Silent Swap Crypto‑Clipper Hijacks Fake Google Notes Extension to Steal Wallet Addresses
What Happened — Researchers identified a malicious browser‑extension campaign dubbed “Silent Swap” that masquerades as a Google Notes add‑on. The unsigned installer (available in .NET and Golang builds) replaces cryptocurrency wallet addresses on‑the‑fly, diverting funds to attacker‑controlled wallets.
Why It Matters for Compliance & Audit Readiness
- The attack exploits a third‑party software supply‑chain gap—exactly the type of vendor‑risk scenario SOC 2 CC 1.1 (Vendor Management) is designed to identify, monitor, and evidence.
- Continuous monitoring of installed extensions and third‑party code provides audit‑ready proof that your organization performed due‑diligence and mitigated the risk before a loss occurred.
Who Is Affected — Primarily cryptocurrency users and platforms that allow browser‑based wallet interactions; broadly impacts fintech, crypto‑exchange services, and any organization that permits employee use of browser extensions for financial workflows.
Recommended Actions
- Inventory all browser extensions across corporate devices and map them to your vendor‑risk register.
- Enforce a policy that only signed, vetted extensions may be installed; integrate continuous monitoring tools that flag unsigned or newly‑added add‑ons.
- Document the review process and retain evidence (screenshots, logs) to satisfy SOC 2 audit requirements for vendor‑management controls.
Technical Notes — The Silent Swap payload is delivered via unsigned installers written in .NET or Golang. Once installed, it hooks the browser’s DOM to replace any detected wallet address with an attacker‑controlled address before the transaction is signed. No CVE is associated; the vector is a supply‑chain abuse of a trusted‑looking extension. Source: The Hacker News