
Topic: Fake Google Sheets Extension - Scammed | Last Update! (Read 617 times)

sr. member
Activity: 434
Merit: 316
Fine by Time
I must say you're quite lucky and very attentive to details. Imagine if you weren't observant; you could have lost even more money. To be honest, I don't think the extension was the sole reason for this issue. Most extensions usually require authorization before they can run in your browser, like Chrome or others. I'd like to know, did you ever give authorization to the Google Sheets extension? Or are you suggesting that it gained permission without your consent? If it's the latter, it's clear that any extension that doesn't ask for your permission should be avoided, as it seems to be a scam extension. This is a serious matter, as I also have several extensions on my device, some of which I downloaded from websites I don't fully trust. I think I'll go back and check those extensions to be on the safe side.






copper member
Activity: 2170
Merit: 1822
Top Crypto Casino
I've only used Ubuntu once, quite a few years ago, and it's a completely different environment that I couldn't get used to.
Trust me, with time, you eventually get used to it.
I will speak for myself, I am not a nerd and Linux gave me some hard time for the first few weeks, but I got used to it after a while. When I am into transactions and trading, I often use it as compared to my Windows 11. Everyone always starts from somewhere.

The only downside is that there are some platforms that only have Windows and macOS app support and no Linux, but this is minimal.
hero member
Activity: 1680
Merit: 845
I'm going through a fresh Windows installation as we speak, even though my computer looks safe so far, as no antivirus can detect any kind of malware right now.
If you can, install a Linux OS on your PC as well and use it only for installing wallets, performing transactions and maybe trading.

There are fewer chances of picking up malware via Linux unless one is way too careless. I have mine, and I have never ever felt unsafe like I do when using Windows, even though I don't have many random apps installed on it.
Antivirus software programs are just bullshit and can give you a false sense of security.
I've only used Ubuntu once, quite a few years ago, and it's a completely different environment that I couldn't get used to. However, they're definitely safer and ideal for such applications, which makes me consider it, especially now that I've installed a second HDD, so one could hold Windows and the other Ubuntu. It'll only be isolated for the wallet, which would make it a lot safer than having it on a Windows environment that's been used at the same time.
Awareness is the key when transacting; you have to not only double-check but triple-check addresses, since we never know if we have this, even with these popular antiviruses.
Antiviruses are easily bypassed if the scammer/hacker is good enough at creating a program, not to mention they most likely hitch these programs onto legitimate programs that are downloaded illegally. Trojans work that way and install themselves without you noticing them.

Hopefully OP reported this crime at least to the cybercrime division of OP's country, because hackers aren't scared since no one reports them; even if it's left unchecked, at least they will have a record of this incident, so when more people report similar situations they can act on it. I do download movies and anime on my phone, so this scares me big time, but it helped me remember to always double-check the address I will transfer my funds to.
Antiviruses can be bypassed when it's a new type of malware or virus. After user reports, they update their software to include such malicious attempts. Back then, there wasn't a single mention similar to my case, so I guess I was probably one of their first victims. Reporting to the authorities wouldn't change a thing; I had no details other than a wallet's address, and while the amount I was scammed was petty for them to even bother, they'd laugh at me if I reported that my 25 XRP coins, then worth about $10, were stolen due to a fake extension.
sr. member
Activity: 1554
Merit: 334
Awareness is the key when transacting; you have to not only double-check but triple-check addresses, since we never know if we have this, even with these popular antiviruses.
Antiviruses are easily bypassed if the scammer/hacker is good enough at creating a program, not to mention they most likely hitch these programs onto legitimate programs that are downloaded illegally. Trojans work that way and install themselves without you noticing them.

Hopefully OP reported this crime at least to the cybercrime division of OP's country, because hackers aren't scared since no one reports them; even if it's left unchecked, at least they will have a record of this incident, so when more people report similar situations they can act on it. I do download movies and anime on my phone, so this scares me big time, but it helped me remember to always double-check the address I will transfer my funds to.
copper member
Activity: 2170
Merit: 1822
Top Crypto Casino
I'm going through a fresh Windows installation as we speak, even though my computer looks safe so far, as no antivirus can detect any kind of malware right now.
If you can, install Linux OS as well on your PC and use it only to install wallets, performing transactions and maybe trading.

There are fewer chances of picking up malware via Linux unless if one is way too careless. I have mine and I have never ever felt unsafe like I do when using Windows even though I have not many random apps installed in it.
Antivirus software programs are just bullshit and can give you a false sense of security.
hero member
Activity: 1680
Merit: 845
Today I decided to do a long-needed cleanup on the computer after more than half a year of being inactive. I started with a malware scan from Malwarebytes, and to my surprise, it still detected the fake extension! However, the extension was found on Microsoft Edge, something that completely slipped undetected because I generally use Chrome and never spotted it on Edge.
There is something weird about Microsoft Edge that I noticed. It seems to automatically install extensions that are already installed on Chrome. I saw this on my Windows PC.
It will only be possible if the two browsers are synced using the same Google account/email.

To OP, have you tried other browsers instead of Chrome? I'm not a fan of it, actually; Firefox is much better for me. Check if the address is changing too after pasting it into the address textbox.

To OP, if you really think that the extension was installed through some other unknown app(s) without your AV detecting it even after a full scan, I will also suggest reformatting or installing a new OS on your device. It might be troublesome and time-consuming, but it's your last option to get rid of the malware.
No, the address is not changing when copy-pasting. The extension was displaying the hacker's address instead of the right deposit address; thus, you're practically handing over your coins to the hackers. The extension though wasn't probably installed for a long time, because its script was slowing down tabs and making them crash.

I'm going through a fresh Windows installation as we speak, even though my computer looks safe so far, as no antivirus can detect any kind of malware right now. I had used the Brave browser in the past; I don't know if it also had the extension installed, but it didn't suit me. It's not the browser's fault; it's just that I find Chrome more convenient due to the synchronizations through my Google account, which sync all the necessary data I'm using daily. On top of that, I use their services, such as Google Drive, Gmail, Photos, etc., on a daily basis.

Before the automation of Google services and the Chrome browser, I used to use Firefox and preferred it as a browser overall; it was also a lot lighter than Chrome.
hero member
Activity: 1554
Merit: 880
pxzone.online
Today I decided to do a long-needed cleanup on the computer after more than half a year of being inactive. I started with a malware scan from Malwarebytes, and to my surprise, it still detected the fake extension! However, the extension was found on Microsoft Edge, something that completely slipped undetected because I generally use Chrome and never spotted it on Edge.
There is something weird about Microsoft Edge that I noticed. It seems to automatically install extensions that are already installed on Chrome. I saw this on my Windows PC.
It will only be possible if the two browsers are synced using the same Google account/email.

To OP, have you tried other browsers instead of Chrome? I'm not a fan of it, actually; Firefox is much better for me. Check if the address is changing too after pasting it into the address textbox.

To OP, if you really think that the extension was installed through some other unknown app(s) without your AV detecting it even after a full scan, I will also suggest reformatting or installing a new OS on your device. It might be troublesome and time-consuming, but it's your last option to get rid of the malware.
copper member
Activity: 2170
Merit: 1822
Top Crypto Casino
Today I decided to do a long-needed cleanup on the computer after more than half a year of being inactive. I started with a malware scan from Malwarebytes, and to my surprise, it still detected the fake extension! However, the extension was found on Microsoft Edge, something that completely slipped undetected because I generally use Chrome and never spotted it on Edge.
There is something weird about Microsoft Edge that I noticed. It seems to automatically install extensions that are already installed on Chrome. I saw this on my Windows PC.

Up to this day, I still haven't found any clues on how this extension got installed, nor can I suspect any torrents that I have used in the past. Thus, keep your software and Windows updated at all times, as security breaches are becoming more and more dangerous.
By the way, there are some software apps that maliciously install browser extensions and even change the default search engine settings of your browser. So it's a possibility that at one point you installed an app and without properly reviewing the additional add-ons it would install, you just kept clicking OK or Next on the software installer dialogue box.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
That also crossed my mind, but back then, I couldn't bring myself to rewind if I possibly did such a thing. However, it would make sense, as I probably wouldn't suspect a Google Sheets extension. I would like to know in order to prevent something similar in the future. As far as I know, no torrents were downloaded anywhere close to the date the extension appeared. I have no evidence that they are to blame, and to be honest, I do doubt to this day that it was the cause, as it was two torrents for Adobe software that were supposedly by a so-called reputable torrent source.

There is supposed to be a pop-up warning in Google Chrome that tells you when an extension was installed (or prompts you whether you want to install an extension in the case of Chrome Web Store). Unless Developer Mode is enabled in chrome://extensions, in which case there will be no prompt at all when you use the "load unpacked" button, so you should probably disable that unless you absolutely need that feature.
hero member
Activity: 1680
Merit: 845
I just saw this thread, but damn. I could only bet that this extension came from your browser activity; it could be from ads and was accepted without you remembering, or you were busy downloading other things and then this one popped up, since installing an extension will show a browser pop-up notification. That's the standard for security purposes in browsers; it could not be installed without it.
That also crossed my mind, but back then, I couldn't bring myself to rewind if I possibly did such a thing. However, it would make sense, as I probably wouldn't suspect a Google Sheets extension. I would like to know in order to prevent something similar in the future. As far as I know, no torrents were downloaded anywhere close to the date the extension appeared. I have no evidence that they are to blame, and to be honest, I do doubt to this day that it was the cause, as it was two torrents for Adobe software that were supposedly by a so-called reputable torrent source.

However, I never use Microsoft Edge. I get that I could possibly accept a pop-up without realizing it, but what about Edge? I've never used it in the past, and up to this day, I hadn't realized that it was also installed there, which means that the infected files were still on my computer but were affecting a different application.
hero member
Activity: 1554
Merit: 880
pxzone.online
I just saw this thread, but damn. I could only bet that this extension came from your browser activity; it could be from ads and was accepted without you remembering, or you were busy downloading other things and then this one popped up, since installing an extension will show a browser pop-up notification. That's the standard for security purposes in browsers; it could not be installed without it.
hero member
Activity: 1680
Merit: 845
So, this is hopefully the last update on this thread, and the reason for me to update it is due to it no longer being undetected by antiviruses, as I was pleasantly surprised by Malwarebytes, which caught all threats. Up to this day, I still haven't found any clues on how this extension got installed, nor can I suspect any torrents that I have used in the past. Thus, keep your software and Windows updated at all times, as security breaches are becoming more and more dangerous.

This part is what scares me the most: the level that these virus programmers have reached, not being detected by any antivirus, either paid or free, is what scares me the most, as one will not be able to tell when they are actually free from viruses and when they are not, or when we need to worry about something or not. Especially when you are using the same PC for crypto-related transactions, the risk is very high, as most of these viruses are designed to target crypto-related transactions, just as in the case of swegmen1, which I still don't know if such a thing was ever going to be possible, as what I knew of is the clipboard virus. I have learned to reconfirm my address every time I want to execute a transaction in order to avoid falling into the hackers' hands.

It's good you bumped this thread, as I have been able to grab a few, if not up to two, types of viruses and how they attack, which ordinarily I was not aware of.
This was the worst part; no antivirus software or VirusTotal was able to detect the malware when I fell victim to the extension. I couldn't believe my eyes when I saw it, and I probably wouldn't have suspected it myself if Binance's customer support agent hadn't mentioned checking for possible malware. It didn't make any sense, and nothing was able to detect it on my computer if I hadn't seen it myself and realized it. It's delightful that at least now, a year later, it's fully recognized by even free software such as Malwarebytes. I also had the Brave browser installed, which swegmen1 was using when he was scammed, but I didn't think to check if it had the extension installed on it.
Thank you all for updating the topic. The fake browser extension is dangerous, and the hacker can access the important data saved in the browser and steal it; frankly, I think a safe solution for you is to make a new installation of Windows or Linux and remove your current version of Windows completely, because your computer may also be infected. Although antivirus software may be effective, it may not be able to detect all encrypted malware.

Really, 111 pieces of malware are very scary.

Torrent files are risky, illegal, and contain malware. I do not advise you, after making a new Windows installation on your computer, to use the torrent files that you downloaded before and stored on your computer. I think that is the main reason for this fake extension being installed on your computer without your knowledge.

Yes, updating the system continuously is important, as is downloading programs from their official websites only.
I just rechecked the quarantine history, and the majority of the malware found was involved with the fake extension that was left on Microsoft Edge. Fortunately, it seems to be gone for good. I'll do a clean installation of Windows soon. The most frustrating matter I'm facing is that I could never track what caused the extension to install—was it a torrent or another kind of software? I guess we'll never learn.
-snip-
However, that didn't bother me too much since the extension was practically gone. Keep in mind that no kind of antivirus software was able to spot anything unusual, even if I selected Chrome's folder directly.
I suggest that you don't do any large crypto transactions before making sure that your computer is really clean. You can do light activities and try to connect to the internet to see whether the extension contacts its server to try to reinstall itself without permission.

As a tip, in the past I was also used to handling the laptops of some of my office employees that were infected with viruses. Besides relying on antivirus, I do manual cleaning, especially of the registry configuration.
Malwarebytes caught some stuff on the registry too, but I've got no clue what it is about. My wallet has no transactions on it, and I intend to keep it that way. I'm generally a little paranoid after this incident and will be extra careful if I make any transactions. So far, after I manually deleted the extension files a year ago, I've faced no issues, nor have I suspected that something was off.
hero member
Activity: 1778
Merit: 709
[Nope]No hype delivers more than hope
-snip-
However, that didn't bother me too much since the extension was practically gone. Keep in mind that no kind of antivirus software was able to spot anything unusual, even if I selected Chrome's folder directly.
I suggest that you don't do any large crypto transactions before making sure that your computer is really clean. You can do light activities and try to connect to the internet to see whether the extension contacts its server to try to reinstall itself without permission.

As a tip, in the past I was also used to handling the laptops of some of my office employees that were infected with viruses. Besides relying on antivirus, I do manual cleaning, especially of the registry configuration.
legendary
Activity: 1890
Merit: 1537
Today I decided to do a long-needed cleanup on the computer after more than half a year of being inactive. I started with a malware scan from Malwarebytes, and to my surprise, it still detected the fake extension! However, the extension was found on Microsoft Edge, something that completely slipped undetected because I generally use Chrome and never spotted it on Edge.
Thank you all for updating the topic. The fake browser extension is dangerous, and the hacker can access the important data saved in the browser and steal it; frankly, I think a safe solution for you is to make a new installation of Windows or Linux and remove your current version of Windows completely, because your computer may also be infected. Although antivirus software may be effective, it may not be able to detect all encrypted malware.

Really, 111 pieces of malware are very scary.

I still haven't found any clues on how this extension got installed, nor can I suspect any torrents that I have used in the past. Thus, keep your software and Windows updated at all times, as security breaches are becoming more and more dangerous.
Torrent files are risky, illegal, and contain malware. I do not advise you, after making a new Windows installation on your computer, to use the torrent files that you downloaded before and stored on your computer. I think that is the main reason for this fake extension being installed on your computer without your knowledge.

Yes, updating the system continuously is important, as is downloading programs from their official websites only.
hero member
Activity: 700
Merit: 673
So, this is hopefully the last update on this thread, and the reason for me to update it is due to it no longer being undetected by antiviruses, as I was pleasantly surprised by Malwarebytes, which caught all threats. Up to this day, I still haven't found any clues on how this extension got installed, nor can I suspect any torrents that I have used in the past. Thus, keep your software and Windows updated at all times, as security breaches are becoming more and more dangerous.

This part is what scares me the most: the level that these virus programmers have reached, not being detected by any antivirus, either paid or free, is what scares me the most, as one will not be able to tell when they are actually free from viruses and when they are not, or when we need to worry about something or not. Especially when you are using the same PC for crypto-related transactions, the risk is very high, as most of these viruses are designed to target crypto-related transactions, just as in the case of swegmen1, which I still don't know if such a thing was ever going to be possible, as what I knew of is the clipboard virus. I have learned to reconfirm my address every time I want to execute a transaction in order to avoid falling into the hackers' hands.

It's good you bumped this thread, as I have been able to grab a few, if not up to two, types of viruses and how they attack, which ordinarily I was not aware of.
hero member
Activity: 1680
Merit: 845
Excuse me for grave digging such an old thread, but I figured it would be best to revive it rather than come up with a new thread since the update is referring to the exact incident.

I haven't had access to my computer for the past few months due to personal reasons that aren't the main subject; thus, I had my laptop completely abandoned and left in a state of despair. I strongly remember that if I uninstalled the extension through Chrome's extension manager, it would simply reappear the next time Chrome was launched. Thus, I resorted to finding the corresponding files in the data folder and deleting them myself. This worked, although Chrome appeared to still attempt to launch the now-missing extension, as seen in the following photo. However, that didn't bother me too much since the extension was practically gone. Keep in mind that no kind of antivirus software was able to spot anything unusual, even if I selected Chrome's folder directly.

Today I decided to do a long-needed cleanup on the computer after more than half a year of being inactive. I started with a malware scan from Malwarebytes, and to my surprise, it still detected the fake extension! However, the extension was found on Microsoft Edge, something that completely slipped undetected because I generally use Chrome and never spotted it on Edge.


It also certainly found malware in Chrome's folders because, after the scan was complete and the threat was wiped, the message on the first screenshot stopped appearing, meaning that it wasn't trying to launch it anymore.

So, this is hopefully the last update on this thread, and the reason for me to update it is due to it no longer being undetected by antiviruses, as I was pleasantly surprised by Malwarebytes, which caught all threats. Up to this day, I still haven't found any clues on how this extension got installed, nor can I suspect any torrents that I have used in the past. Thus, keep your software and Windows updated at all times, as security breaches are becoming more and more dangerous.
hero member
Activity: 1680
Merit: 845
I was a victim of this two days ago.
It changed my Binance bitcoin address to this address:
1bmL3m2Wrb4qzSyNnLU3ExEhWX8C7QeWK
I lost 0.00810000 BTC.
BTC is still unspent.
https[Suspicious link removed]hWX8C7QeWK

Is it possible to get the real ID/team of this extension maker?
I'm sorry for your loss. Do you have any idea how the extension got installed in the first place? In my case, I found that it had been running for quite a while and couldn't possibly trace back to who was responsible for its installation. I had a few guesses regarding some torrented software, but the creation date of the extension's folder doesn't line up with the download date; thus, I can't be sure that the torrents were to blame. Although I will refrain from downloading pirated software from now on.
hero member
Activity: 2786
Merit: 902
yesssir! 🫡
Is it possible to get the real ID/team of this extension maker?

You can spend thousands of dollars to hire investigators for a chance they might be able to piece something out. Emphasis on "for a chance"... as you can guess, it's not advisable in most cases.

The most attainable thing you could do right now is to take precautions so this never happens again and maybe monitor the transaction in the blockchain to see if your scammer is dumb enough to send your coins directly to an exchange [unlikely chance so keep your expectations low]. You could use block explorers like oxt.me which labels known exchange addresses.
newbie
Activity: 1
Merit: 0
I was a victim of this two days ago.
It changed my Binance bitcoin address to this address:
1bmL3m2Wrb4qzSyNnLU3ExEhWX8C7QeWK
I lost 0.00810000 BTC.
BTC is still unspent.
https[Suspicious link removed]hWX8C7QeWK

Is it possible to get the real ID/team of this extension maker?
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
@swegmen1, thank you for the warning and the detailed description, and I hope that the $200 is not something that meant too much to you in your life, so that it can be just one life lesson for you. If you can somehow (in the future) separate everything that belongs to entertainment (and is risky) from anything related to cryptocurrencies, that would protect you from something like this happening to you again. Pirated content, whether it's movies/music or software, is very risky, and you should find a legal alternative to access such things.

I advise formatting the disk and a fresh installation of the OS to make sure that you have removed the infection.
hero member
Activity: 1680
Merit: 845
~snipped~
I'm really sorry for your loss. Your case sounds way more tricky and way harder to predict since, from what I understood, you were shown the correct address at first but the script switched it at the final stages. $200 is not a huge amount, but not a petty one either. As much as torrenting is useful for obtaining software you need, I've come to terms with the fact that it's a huge risk when having cryptocurrencies stored on your computer, and that it's not worth it. One idea is to keep cryptocurrencies and transactions away from your main computer.

I see that you're a newbie and put some decent effort into your post. I hope you stick around in the forum. There's a lot to learn. Thank you for spending your time to inform others regarding such a serious malicious script.
newbie
Activity: 1
Merit: 2
Hello

I just got scammed for 200 bucks by trying to withdraw from exchange 1 (binance) and deposit to exchange 2 (MEXC). This is NOT your regular clipboard hijacker, the JS script did the following for me:

  • When you copy deposit address from exchange 2 to withdrawal field in exchange 1, the address doesn't immediately change visibly, it gets swapped with scam address DURING confirmation, there's NO way to see it coming since it happens backend via script
  • If you try to deposit (instead of withdraw) on Binance, the address is VISIBLY changed to the scammer address. The deposit address on MEXC didn't change, it was legit
  • When pasting the deposit address of exchange 2 into the corresponding blockchain explorer, the result will be the scammers address. This can make you confused EVEN if you know what you are doing
  • When you search for the scammer address on blockchain explorer, it will crash the site


Now, I didn't figure out where this Google sheets thing came from because I pirate a lot but I did figure out how it got loaded.
I found this because I deleted the "Extension" folder which had all the malicious stuff in it and I kept getting a message saying "failed to load extension" whenever I would start Brave.
I searched on YT how to fix this; most videos recommended deleting/renaming the BraveSoftware folder under "%Appdata%\Local\BraveSoftware".
After I did this, I still kept getting the error message so it didn't make sense anymore. This is when I found this:


If you right click on the Chrome (Brave in my case) shortcut, click properties, you will find this:

Code:
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"  --load-extension="C:\Users\x\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extension\jeelboaldqeqfqemlljamankmbnoefre\4.3.6._0"

Considering the malicious extensions stem from my Brave shortcut, I knew it was impossible that I downloaded any extensions and I am almost certain it stems from a torrent.
My download history of my browser etc couldn't be it because it was never an executable or a script. So all that's left is my torrent history:

https://ibb.co/z6YJzNX

Considering most of my downloads on this list are movies or series, we can safely assume they aren't the culprit. The torrent from Vegas Pro, C4D and V-Ray ALL share the same crack with same icons but different file sizes:

https://ibb.co/S7DV2jm

That's all I have for now, I am kinda done with this, I won't look into it any further. It hurts to think about this even though the money isn't really a big loss, I'm just disappointed and guilty with myself and I want to forget this ASAP.
If anyone has downloaded anything from this list during July, be kind and reply so that others can avoid getting scammed like this as well.


EDIT: I forgot to add, I ran the crack exes from those 3 torrents in Sandboxie and it didn't show anything, but I mean, what's the point of that? If someone can engineer shit like this then he will have absolutely no problem implementing anti-sandbox features into his cracks.
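The shortcut Target shown above is the useful defensive detail in this post: an extension passed via --load-extension on the browser's command line is loaded fresh on every launch, which is exactly why removing it from the extension manager or deleting the profile folder did not help. The following is an added example (not code from this thread or from any browser vendor) that takes a shortcut's Target string, tokenizes it the way Windows roughly would, and reports any extension directories forced in through --load-extension or --disable-extensions-except. It assumes you already have the Target string (read from the shortcut's Properties dialog, as the post describes); reading .lnk files themselves is outside this snippet. The first sample is the command line quoted in the post; the second is a constructed clean shortcut for comparison.

```python
import re
from typing import Dict, List

# Chromium switches that load an extension from a directory on disk without the
# Web Store install prompt. A browser shortcut carrying one of them re-loads that
# directory on every launch, so the extension "comes back" after being removed.
SIDELOAD_SWITCHES = ("--load-extension", "--disable-extensions-except")

# Chromium extension ids are 32 lowercase letters; the version folder beneath the
# id folder is what the switch actually points at.
_EXT_ID_RE = re.compile(r"^[a-z]{32}$")


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows command-line tokenizer: whitespace separates arguments
    unless it sits inside double quotes. Sufficient for shortcut Target strings;
    it deliberately skips the backslash-before-quote rules of CommandLineToArgvW."""
    args, buf, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if buf:
                args.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        args.append("".join(buf))
    return args


def find_sideloaded_extensions(cmdline: str) -> List[Dict[str, str]]:
    """Return one record per extension directory the command line forces in."""
    args = split_windows_cmdline(cmdline)
    browser = args[0].replace("\\", "/").rsplit("/", 1)[-1] if args else ""
    hits: List[Dict[str, str]] = []
    i = 0
    while i < len(args):
        arg, switch, value = args[i], None, None
        for s in SIDELOAD_SWITCHES:
            if arg.startswith(s + "="):                 # "--switch=value" (documented form)
                switch, value = s, arg[len(s) + 1:]
                break
            if arg == s and i + 1 < len(args):          # "--switch value" (tolerated)
                switch, value = s, args[i + 1]
                i += 1
                break
        if switch and value:
            for path in value.split(","):               # Chromium accepts a comma-separated list
                parts = [p for p in path.replace("\\", "/").split("/") if p]
                ext_id = next((p for p in parts if _EXT_ID_RE.match(p)), "")
                hits.append({"browser": browser, "flag": switch,
                             "path": path, "extension_id": ext_id})
        i += 1
    return hits


# Target string quoted in the post above (Brave shortcut, path as posted).
SAMPLE_FROM_POST = (
    r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"  '
    r'--load-extension="C:\Users\x\AppData\Local\BraveSoftware\Brave-Browser'
    r'\User Data\Default\Extension\jeelboaldqeqfqemlljamankmbnoefre\4.3.6._0"'
)

# Constructed clean shortcut: only a profile switch, nothing sideloaded.
SAMPLE_CLEAN = (
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'--profile-directory="Default"'
)

if __name__ == "__main__":
    for label, target in (("post", SAMPLE_FROM_POST), ("clean", SAMPLE_CLEAN)):
        hits = find_sideloaded_extensions(target)
        print(f"[{label}] {len(hits)} sideloaded extension(s)")
        for h in hits:
            print(f"  {h['browser']} {h['flag']} id={h['extension_id']} path={h['path']}")
```

A clean shortcut for Chrome, Edge or Brave normally carries no switches at all, so any hit from this check is worth investigating; checking every browser shortcut (desktop, Start menu, taskbar pins) rather than only the one you click most often matches what the thread found about the extension surviving in a second browser.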
hero member
Activity: 1680
Merit: 845
Unfortunately, I don't have the necessary time available to back everything up and reinstall my OS; it's certainly the best option here, but I don't have the time for it. I've proceeded and deleted any extension files I've found, and will also remove any pirated software I've downloaded in the past few months.

The fake extension folder was created on 01/07/2022, so it's been on my computer for a while; there's a chance that I had downloaded something that is now deleted, but I'll be on the lookout in case it appears again.
legendary
Activity: 1904
Merit: 1563
Wouldn't you like to wipe your machine and start with a clean slate? Because a quick search suggests that you're not the only one having this kind of problem. There's even a redditor with a similar issue in the past [1] and an article [2] about this kind of adware.

The only problem with the article is that it suggests you use 3rd-party applications to remove the malicious files, which could usually be removed by wiping your entire machine and installing your OS. Plus, make a habit of minimizing your browser extensions and uninstalling those that aren't needed, including software programs.

[1] https://www.reddit.com/r/techsupport/comments/qp9fc7/removing_fake_sheets_extension_from_chrome_and/
[2] https://www.myantispyware.com/2020/10/21/how-to-remove-fake-google-docs-extension-virus-removal-guide/
hero member
Activity: 2786
Merit: 902
yesssir! 🫡
Hmmm. If I were you, I'd opt for a fresh OS installation since we don't know what slips through AVs and our own eyes. Probably opt out of extensions in the sync settings as well, just to be extra sure.

You can try to compartmentalize if you're dabbling with potentially dangerous stuff like pirated software, keeping the data of malicious extensions, etc.
legendary
Activity: 1526
Merit: 1359
New update!

The extension auto-reinstalled itself; honestly, I don't understand what's causing its installation, but certainly it's not me. I haven't deleted its files yet, because they could possibly come in handy for other users and for its declaration as a malicious extension. Could it be possible that one of them includes a script to install it without your permission?

In the past, I have come across similar extensions, but they were never as malicious. They usually hijacked control of the internal search engine and opened some suspicious websites and pop-up windows. Even after removing and resetting all Chrome settings, they persistently returned to the browser.

I am not sure that such extensions can be reinstalled by themselves. It seems to me that there must be some kind of executable that instructs these annoying extensions to reload themselves. There must be a process running quietly in the background on your system which is responsible. I recommend that you back up your data (such as passwords and bookmarks), completely remove the Google Chrome profile and user data folder, and perform a thorough adware and malware check of your system with Malwarebytes and an antivirus program. You can also manually check all programs and processes that start automatically after system startup to see if you notice anything suspicious.
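Before hunting for a background process, it is worth reading the record Chrome itself keeps of where each extension came from: the profile's Preferences / Secure Preferences JSON stores, per extension ID, a "location" code, a "from_webstore" flag, the install time and the path the files were loaded from. The script below is an added example written for this thread, not code from any poster or from Google. It decodes those fields; the location numbers are taken from Chromium's manifest Location enum as of writing and should be re-checked against your build, and the sample profile data is constructed, with made-up IDs and paths, so the script runs offline when given no path.

```python
"""Read how each extension got into a Chrome profile from its Preferences /
Secure Preferences JSON. Added example, not the poster's code or Google's."""
import json
import ntpath
import os
import posixpath
import sys
from datetime import datetime, timedelta, timezone

# extensions.settings.<id>.location as Chromium records it (values from
# Chromium's manifest Location enum at the time of writing; re-check for your build).
LOCATIONS = {
    1: "internal (user installed, Web Store or .crx)",
    2: "external_pref (external_extensions.json)",
    3: "external_registry (Software\\Google\\Chrome\\Extensions\\<id>)",
    4: "unpacked (Load unpacked / --load-extension)",
    5: "component (bundled with Chrome)",
    6: "external_pref_download",
    7: "external_policy_download (ExtensionInstallForcelist)",
    8: "command_line",
    9: "external_policy",
    10: "external_component",
}
EXTERNAL = {2, 3, 6, 7, 9}   # put there by something other than the user's own click


def chrome_time(micros) -> str:
    """install_time is a string of microseconds since 1601-01-01 UTC (Windows FILETIME epoch)."""
    if micros is None:
        return "?"
    return (datetime(1601, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=int(micros))).strftime("%Y-%m-%d %H:%M:%S UTC")


def describe_extensions(prefs: dict) -> list:
    """One record per extension with the install origin decoded and a 'suspicious' verdict."""
    out = []
    for ext_id, s in prefs.get("extensions", {}).get("settings", {}).items():
        loc = s.get("location")
        path = s.get("path", "")
        rec = {
            "id": ext_id,
            "name": s.get("manifest", {}).get("name", "?"),
            "location": LOCATIONS.get(loc, "unknown(%s)" % loc),
            "external": loc in EXTERNAL,
            "from_webstore": bool(s.get("from_webstore", False)),
            "enabled": s.get("state") == 1,
            "installed": chrome_time(s.get("install_time")),
            # Store installs are recorded relative to the profile's Extensions
            # folder; an absolute path means the files live somewhere else.
            "outside_profile": ntpath.isabs(path) or posixpath.isabs(path),
            "path": path,
        }
        rec["suspicious"] = rec["external"] or rec["outside_profile"] or (
            not rec["from_webstore"] and loc != 5)
        out.append(rec)
    return out


def load_profile(user_data_dir: str, profile: str = "Default") -> dict:
    """Merge both pref files; on Windows the extension settings live in Secure
    Preferences. Read only: editing it breaks Chrome's HMAC check and triggers a reset."""
    merged = {"extensions": {"settings": {}}}
    for fname in ("Preferences", "Secure Preferences"):
        p = os.path.join(user_data_dir, profile, fname)
        if os.path.exists(p):
            with open(p, encoding="utf-8") as fh:
                data = json.load(fh)
            merged["extensions"]["settings"].update(
                data.get("extensions", {}).get("settings", {}))
    return merged


# Constructed sample shaped like Secure Preferences; IDs and paths are made up.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": False, "location": 3, "state": 1,
        "install_time": "13303008000000000",
        "path": "C:\\Users\\me\\AppData\\Local\\Extension\\1",
        "manifest": {"name": "Google Sheets", "version": "1.0"},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": True, "location": 1, "state": 1,
        "install_time": "13290000000000000",
        "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\\1.44.0_0",
        "manifest": {"name": "uBlock Origin", "version": "1.44.0"},
    },
}}}

if __name__ == "__main__":
    prefs = load_profile(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    for r in describe_extensions(prefs):
        print("%s %-20s %-4s %s  %s" % ("!!" if r["suspicious"] else "ok", r["name"],
                                        "on" if r["enabled"] else "off", r["installed"], r["location"]))
        if r["outside_profile"]:
            print("   files at:", r["path"])
```

Run it as `python chrome_ext_origin.py "%LOCALAPPDATA%\Google\Chrome\User Data"` with Chrome closed. An "external_registry" or "external_policy" verdict tells you what to inspect next: the keys `HKLM\SOFTWARE\Google\Chrome\Extensions\<id>` (also under HKCU and Wow6432Node) and the `ExtensionInstallForcelist` values under `HKLM\SOFTWARE\Policies\Google\Chrome`, plus chrome://policy, since anything written there will re-create the extension after every manual removal; an absolute path under a stray folder such as "Extension" shows where the payload actually lives on disk.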
hero member
Activity: 1680
Merit: 845
New update!

The extension auto-reinstalled itself; honestly, I don't understand what's causing its installation, but certainly it's not me. I haven't deleted its files yet, because they could possibly come in handy for other users and for its declaration as a malicious extension. Could it be possible that one of them includes a script to install it without your permission?

The scammer's BTC address (https://www.blockchain.com/btc/address/16Adp6PaLTDqejGo4W4Yy8kzixgQVwFoEx)

Real BTC deposit address

Edit: Went to the extension's folder and started opening up each file; all folders feature the same files and are exact copies of each other. I honestly don't understand what's going on.

Edit 2: Okay, here's what I also found: there are two folders named "Extension" and "Extensions". The first one consists of several other folders containing the same fake Google Sheets extension, while the latter has all the legit ones along with a fake one as well.

hero member
Activity: 1680
Merit: 845
This is very alarming and we all thought that Malwarebytes is good at combatting clipboard malware...

The OP activated Premium protection only after he discovered the malware, and I guess it's logical that MB couldn't even protect him from the infection after it happened. Of course, the question arises as to how well programs like MB and various AVs are able to detect this kind of malware and prevent it from infecting the system.

I did a little research and found that Opera browser is the first to develop some kind of protection against clipboard malware and I can say that it works. After you copy the Bitcoin address, a pop-up appears with a message that the address has been copied and protected. Perhaps we can expect a similar feature on other browsers as well.

https://www.bleepingcomputer.com/news/security/opera-browser-working-on-clipboard-anti-hijacking-feature/
Malwarebytes Premium was present when the extension was installed; however, it did nothing to protect from it. My best guess is that it's a new type of thing going on. On the other hand, Opera might be less susceptible to such extensions; however, before it happened to me, I had only heard about the copy-pasting malware. Displaying a whole new address, though, is way out of the ordinary.
Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?
OP mentioned that Adobe Lightroom was downloaded several days after the extension was created. It's unlikely that software is the culprit. But I would try to retrace all my steps days before the extension was created. Maybe OP was visiting some new websites or giving them certain permissions that might have installed that extension on his PC. If he downloaded a pirated app, chances are OP has done so in the past as well.

I do not think this extension came from the official Google Chrome Web Store, that is probably why it was greyed out.
You are right about that. This Google support article confirms that:
Quote
Extensions that have not been published on the Chrome Web Store are grayed out and you won't be able to turn them back on.

However, the interesting part is that greyed out extensions should also be disabled because Google mentions that if you want to use a greyed out extension, you need to contact the developer and ask them to upload it in the Chrome Web Store. In OP's case, the extension was still working even when it was greyed out.
That's correct, Adobe Lightroom was downloaded after the extension's installation/creation. I can't recall if I had downloaded something else that is now deleted. It's surprising that even though the extension was supposed to be disabled, it ran perfectly fine.
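Two things in this thread can be checked mechanically from the manifest.json files alone: whether an extension was packaged by the Chrome Web Store (the store writes a fixed update_url into the manifest; a greyed-out, sideloaded one normally has none), and how much it is allowed to touch (a content script that matches `<all_urls>` can rewrite a deposit address on any exchange page). The script below is an added example for this thread, not code from any poster, from Google, or from the extension; it walks a profile directory, audits every manifest it finds, and reports the same display name appearing in several folders, which is what the "Extension" vs "Extensions" post describes. The two manifests embedded in it are constructed, not copied from the real extension.

```python
"""Audit Chrome extension manifests: flag sideloaded, over-privileged and
duplicated extensions. Added example; not code from the thread or from Google."""
import base64
import hashlib
import json
import os
from collections import defaultdict

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {"tabs", "scripting", "webRequest", "webRequestBlocking",
             "webNavigation", "clipboardRead", "clipboardWrite", "declarativeNetRequest"}


def extension_id_from_key(key_b64: str) -> str:
    """Chrome's 32-char ID is the first 128 bits of SHA-256 over the DER public
    key in manifest["key"], with hex digits 0-f remapped to letters a-p."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def audit_manifest(manifest: dict, folder: str = "") -> dict:
    """Return a record describing one manifest and the reasons it looks risky."""
    findings = []
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        # The Web Store writes this update_url when it packages an extension; a
        # sideloaded or unpacked one normally lacks it (a hint, not proof).
        findings.append("update_url is not the Chrome Web Store (sideloaded or unpacked)")
    # MV2 keeps host patterns in "permissions", MV3 in "host_permissions".
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_MATCHES:
        findings.append("host access to all sites")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_MATCHES:
            findings.append("content script injected into every page: " + ", ".join(cs.get("js", [])))
    if perms & SENSITIVE:
        findings.append("sensitive permissions: " + ", ".join(sorted(perms & SENSITIVE)))
    return {
        "folder": folder,
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "id": extension_id_from_key(manifest["key"]) if "key" in manifest else None,
        "findings": findings,
    }


def audit_tree(root: str) -> list:
    """Walk <User Data>/<profile>/Extensions/<id>/<version>/manifest.json, and any
    stray folder such as the thread's "Extension" directory, auditing each manifest."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8-sig") as fh:
                results.append(audit_manifest(json.load(fh), dirpath))
        except (OSError, ValueError):
            continue
    return results


def duplicate_names(results: list) -> dict:
    """Display names that occur in more than one folder (many copies of the same
    fake extension is exactly what the thread describes)."""
    by_name = defaultdict(list)
    for r in results:
        by_name[r["name"]].append(r["folder"])
    return {name: folders for name, folders in by_name.items() if len(folders) > 1}


# Constructed manifests: a plausible fake "Google Sheets" and a Web Store one.
FAKE_SHEETS = {
    "name": "Google Sheets", "version": "1.0", "manifest_version": 3,
    "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_end"}],
}
REAL_WEBSTORE = {
    "name": "Some Store Extension", "version": "2.3.1", "manifest_version": 3,
    "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://docs.google.com/*"], "js": ["docs.js"]}],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # e.g. "...\Google\Chrome\User Data\Default"
        results = audit_tree(sys.argv[1])
    else:                          # offline demo on the constructed manifests
        results = [audit_manifest(FAKE_SHEETS, "Extension/copy1"),
                   audit_manifest(FAKE_SHEETS, "Extension/copy2"),
                   audit_manifest(REAL_WEBSTORE, "Extensions/id/2.3.1")]
    for r in results:
        print("[%s] %s %s (%s)" % ("!!" if r["findings"] else "ok", r["name"], r["version"], r["folder"]))
        for f in r["findings"]:
            print("      -", f)
    for name, folders in duplicate_names(results).items():
        print("duplicate name %r in %d folders" % (name, len(folders)))
```

Point it at the whole profile folder rather than only Extensions so that a stray sibling directory is picked up too. The update_url test is only a hint, because an attacker can write that line into a manifest as easily as the store can; the authoritative answer is the from_webstore flag Chrome keeps in its own preferences. The ID derivation is there so a hit can be matched against what chrome://extensions shows even when the folder was renamed.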
legendary
Activity: 2730
Merit: 7065
Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?
OP mentioned that Adobe Lightroom was downloaded several days after the extension was created. It's unlikely that software is the culprit. But I would try to retrace all my steps days before the extension was created. Maybe OP was visiting some new websites or giving them certain permissions that might have installed that extension on his PC. If he downloaded a pirated app, chances are OP has done so in the past as well.

I do not think this extension came from the official Google Chrome Web Store, that is probably why it was greyed out.
You are right about that. This Google support article confirms that:
Quote
Extensions that have not been published on the Chrome Web Store are grayed out and you won't be able to turn them back on.

However, the interesting part is that greyed out extensions should also be disabled because Google mentions that if you want to use a greyed out extension, you need to contact the developer and ask them to upload it in the Chrome Web Store. In OP's case, the extension was still working even when it was greyed out.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
This is very alarming and we all thought that Malwarebytes is good at combatting clipboard malware...

The OP activated Premium protection only after he discovered the malware, and I guess it's logical that MB couldn't even protect him from the infection after it happened. Of course, the question arises as to how well programs like MB and various AVs are able to detect this kind of malware and prevent it from infecting the system.

I did a little research and found that Opera browser is the first to develop some kind of protection against clipboard malware and I can say that it works. After you copy the Bitcoin address, a pop-up appears with a message that the address has been copied and protected. Perhaps we can expect a similar feature on other browsers as well.

https://www.bleepingcomputer.com/news/security/opera-browser-working-on-clipboard-anti-hijacking-feature/
legendary
Activity: 1526
Merit: 1359
Did you ever take a look at the extension setting page? If I'm not mistaken, on Chrome, you can see the Chrome Web Store page for every installed extension, maybe the fake extension information is listed over there. I tried to look it up but couldn't find any. If there is, the scam extension should be reported.

I do not think this extension came from the official Google Chrome Web Store, that is probably why it was greyed out. OP said he installed some pirated software lately. In my experience, this is a very common way to get infected with malicious software and browser extensions.

Do not install programs from unofficial sources. They can give you more than you bargained for. ;)
legendary
Activity: 1932
Merit: 1273
Did you ever take a look at the extension setting page? If I'm not mistaken, on Chrome, you can see the Chrome Web Store page for every installed extension, maybe the fake extension information is listed over there. I tried to look it up but couldn't find any. If there is, the scam extension should be reported.

legendary
Activity: 2450
Merit: 1047

Coincidentally, I have Malwarebytes' premium trial for the past few days, and it didn't help.

This is very alarming, and we all thought that Malwarebytes is good at combating clipboard malware. I have Kaspersky and Avira here, and checking my extensions so far, there is none in my extensions like what you've discovered. If you are just a user and you just rely on anti-virus, you have this; then how can you trust these anti-viruses? We have been like this because these anti-viruses promised to take care of everything; all we have to do is just upgrade to their premium plan.
hero member
Activity: 1680
Merit: 845
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created; thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I haven't found any information online about this malicious extension, so it's likely that it's relatively new. I found some similar extensions that have been used to steal user's data and they are mostly spread through illegally obtained programs (from a pirated source). Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?

Neither have I, it's frustrating. I could have never imagined that I'd have a malicious extension swapping coin addresses. I'll take a look through my downloads to see if I find anything suspicious.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor VirusTotal. I don't know what other measures I could possibly take to make such a threat public.
You could start by switching from Chrome to the Firefox browser, or even better, the Firefox fork called LibreWolf.
The next step you could take is switching from wiNd0ws to a Linux OS like Fedora or Debian, so you won't need to install any antivirus software, which is mostly just security theater.
I would avoid installing many extensions, and I would be careful installing anything on my computer, especially pirated software, but the risk would be much lower with Linux.
I would, but Chrome is synchronizing everything through my Gmail account, something I find extremely convenient.

To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created; thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I can't claim that having Malwarebytes Premium would have helped in your case, but I've been using it for years in combination with a respectable antivirus package and I don't remember the last time I had problems with viruses/malware. It is possible that this malware can still get past any protections, but it is possible that some premium protection would warn you about this problem and put that file in quarantine.

To begin with, try to change your browser, and then do not download any pirated content - because there is really no need for that, given that very cheap licenses for the most popular software can be found on the Digital goods board of our forum.
Coincidentally, I have Malwarebytes' premium trial for the past few days, and it didn't help.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created; thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I can't claim that having Malwarebytes Premium would have helped in your case, but I've been using it for years in combination with a respectable antivirus package and I don't remember the last time I had problems with viruses/malware. It is possible that this malware can still get past any protections, but it is possible that some premium protection would warn you about this problem and put that file in quarantine.

To begin with, try to change your browser, and then do not download any pirated content - because there is really no need for that, given that very cheap licenses for the most popular software can be found on the Digital goods board of our forum.
hero member
Activity: 1456
Merit: 940
🇺🇦 Glory to Ukraine!
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created; thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I haven't found any information online about this malicious extension, so it's likely that it's relatively new. I found some similar extensions that have been used to steal user's data and they are mostly spread through illegally obtained programs (from a pirated source). Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?
legendary
Activity: 2212
Merit: 7064
On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.
You could start by switching from Chrome to the Firefox browser, or even better, the Firefox fork called LibreWolf.
The next step you could take is switching from wiNd0ws to a Linux OS like Fedora or Debian, so you won't need to install any antivirus software, which is mostly just security theater.
I would avoid installing many extensions, and I would be careful installing anything on my computer, especially pirated software, but the risk would be much lower with Linux.
hero member
Activity: 1680
Merit: 845
From what you wrote, it seems that you use certain security solutions; the only question is, do you have proactive protection when it comes to Malwarebytes, and do you use any other AV besides Windows Defender? There is no doubt that this malware somehow found a way to get into your computer; the only question is how?

I always rely on premium security software with an always updated OS and I don't download any suspicious files, but sometimes it seems that even that is not enough to protect against infection. From your example, maybe we can learn that we should check the extensions we have in the browser as often as possible, and that maybe we should avoid Chrome and use some other browsers like Firefox, which is much better when it comes to privacy anyway.
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created; thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
From what you wrote, it seems that you use certain security solutions; the only question is, do you have proactive protection when it comes to Malwarebytes, and do you use any other AV besides Windows Defender? There is no doubt that this malware somehow found a way to get into your computer; the only question is how?

I always rely on premium security software with an always updated OS and I don't download any suspicious files, but sometimes it seems that even that is not enough to protect against infection. From your example, maybe we can learn that we should check the extensions we have in the browser as often as possible, and that maybe we should avoid Chrome and use some other browsers like Firefox, which is much better when it comes to privacy anyway.
legendary
Activity: 3416
Merit: 1225
Was this virus one of those clipboard viruses that changes the address you copy to the scammer's one? Or is this a new kind where you don't even see the real address on Binance, only the scammer's?

If it's the latter, holy shit, how can someone actually protect himself from it? Since running an antivirus scan doesn't reveal anything.
Nope, it's not the well-known clipboard virus. It actually displayed the scammer's addresses instead of the actual ones. Binance's support agent was genuinely frustrated at first.

You have the whole community thanking you for not giving up and taking the time and effort to check your machine. If this was not caught by your anti-virus, then everybody here is at risk if they are not checking the address. This is another scheme by hackers to steal coins; awareness is the key when transacting. You have to not only double-check but triple-check addresses; we never know if we have this, even if we have these popular antiviruses.
hero member
Activity: 1680
Merit: 845
Was this virus one of those clipboard viruses that changes the address you copy to the scammer's one? Or is this a new kind where you don't even see the real address on Binance, only the scammer's?

If it's the latter, holy shit, how can someone actually protect himself from it? Since running an antivirus scan doesn't reveal anything.
Nope, it's not the well-known clipboard virus. It actually displayed the scammer's addresses instead of the actual ones. Binance's support agent was genuinely frustrated at first. This is before deleting the extension.

And this is after deleting it, displaying the address support indicated as theirs.

hero member
Activity: 2996
Merit: 598
Leading Crypto Sports Betting & Casino Platform
After this post, I immediately checked all my extensions and checked if there are extensions on it that I don't remember putting in my browser. Everybody should know this, and it is riskier because they cannot be traced by anti-virus. If you haven't done an extensive review of your extensions, you will not know this, because all this time we trust everything that comes from Google. I wonder, is it really coming from Google? I'm sure it's not.
member
Activity: 84
Merit: 10
Was this virus one of those clipboard viruses that changes the address you copy to the scammer's one? Or is this a new kind where you don't even see the real address on Binance, only the scammer's?

If it's the latter, holy shit, how can someone actually protect himself from it? Since running an antivirus scan doesn't reveal anything.
hero member
Activity: 1680
Merit: 845
Thank you for the warning OP. I would've never suspected the Google sheet extension to be the malware responsible for changing addresses.
btw, if an extension is grayed out doesn't that mean it's been disabled by the navigator?
This malware seems more dangerous even than the clipboard hijacker malware because it changes the actual address from source and therefore there is no way you would suspect it's been changed.

I would wipe out my computer's hard drive and reinstall the OS if I were you, though!
This time I was extremely lucky, because a few days ago I was actually planning on moving my funds from Binance in an attempt to find a better APY. Chances are that I would have lost my money.

Damn! So my initial suspicion was correct. Yes, I think you were very lucky considering how small the amount was. For this reason, it is always a good idea to precede each serious transaction with a smaller one to ensure that the funds will reach the intended destination.

Good detective work, by the way. It is too bad you could not figure out where you downloaded the extension to your browser. Who knows, there may even be different extensions infected with malware. Does anyone know why the extension name was greyed out?

My best guess is because it's not an actual functioning extension. A quick look at its main manifest.json file shows you what details it can present. If you click on any other extension, it opens up the extension or its settings (MetaMask wallet opens the wallet, Grammarly opens up preferences, etc.); the fake Google Sheets one didn't have an actual menu, thus it doesn't have anything to open and appears grayed out.

legendary
Activity: 2702
Merit: 3045
Top Crypto Casino
Thank you for the warning OP. I would've never suspected the Google sheet extension to be the malware responsible for changing addresses.
btw, if an extension is grayed out doesn't that mean it's been disabled by the navigator?
This malware seems more dangerous even than the clipboard hijacker malware because it changes the actual address from source and therefore there is no way you would suspect it's been changed.

I would wipe out my computer's hard drive and reinstall the OS if I were you, though!
legendary
Activity: 1526
Merit: 1359
This time I was extremely lucky, because a few days ago I was actually planning on moving my funds from Binance in an attempt to find a better APY. Chances are that I would have lost my money.

Damn! So my initial suspicion was correct. Yes, I think you were very lucky considering how small the amount was. For this reason, it is always a good idea to precede each serious transaction with a smaller one to ensure that the funds will reach the intended destination.

Good detective work, by the way. It is too bad you could not figure out where you downloaded the extension to your browser. Who knows, there may even be different extensions infected with malware. Does anyone know why the extension name was greyed out?
hero member
Activity: 1680
Merit: 845
This thread is a follow-up of the previous thread I created, regarding a lost XRP deposit. For those who haven't read it and have limited time, I'll summarize.

(https://bitcointalksearch.org/topic/ripple-deposit-never-received-5408926)

I tried depositing XRP from Kraken to Binance; my deposit was never credited to my account, which got me frustrated, thinking I'd done something wrong. After several users suggested it, I contacted Binance, and they told me that this wasn't their XRP address and recommended that I install Binance's app on my phone. To my surprise, the address I had on my phone was different from the one on my computer. The same thing occurred if I tried depositing other coins, such as BTC or ETH. I was baffled; the support agent mentioned that it's probably malware on my computer.

I started with antivirus scans using Windows Defender and Malwarebytes; however, both showed no results. A few users suggested that it could be an extension on Chrome, so I decided to check, but nothing looked suspicious at first.

Google Sheets, ZenMate, uBlock, Grammarly, etc... Nothing suspicious, right? Except for the fact that I don't recall installing the Google Sheets extension, but I didn't think much of it, since I use Google services a lot (Drive, Docs, Excel). But I noticed that, for some strange reason, its name was grayed out, while the other extensions' weren't.

I deleted the extension, and Binance is now showing the proper address. Upon further investigation and opening its source file, I found that it contains JavaScript code that switches coin addresses with the scammer's address. On top of that, whenever I searched the scammer's XRP or BTC address, the tab would crash.

The issue is that I don't recall installing something like this on my own, unless it popped up and I accepted its installation without realizing it. The extension's folder was created on 23/07/2022; it's relatively new, and I can't remember if I downloaded any pirated software or what else.

This time I was extremely lucky, because a few days ago I was actually planning on moving my funds from Binance in an attempt to find a better APY. Chances are that I would have lost my money.
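The giveaway the OP found in the extension's source, JavaScript that rewrites the deposit address shown on the page to the scammer's, has a property worth exploiting when checking other extensions: a swapper has to carry a real, spendable address somewhere in its files, and a real legacy Bitcoin address has a valid Base58Check checksum, which random identifier-looking strings in minified code do not. The scanner below is an added example written for this thread, not the extension's code or anyone's from the thread; it walks an extension folder, pulls out every address-shaped literal, and verifies the checksum for legacy BTC addresses (bech32 and XRP are matched on shape only here). The embedded JavaScript is a constructed stand-in, and the BTC literal in it is the well-known genesis address, used only because its checksum is known to be valid.

```python
"""Hunt an extension's JS for hard-coded coin addresses, which is what gives a
DOM-rewriting swapper away. Added example; not the thread's or the extension's code."""
import hashlib
import os
import re
import sys

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PATTERNS = {
    # legacy P2PKH/P2SH, verified with Base58Check below
    "btc_legacy": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    # bech32/bech32m and XRP: shape only, no checksum check in this example
    "btc_bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{25,87}\b"),
    "xrp":        re.compile(r"\br[1-9A-HJ-NP-Za-km-z]{24,34}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
SCAN_EXT = (".js", ".json", ".html")


def base58check_ok(addr: str) -> bool:
    """Decode to 25 bytes (1 version + 20 hash + 4 checksum) and verify that
    the checksum is the first 4 bytes of double-SHA256 over the rest."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def scan_text(text: str, source: str = "<inline>") -> list:
    """Return every address-shaped literal in text with kind, line and
    (for legacy BTC) whether its checksum is valid, i.e. a real spendable target."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            addr = m.group(0)
            hits.append({
                "source": source,
                "line": text.count("\n", 0, m.start()) + 1,
                "kind": kind,
                "address": addr,
                "valid": base58check_ok(addr) if kind == "btc_legacy" else None,
            })
    return sorted(hits, key=lambda h: (h["source"], h["line"]))


def scan_dir(root: str) -> list:
    """Walk an extension folder (e.g. Extensions/<id>/<version>/) and scan its files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits.extend(scan_text(fh.read(), path))
    return hits


# Constructed stand-in for a swapper's content script; the BTC literal is the
# well-known genesis address, used here only because its checksum is valid.
SAMPLE_JS = """// constructed sample, not the real extension's code
const SWAP = {
  btc: "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
  eth: "0x0000000000000000000000000000000000000000",
  xrp: "rExampLeXrpAddressForTheScan12345",
};
const legacyBtc = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/g;
document.body.innerHTML = document.body.innerHTML.replace(legacyBtc, SWAP.btc);
"""

if __name__ == "__main__":
    hits = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_JS, "sample.js")
    for h in hits:
        flag = {True: "checksum ok", False: "bad checksum", None: "unverified"}[h["valid"]]
        print("%s:%d %-10s %s (%s)" % (h["source"], h["line"], h["kind"], h["address"], flag))
```

Run it against each folder under Extensions (and any stray "Extension" directory) with Chrome closed; a legacy address that passes the checksum inside an extension that has no business holding one is worth looking up on a block explorer before anything else. A swapper can still hide its address base64-encoded, split across variables or fetched from a server at runtime, so an empty result does not clear an extension; the manifest permissions and the install origin remain the stronger signals.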