Okta helps disrupt ShieldGuard crypto-stealing extension
Okta says it has disrupted a malicious Chrome browser extension called ShieldGuard after its Threat Intelligence team found it in the Chrome Web Store and traced a related scam campaign that drove thousands of users to a Telegram channel.
The extension posed as a cryptocurrency security product. Okta's analysis found it was designed to collect wallet addresses and account data from users of major crypto services, including Binance, Coinbase, MetaMask, Phantom, OpenSea and Uniswap. It also collected data from Google services users.
In a coordinated effort with Google, Cloudflare and domain registrars, Okta helped remove the extension from the Chrome Web Store and disrupt the infrastructure it used to communicate with infected browsers. The Telegram channel linked to the operation reached nearly 7,000 followers before the takedown.
Marketing funnel
ShieldGuard used a public website, a Chrome Web Store listing and a Telegram channel to appear legitimate. The operation also maintained an X profile, according to Okta. The website claimed the extension could detect suspicious transactions before a user signed a request.
The campaign relied on social engineering common in crypto fraud. Okta described a multi-level marketing approach that promised cryptocurrency "airdrops" for early adopters and additional rewards for referrals. Users were urged to install the extension and create an account through a claim portal.
The site also tried to ease concerns about wallet access, claiming the software would not need direct access to a user's crypto wallet. Okta found the extension requested broad browser permissions during installation, including the ability to "Read and change all your data on all websites."
Data collection
Okta's investigation found ShieldGuard could harvest wallet addresses from websites a victim visited and gather detailed information from specific crypto platforms. The extension extracted full page HTML after a user signed into Binance, Coinbase, OpenSea or Uniswap in a browser, researchers said.
This HTML collection could include account balances, portfolio data and transaction history. Okta also found the extension tracked users through persistent UUIDs across browsing sessions.
Okta said ShieldGuard could execute arbitrary code on devices running the extension. Researchers demonstrated this using a feature that, on command, blocked access to legitimate sites and replaced pages with fake security warnings.
Evasion methods
Okta described the extension as heavily obfuscated, complicating review and reverse engineering. It said the attackers built a custom JavaScript interpreter to bypass security restrictions in Chrome's Manifest V3 framework.
Instead of using restricted functions such as eval(), the extension fetched encoded scripts from a command-and-control server and executed them through its custom interpreter within web pages. Okta said this enabled remote code execution without triggering Chrome's latest protections and highlighted a gap in how the browser enforces its security model.
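A manifest triage helper that flags the permission combination described above (all-sites host access plus code-injection APIs). This is an added example, not Okta's tooling or ShieldGuard's real manifest; the sample manifest and its name are constructed. A clean manifest does not clear an extension, since Manifest V3 lets a bundled script fetch and interpret remote code without any manifest entry, which is exactly the gap Okta describes.

```python
"""Flag Chrome extension manifests that can read and change data on every
site. Added example; SAMPLE_MANIFEST is constructed, not ShieldGuard's."""

# Host patterns that grant access to every site the user visits.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, together with all-sites access, let an extension
# inject code into or block arbitrary pages.
PAGE_CONTROL_PERMISSIONS = {"scripting", "tabs", "webNavigation", "declarativeNetRequest"}


def _host_patterns(manifest):
    """Collect host patterns from host_permissions, MV2-style permissions
    and every content_scripts.matches entry."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        patterns |= set(cs.get("matches", []))
    return patterns


def triage_manifest(manifest):
    """Return (severity, finding) tuples for a parsed manifest dict."""
    findings = []
    hosts = _host_patterns(manifest)
    all_sites = hosts & ALL_SITES_PATTERNS
    apis = set(manifest.get("permissions", []))
    if all_sites:
        findings.append(("high", f"all-sites host access via {sorted(all_sites)}"))
    if all_sites and apis & PAGE_CONTROL_PERMISSIONS:
        findings.append(("high", f"all-sites access plus {sorted(apis & PAGE_CONTROL_PERMISSIONS)}: "
                                 "can inject code into or block any page"))
    if all_sites and "storage" in apis:
        findings.append(("medium", "storage plus all-sites: can persist a tracking ID across sessions"))
    csp = manifest.get("content_security_policy", {})
    ext_csp = csp.get("extension_pages", "") if isinstance(csp, dict) else csp
    if "unsafe-eval" in ext_csp:
        findings.append(("medium", "CSP relaxes eval; inspect bundled scripts for runtime code loading"))
    # Note: a custom interpreter inside bundled JS needs none of the above
    # CSP relaxations, so an empty list here is not a clean bill of health.
    return findings


# Constructed manifest mirroring the warning "Read and change all your data on all websites".
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Wallet Guard (constructed sample)",
    "permissions": ["storage", "scripting", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
```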
Okta analysed ShieldGuard in an isolated, containerised browser and found it contacted a command-and-control endpoint at shieldguards[.]net/scripts. The server then delivered scripts that discovered installed crypto wallets and extracted addresses using the EIP-6963 wallet discovery protocol.
Okta said the infrastructure delivered two main payloads. The first injected a wallet-address harvesting script into every website a victim visited. The second targeted higher-value visits to crypto exchange and decentralised finance sites, waiting five seconds before capturing full page HTML and sending it to shieldguards[.]net/snapshots.
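Detection logic for the two payload behaviours just described, run over constructed web-proxy log lines: a known-indicator match on the shieldguards[.]net C2 paths, and a behavioural rule for a large POST leaving the client a few seconds after a visit to one of the named exchanges. This is an added example, not Okta's detection content; the log format, sample lines, window and size threshold are assumptions.

```python
"""Match the ShieldGuard C2 pattern in constructed proxy logs. Added example;
format is 'ts client method host path status request_bytes' (constructed)."""
from datetime import datetime, timedelta

C2_DOMAIN = "shieldguards.net"             # indicator reported by Okta
EXCHANGE_HOSTS = {"binance.com", "coinbase.com", "opensea.io", "uniswap.org"}
SNAPSHOT_WINDOW = timedelta(seconds=15)    # snapshot fires ~5 s after sign-in
MIN_SNAPSHOT_BYTES = 50_000                # full page HTML, not a small beacon


def parse_line(line):
    ts, client, method, host, path, status, req_bytes = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "host": host, "path": path,
            "status": int(status), "bytes": int(req_bytes)}


def _is_exchange(host):
    return any(host == h or host.endswith("." + h) for h in EXCHANGE_HOSTS)


def detect(lines):
    """Return alerts: ('ioc', client, detail) for known C2 traffic and
    ('behaviour', client, detail) for a large POST to a non-exchange host
    shortly after the same client touched an exchange."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    alerts, last_exchange = [], {}        # client -> time of last exchange hit
    for e in events:
        if e["host"] == C2_DOMAIN or e["host"].endswith("." + C2_DOMAIN):
            alerts.append(("ioc", e["client"], f"{e['method']} {e['host']}{e['path']}"))
        if _is_exchange(e["host"]):
            last_exchange[e["client"]] = e["ts"]
            continue                      # the exchange's own API calls are not exfil
        seen = last_exchange.get(e["client"])
        if (e["method"] == "POST" and e["bytes"] >= MIN_SNAPSHOT_BYTES
                and seen is not None and e["ts"] - seen <= SNAPSHOT_WINDOW):
            alerts.append(("behaviour", e["client"],
                           f"{e['bytes']} bytes POSTed to {e['host']}{e['path']} "
                           f"{(e['ts'] - seen).seconds}s after exchange visit"))
    return alerts


# Constructed sample: one infected client polling /scripts and uploading a
# snapshot five seconds after Coinbase, one clean client trading on Binance.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z 10.0.0.5 GET shieldguards.net /scripts 200 0",
    "2024-05-01T09:01:10Z 10.0.0.5 GET www.coinbase.com /home 200 0",
    "2024-05-01T09:01:15Z 10.0.0.5 POST shieldguards.net /snapshots 200 184320",
    "2024-05-01T09:05:00Z 10.0.0.7 GET www.binance.com /en 200 0",
    "2024-05-01T09:05:02Z 10.0.0.7 POST www.binance.com /api/trade 200 512",
]
```

The behavioural rule still fires for any large non-exchange POST inside the window (analytics or backup uploads, for instance), so it is a hunting lead to pair with the domain match rather than a blocking signature.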
Infrastructure links
Okta said the command-and-control server at shieldguards[.]net was proxied through Cloudflare. After the domain was removed from CDN services, Okta said it identified the origin server at Partner Hosting LTD, which it described as a bulletproof hosting provider.
The takedown also disabled sign-in functionality tied to the operation, according to Okta. Removing the shieldguards[.]net domain from its registrar disconnected existing installs from the command-and-control infrastructure, it added.
Okta said indicators suggested the threat actors may be Russian-speaking, citing a Russian error string ("Ошибка: не удалось определить домен") and Cyrillic character support inside the custom JavaScript interpreter. Okta also reported links to another malicious campaign known as Radex, including an administrative email address and a related Chrome extension ID.
Security guidance
The incident highlights the risks posed by browser extensions, even when they appear in official stores. Okta advised users to treat offers of free crypto with scepticism and to limit the number of extensions installed on devices used for sensitive accounts.
Okta recommended restricting extension permissions, regularly reviewing installed extensions, and using a separate browser profile, or a clean browser, for crypto transactions with extensions disabled. It also advised using an offline hardware wallet, double-checking pasted addresses and using phishing-resistant multi-factor authentication.
For corporate environments, Okta recommended allowlisting to give security teams control over third-party code running in browsers used to access company resources. It also outlined using managed Chrome and device assurance policies to assess which extensions run at sign-in, with rules that deny access unless extensions are allowlisted.
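One way to express the allowlist recommended above as a managed Chrome policy, as an added example that is not Okta's configuration: the ExtensionSettings policy blocks every extension by default and permits only listed IDs. The extension IDs used in the test are placeholders, and the Linux policy path named in the comment is one deployment location among several.

```python
"""Build a Chrome ExtensionSettings policy: default-deny, explicit allowlist.
Added example; extension IDs supplied by the caller are placeholders here."""
import json
import re

# Chrome extension IDs are 32 lowercase letters in the range a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def build_extension_settings(allowed_ids, force_installed_ids=(), blocked_hosts=()):
    """Return the ExtensionSettings policy value. Malformed IDs are rejected so
    a typo cannot silently allow nothing (or the wrong extension)."""
    for ext_id in list(allowed_ids) + list(force_installed_ids):
        if not EXTENSION_ID.match(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_install_message": "Extensions must be approved by security."}}
    if blocked_hosts:
        # Keep even approved extensions from running on internal applications.
        policy["*"]["runtime_blocked_hosts"] = list(blocked_hosts)
    for ext_id in allowed_ids:
        policy[ext_id] = {"installation_mode": "allowed"}
    for ext_id in force_installed_ids:
        policy[ext_id] = {"installation_mode": "force_installed",
                          "update_url": WEBSTORE_UPDATE_URL}
    return policy


def render_managed_policy(settings):
    """JSON body for a managed policy file, e.g. under
    /etc/opt/chrome/policies/managed/ on Linux."""
    return json.dumps({"ExtensionSettings": settings}, indent=2)
```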
"While legitimate sign-up promotions exist, scammers frequently use the promise of free crypto or high returns to create a false sense of urgency. If an offer looks too good to be true, it almost certainly is," Okta Threat Intelligence said.