HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Silent Swap Crypto‑Clipper Hijacks Fake Google Notes Extension to Steal Wallet Addresses

Researchers uncovered the Silent Swap campaign, a malicious browser extension that masquerades as a Google Notes add‑on and silently replaces cryptocurrency wallet addresses during transactions. The incident highlights the need for robust vendor‑risk controls and continuous monitoring to meet SOC 2 audit requirements.

LiveThreat™ Intelligence · 📅 June 30, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
2 recommended
📰
Source
thehackernews.com

Silent Swap Crypto‑Clipper Hijacks Fake Google Notes Extension to Steal Wallet Addresses

What Happened — Researchers identified a malicious browser‑extension campaign dubbed “Silent Swap” that masquerades as a Google Notes add‑on. The unsigned installer (available in .NET and Golang builds) replaces cryptocurrency wallet addresses on‑the‑fly, diverting funds to attacker‑controlled wallets.

Why It Matters for Compliance & Audit Readiness

  • The attack exploits a third‑party software supply‑chain gap—exactly the type of vendor‑risk scenario SOC 2 CC 1.1 (Vendor Management) is designed to identify, monitor, and evidence.
  • Continuous monitoring of installed extensions and third‑party code provides audit‑ready proof that your organization performed due‑diligence and mitigated the risk before a loss occurred.

Who Is Affected — Primarily cryptocurrency users and platforms that allow browser‑based wallet interactions; broadly impacts fintech, crypto‑exchange services, and any organization that permits employee use of browser extensions for financial workflows.

Recommended Actions

  • Inventory all browser extensions across corporate devices and map them to your vendor‑risk register.
  • Enforce a policy that only signed, vetted extensions may be installed; integrate continuous monitoring tools that flag unsigned or newly‑added add‑ons.
  • Document the review process and retain evidence (screenshots, logs) to satisfy SOC 2 audit requirements for vendor‑management controls.

Technical Notes — The Silent Swap payload is delivered via unsigned installers written in .NET or Golang. Once installed, it hooks the browser’s DOM to replace any detected wallet address with an attacker‑controlled address before the transaction is signed. No CVE is associated; the vector is a supply‑chain abuse of a trusted‑looking extension. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/06/silent-swap-crypto-clipper-uses-fake.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →