Hello
I just got scammed for 200 bucks by trying to withdraw from exchange 1 (binance) and deposit to exchange 2 (MEXC). This is NOT your regular clipboard hijacker, the JS script did the following for me:
- When you copy the deposit address from exchange 2 to the withdrawal field in exchange 1, the address doesn't immediately change visibly, it gets swapped with the scam address DURING confirmation; there's NO way to see it coming since it happens in the backend via the script
- If you try to deposit (instead of withdraw) on Binance, the address is VISIBLY changed to the scammer address. The deposit address on MEXC didn't change, it was legit
- When pasting the deposit address of exchange 2 into the corresponding blockchain explorer, the result will be the scammers address. This can make you confused EVEN if you know what you are doing
- When you search for the scammer address on blockchain explorer, it will crash the site
Now, I didn't figure out where this Google sheets thing came from because I pirate a lot but I did figure out how it got loaded.
I found this because I deleted the "Extension" folder which had all the malicious stuff in it and I kept getting a message saying "failed to load extension" whenever I would start Brave.
I searched on YT how to fix this, most videos recommended deleting/renaming the BraveSoftware folder under "%Appdata%\Local\BraveSoftware".
After I did this, I still kept getting the error message so it didn't make sense anymore. This is when I found this:
If you right click on the Chrome (Brave in my case) shortcut, click properties, you will find this:
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --load-extension="C:\Users\x\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extension\jeelboaldqeqfqemlljamankmbnoefre\4.3.6._0"
Considering the malicious extensions stem from my Brave shortcut, I knew it was impossible that I downloaded any extensions and I am almost certain it stems from a torrent.
My download history of my browser etc couldn't be it because it was never an executable or a script. So all that's left is my torrent history:
https://ibb.co/z6YJzNX
Considering most of my downloads on this list are movies or series, we can safely assume they aren't the culprit. The torrents for Vegas Pro, C4D and V-Ray ALL share the same crack with the same icons but different file sizes:
https://ibb.co/S7DV2jm
That's all I have for now, I am kinda done with this, I won't look into it any further. It hurts to think about this even though the money isn't really a big loss, I'm just disappointed and guilty with myself and I want to forget this ASAP.
If anyone has downloaded anything from this list during july, be kind and reply so that others can avoid getting scammed like this as well.
EDIT: I forgot to add, I ran the crack exes from those 3 torrents in Sandboxie and it didn't show anything, but I mean what's the point of that, if someone can engineer shit like this then he will have absolutely no problem implementing anti-sandbox features into his cracks.
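The persistence trick in this post is the `--load-extension=` argument appended to the browser shortcut, which Chromium-based browsers (Chrome, Brave, Edge) honour on every launch. The script below is an added example for checking your own machine, not code from the post: `find_sideloaded_extensions` parses a launch command line and reports extension directories passed through `--load-extension` (and the related `--disable-extensions-except` flag, an assumption beyond the post), and `scan_windows_shortcuts` walks `.lnk` files with the WScript.Shell COM object, which assumes Windows with pywin32 installed.

```python
import re
from pathlib import Path

# Chromium flags that make the browser load unpacked extension folders.
# --load-extension is the one abused in the shortcut above; the second is
# an assumption added here because it is commonly paired with it.
WATCHED_FLAGS = ("--load-extension", "--disable-extensions-except")

# Matches  --flag="quoted value with spaces"  or  --flag=unquoted_value
_FLAG_RE = re.compile(r'(--[a-z-]+)=(?:"([^"]*)"|(\S+))')


def find_sideloaded_extensions(command_line: str) -> dict:
    """Return {flag: [extension dirs]} for every watched flag found in a
    browser launch command line (shortcut target plus its arguments)."""
    found = {}
    for flag, quoted, bare in _FLAG_RE.findall(command_line):
        if flag in WATCHED_FLAGS:
            value = quoted if quoted else bare
            # Chromium accepts several extension dirs separated by commas
            found.setdefault(flag, []).extend(p for p in value.split(",") if p)
    return found


def scan_windows_shortcuts(directories) -> list:
    """Walk .lnk files under the given directories and report any whose
    arguments sideload an extension. Windows only (needs pywin32)."""
    import win32com.client  # assumption: pywin32 is installed
    shell = win32com.client.Dispatch("WScript.Shell")
    hits = []
    for d in directories:
        for lnk in Path(d).rglob("*.lnk"):
            sc = shell.CreateShortcut(str(lnk))
            cmd = f'"{sc.TargetPath}" {sc.Arguments}'
            result = find_sideloaded_extensions(cmd)
            if result:
                hits.append((str(lnk), result))
    return hits


if __name__ == "__main__":
    # Constructed sample: the shortcut target quoted in the post above.
    sample = (r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" '
              r'--load-extension="C:\Users\x\AppData\Local\BraveSoftware'
              r'\Brave-Browser\User Data\Default\Extension'
              r'\jeelboaldqeqfqemlljamankmbnoefre\4.3.6._0"')
    print(find_sideloaded_extensions(sample))
```

On a real machine you would point `scan_windows_shortcuts` at the Desktop, the Start Menu folders and the taskbar pinned-shortcut folder under `%AppData%`, since the shortcut is what keeps the extension coming back after the profile folder is deleted.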