Shitcoin Wallet reportedly became available for download at the Google Chrome web store on December 9th. At press time, the Shitcoin Wallet is no longer available at its Google Chrome address.
Affected legitimate applications allegedly included:
- MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange.
According to Zero Day, “Once activated, the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and, finally, sends the data to erc20wallet[.]tk.”
As well, “It is unclear if the Shitcoin Wallet team is responsible for the malicious code, or if the Chrome extension was compromised by a third-party. A spokesperson for the Shitcoin Wallet team did not reply to a request for comment before this article’s publication.”
Shitcoin Wallet is one of many cryptocurrency-stealing “wallet apps” in circulation.
Several wallet scams are profiled in Harry Denley’s end-of-year crypto security blog post, including, “The CCB Cash extension…designed to steal your login credentials… (which) stole over 12 BTC.”
Denley also wrote about scams stemming from cryptocurrency airdrops, whereby exchanges or token projects give away free crypto tokens for promotion.”Unsolicited airdrops can be useful(?),” Denley writes, “but be vigilant to inform yourself as to what they are advertising. This story investigates a big airdrop campaign that ties into a fake MyEtherWallet UI to steal your wallet secrets!”
Denley also wrote about Android APK’s (Android Package Kits) impersonating the Trezor hardware wallet, MetaMask and My Crypto Android and, “designed to steal your wallet secrets (private keys, mnemonics, etc.)…”
Reactions to the news about Shitcoin Wallet have been varied, with Ted Ahern musing on Twitter: “If you can’t trust Shitcoin Wallet, who can you trust?”