MEXC API Key Exfiltration via Chrome Extension

EXECUTIVE SUMMARY

A malicious Chrome extension secretly creates MEXC API keys with withdrawal access and exfiltrates them via Telegram. Stolen keys enable persistent account takeover until revoked, even after the extension is removed.

  • Active Region: Global
  • Affected Sector: Cryptocurrency, Financial Services
  • Affected Product: MEXC
  • Severity: Critical
  • Published Date: January 12, 2026

TECHNICAL DETAILS

  • Target: MEXC user accounts accessed via Google Chrome browsers with the malicious extension installed. This includes any account that navigates to the API management interface while the extension is active and the session is authenticated.
  • Root Cause: Abuse of trusted browser extension privileges to inject scripts into an authenticated MEXC web session. Insufficient detection and restriction of malicious behavior in Chrome Web Store extensions. Client-side UI manipulation allows high-risk API permissions to be concealed from the user during key creation.
  • Prerequisite for Exploitation: The user must install the malicious Chrome……
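
The root cause above depends on an extension being allowed to run script inside the MEXC web session. The following is an added example, not part of the original report or of any vendor tooling: a defender-side audit that flags extension manifests able to inject into a given host. The host www.mexc.com and all sample manifests are assumptions constructed for illustration.

```python
# Added example: audit Chrome extension manifests for script access to one host.
TARGET_HOST = "www.mexc.com"  # assumption: host of the exchange's web UI

def pattern_covers_host(pattern, host, scheme="https"):
    """True if a Chrome match pattern can apply to scheme://host (path ignored, so conservative)."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:          # plain API permission such as "storage"
        return False
    p_scheme, rest = pattern.split("://", 1)
    if p_scheme not in ("*", scheme):
        return False
    p_host = rest.split("/", 1)[0]
    if p_host == "*":
        return True
    if p_host.startswith("*."):       # "*.example.com" covers example.com and subdomains
        base = p_host[2:]
        return host == base or host.endswith("." + base)
    return p_host == host

def audit_manifest(manifest, host=TARGET_HOST):
    """Return the reasons this extension could run script in pages on `host`."""
    findings = []
    for cs in manifest.get("content_scripts", []):
        if any(pattern_covers_host(m, host) for m in cs.get("matches", [])):
            findings.append("content_script")
            break
    perms = manifest.get("permissions", [])
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    grants = manifest.get("host_permissions", []) + perms
    if any(pattern_covers_host(g, host) for g in grants if isinstance(g, str)):
        findings.append("scripting+host_permission" if "scripting" in perms
                        else "host_permission")
    return findings

def audit_all(manifests):
    """Map extension label -> findings, for extensions with at least one finding."""
    return {k: f for k, m in manifests.items() if (f := audit_manifest(m))}

# Constructed sample manifests (not taken from any real extension).
SAMPLES = {
    "ext-a": {"manifest_version": 3, "permissions": ["storage"],
              "content_scripts": [{"matches": ["*://*.mexc.com/*"], "js": ["c.js"]}]},
    "ext-b": {"manifest_version": 3, "permissions": ["storage"],
              "host_permissions": ["https://example.org/*"]},
    "ext-c": {"manifest_version": 3, "permissions": ["scripting", "activeTab"],
              "host_permissions": ["<all_urls>"]},
}

if __name__ == "__main__":
    for label, reasons in audit_all(SAMPLES).items():
        print(label, reasons)
```

In practice, load each installed extension's manifest.json with json.load and pass the resulting dict to audit_manifest; a finding means the extension has the access this technique needs, not that it is malicious.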
