Malicious Google Notes Extension Swaps Crypto Wallet Addresses

Malicious Google Notes Extension Swaps Crypto Wallet Addresses

First seen 2 Jul 2026, 01:33 UTC GbhackersFeeds.Feedburner 87% similarity 67.5
Share:

Article Content

Browse articles
ThreatCluster

A malicious browser extension named 'Google Notes' targets cryptocurrency users by swapping wallet addresses during transactions. This clipper malware is delivered through unsigned installers on Chromium-based browsers, making detection difficult. The extension masquerades as a note-taking tool while monitoring and altering copied wallet addresses. It operates by requesting extensive permissions, including access to all websites and the clipboard, which are atypical for such applications. McAfee researchers identified the extension, which has a global impact, particularly in India, where a higher concentration of affected users has been noted. The malware retrieves command server domains from public blockchain smart contracts, complicating detection efforts. Users are advised to verify wallet addresses, install extensions only from official sources, and maintain device protection.

Key Points: • The 'Google Notes' extension swaps cryptocurrency wallet addresses during transactions. • It is delivered via unsigned installers and operates on Chromium-based browsers. • Users are advised to verify wallet addresses and only install extensions from official sources.

ThreatCluster AI

Timeline

2026-07-01
Malicious extension identified
'Google Notes' extension identified by McAfee researchers as a clipper malware targeting crypto users.
Feeds.Feedburner
2026-07-01
Global spread reported
McAfee telemetry indicates a global spread of the malware, with a higher concentration in India.
Gbhackers

Community

Browse all →