VYPR
Category: breach · Published Mar 18, 2026 · Updated May 18, 2026 · 1 source

Okta Dismantles 'ShieldGuard' Crypto Scam: Malicious Chrome Extension Harvested Wallets and Executed Remote Code

Okta Threat Intelligence has taken down the 'ShieldGuard' crypto scam, a malicious Chrome extension that stole wallet addresses, captured HTML content from major crypto platforms, and executed remote code via a command-and-control server.

A cryptocurrency scam known as 'ShieldGuard' has been dismantled after researchers identified it as a malicious browser extension designed to harvest sensitive user data. The operation, uncovered by Okta Threat Intelligence and described in an advisory published on March 17, initially presented itself as a security tool aimed at protecting crypto wallets from phishing and harmful smart contracts.

ShieldGuard combined social media promotion, a browser extension listing, and a token 'airdrop' incentive model to attract users. Participants were encouraged to download the extension and promote it in exchange for future cryptocurrency rewards. The project claimed its software could detect suspicious transactions before users approved them. However, analysis revealed a very different purpose.

Okta found the extension was built to extract valuable information from users interacting with major crypto platforms, including Binance, Coinbase, and MetaMask. It also targeted general browsing activity and Google services. Key capabilities included harvesting wallet addresses across all visited websites, capturing full HTML content from crypto platforms after login, tracking users persistently across sessions, and executing remote code via a command-and-control (C2) server.

The malware also used obfuscation and a custom JavaScript interpreter to bypass Chrome security restrictions. This allowed attackers to deliver and execute code dynamically without triggering standard protections. Further investigation showed the infrastructure enabled attackers to collect account balances, transaction histories, and portfolio data. In some cases, users could be redirected to fake warning pages controlled by the attackers.
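The capabilities above (reading wallet addresses on every visited site, capturing page content from the named crypto platforms) depend on how much of the web an extension's manifest lets it reach. The following added example is not Okta's tooling or the advisory's code; it compiles the match patterns declared in a manifest.json and reports which of a constructed list of watched hosts the extension can read or inject into, so a reviewer can see an over-broad grant before installing.

```javascript
// Added example (not from the advisory): triage an extension manifest by testing which
// watched platforms its declared match patterns can reach. WATCHED_HOSTS and
// SAMPLE_MANIFEST are constructed for illustration.
const WATCHED_HOSTS = ["www.binance.com", "www.coinbase.com", "metamask.io", "accounts.google.com"];
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Compile a Chrome match pattern (scheme://host/path or "<all_urls>") into a URL predicate.
// A "*" scheme means http or https; a "*." host prefix also matches the bare domain;
// the path part is matched against path plus query string.
function compileMatchPattern(pattern) {
  if (pattern === "<all_urls>") return () => true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const schemeRe = scheme === "*" ? /^https?$/ : new RegExp(`^${scheme}$`);
  const hostRe = host === "*" ? /.*/
    : host.startsWith("*.") ? new RegExp(`(^|\\.)${escapeRe(host.slice(2))}$`)
    : new RegExp(`^${escapeRe(host)}$`);
  const pathRe = new RegExp(`^${path.split("*").map(escapeRe).join(".*")}$`);
  return (url) => {
    const u = new URL(url);
    return schemeRe.test(u.protocol.slice(0, -1)) && hostRe.test(u.hostname) && pathRe.test(u.pathname + u.search);
  };
}

// Union of host_permissions and every content script's "matches" list.
function declaredPatterns(manifest) {
  return [...(manifest.host_permissions ?? []),
          ...(manifest.content_scripts ?? []).flatMap((cs) => cs.matches ?? [])];
}

// Which watched hosts can the extension reach, is its reach site-wide, and can it inject scripts?
function triage(manifest, hosts = WATCHED_HOSTS) {
  const patterns = declaredPatterns(manifest);
  const tests = patterns.map(compileMatchPattern);
  const reachable = hosts.filter((h) => tests.some((t) => t(`https://${h}/`)));
  const anyHost = patterns.some((p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p));
  return { reachable, anyHost, hasScripting: (manifest.permissions ?? []).includes("scripting") };
}

// Constructed manifest shaped like an over-privileged "wallet protection" extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "constructed-sample",
  permissions: ["storage", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*.binance.com/*"], js: ["cs.js"] }],
};

console.log(triage(SAMPLE_MANIFEST));
```

An extension that advertises protection for one wallet but declares `<all_urls>` plus `scripting` reaches every host on the list, which is the pattern worth questioning before install.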

Evidence suggested the operators may be Russian-speaking, based on language indicators in the code. Researchers also identified links to another campaign known as 'Radex,' indicating a broader threat network. Okta worked with industry partners to disrupt the operation by removing the extension from the Chrome Web Store, taking down associated domains, disabling backend infrastructure, and blocking user sign-in functionality.

These actions effectively severed communication between infected browsers and the attackers' servers. Users are advised to limit browser extension use, verify sources before installing, and treat offers of free tokens with caution. The takedown highlights the evolving sophistication of crypto scams that combine social engineering with technical obfuscation to bypass browser security measures.

Synthesized by Vypr AI