A legitimate Chrome extension trusted by thousands of crypto users was hijacked in February 2026 to distribute malware targeting MetaMask, Phantom, and Coinbase Wallet. The attackers embedded code that harvests seed phrases, wallet credentials, and browser data through fake update pop-ups—a technique security researchers call ClickFix.
The extension, QuickLens Search Screen with Google Lens, was removed from the Chrome Web Store after it was found distributing malware and conducting so-called ClickFix attacks.
ClickFix is a social engineering technique that coaxes users into executing harmful code on their own machines.
Originally a tool enabling in-browser Google Lens searches, QuickLens had amassed an estimated 7,000 users worldwide before its compromise in February 2026, according to analysis by security outlet BleepingComputer.
Threat actors took advantage of a change in the extension’s ownership in early February, pushing a new version containing malicious scripts that requested elevated permissions and systematically weakened browser security controls.
“The extension stripped critical security headers… allowing arbitrary JavaScript injection on every page load,” the BleepingComputer analysis said, summarizing how the malware operated.
How ‘ClickFix’ and social engineering trick users
Unlike traditional malware that exploits software vulnerabilities, ClickFix relies heavily on deception and user interaction.
When unsuspecting users encountered fake prompts such as bogus Google Update pop-ups, the technique manipulated victims into copying and pasting attacker-supplied commands into their systems.
A joint report by cybersecurity researchers described how the compromised extension communicated with a command-and-control server to deliver malicious payloads.
The attack targeted a wide range of browser-based wallets, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare and others.
Stolen seed phrases and wallet credentials enabled attackers to drain funds and seize accounts.
“The ClickFix attack coerces users into executing attacker-supplied code under the pretense of a necessary browser update,” according to a threat analysis report on the QuickLens campaign.
In addition to stealing cryptographic keys, the malware scraped Gmail inboxes, logged sensitive form data, and harvested other credentials stored in the browser.
Broader trend: extension supply chain attacks rising
Security experts warn that the QuickLens incident is part of a growing trend of supply chain attacks targeting seemingly benign browser extensions and tools.
Because extensions run with high privileges in users’ browsers, they are attractive vectors for attackers aiming to bypass endpoint protections.
Recent threat reports have flagged similar social engineering techniques, including other ClickFix variants that manipulate fake CAPTCHA prompts and copy-paste operations to infect devices with credential stealers and crypto-targeting malware.
Microsoft’s threat intelligence teams have been tracking ClickFix and related campaigns since at least 2024, noting their expansion beyond crypto into broader enterprise and consumer environments.
Likewise, cybersecurity firm Unit 42 documented the technique’s impact on sectors ranging from manufacturing and retail to government and energy.
Advice for crypto holders and browser users
Affected users are urged to immediately uninstall the QuickLens extension, run comprehensive malware scans, and reset passwords for any accounts accessed through the browser.
Experts also recommend transferring any remaining crypto holdings to new wallets not associated with the compromised environment.
Because the incident exposes weaknesses in extension vetting and update mechanisms, security professionals advise limiting installations to essential, verified extensions and regularly auditing their permissions to detect suspicious activity.
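One way to carry out the permission audit described above, written as an added example and not code from the article or any vendor: a Python check that flags all-site host access and header-stripping rules in an unpacked extension. It assumes the header removal is done with declarativeNetRequest modifyHeaders rules, which the article does not confirm; audit_extension and the sample data are constructed for illustration.

```python
import json

# Response headers whose removal weakens script-injection and framing defences.
SECURITY_HEADERS = {"content-security-policy", "content-security-policy-report-only",
                    "x-frame-options", "x-content-type-options"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
               "webRequest", "scripting", "cookies", "clipboardRead"}

def audit_extension(manifest, dnr_rules):
    """Return findings for one unpacked extension (manifest + static DNR rules)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | perms
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings += [f"permission:{p}" for p in sorted(perms & RISKY_PERMS)]
    if hosts & BROAD_HOSTS:
        findings.append("hosts:all-sites")
    for rule in dnr_rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in SECURITY_HEADERS:
                findings.append(f"strips-header:{name}:rule-{rule.get('id')}")
    return findings

# Constructed sample input, not taken from the QuickLens package.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Lens Helper", "version": "2.0.1",
  "permissions": ["declarativeNetRequest", "scripting", "storage"],
  "host_permissions": ["<all_urls>"]
}""")
SAMPLE_RULES = json.loads("""[
  {"id": 1, "condition": {"resourceTypes": ["main_frame", "sub_frame"]},
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "Content-Security-Policy", "operation": "remove"},
     {"header": "X-Frame-Options", "operation": "remove"}]}},
  {"id": 2, "condition": {"urlFilter": "ads.example"}, "action": {"type": "block"}}
]""")

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_MANIFEST, SAMPLE_RULES):
        print(finding)
```

Rules can also be registered at runtime instead of being shipped in static rule files, so an empty result does not clear an extension.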
As the digital asset ecosystem continues to attract financially motivated attackers, this incident serves as a stark reminder of the need for vigilance and layered security practices among crypto investors and general internet users alike.