Fake Ledger Live Chrome Extension Stole 1.4M XRP, Researchers Claim

Published at: March 25, 2020

A fraudulent Google Chrome extension has allegedly stolen as much as 1.4 million XRP from users this month alone.

In a series of tweets published on March 24, the research team “xrplorer forensics” claimed that fake Ledger Live extensions are being used to collect user backup passphrases:

“They are advertised in Google searches and use Google Docs for collecting data. Accounts are being emptied and we have seen more than 200K XRP being stolen the past month alone.”

Revising this initial figure, xrplorer forensics later amended its estimate to “close to 1.4M.”

The fraudulent extension is still available on Google Store

According to the researchers, most of the stolen XRP appears to still be held in accounts, with a proportion cashed out via the crypto exchange HitBTC.

Sharing a screenshot of a POST request from the alleged scam, xrplorer forensics warned the community against downloading tools for their hardware wallets from any developer other than the vendor directly — in this case, French crypto hardware wallet manufacturer Ledger.

Screenshot of the alleged Ledger Live XRP phishing scheme. Source: @xrpforensics

As of press time, two "Ledger Live" extensions appear on the Google store for the Chrome browser, both of which include multiple user reviews that appear to corroborate xrplorer forensics’ warnings against the scam.

Exchanges should be on the alert

In a series of parallel tweets between March 20 and March 25, xrplorer forensics claimed that close to 300 million XRP currently residing in XRP accounts is flagged as fraudulent.

The vast majority of it, they claim, comes from the PlusToken exit scam. 13 million XRP is, in their estimation, derived from other thefts and scams.

In a tweet today addressed to crypto exchange bithunter.io, the researchers asked why AML (anti-money-laundering) alerts were not observed for a series of large and allegedly suspicious transactions. They contend that one-third of all XRP bithunter has received is from suspect accounts on their advisory list.

As of March 20, the researchers said they had been noticing a “consolidation of funds from various scams happening right now,” appealing to exchanges to stay alert to the nature of incoming payments.

Repeat warnings

At the start of this month, Ledger had itself cautioned its users against the fake Ledger Live extension — first discovered by Harry Denley, director of security at blockchain interface platform MyCrypto. Denley, like xrplorer forensics, had identified that the fake extension was being propagated by a Google Ads campaign.
