypto Android and, “designed to steal your wallet secrets (private keys, mnemonics, etc.)…”

Reactions to the news about Shitcoin Wallet have been varied, with Ted Ahern musing on Twitter: “If you can’t trust Shitcoin Wallet, who can you trust?”

Sponsored Links by DQ Promote



Send this to a friend