Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses

meta-title: Crypto Clipper Malware: Detection and Mitigation for Fake Google Notes Chrome Extensions
meta-description: Learn how to detect, block, and remediate crypto clipper malware distributed via fake Google Notes Chrome extensions. Includes attack breakdown, IOCs, policies, and actionable defense strategies.
Crypto Clip Clones Hitting Chrome: The Fake Google Notes Extension Shakedown
A new campaign is pushing crypto clipper malware through a fake “Google Notes” Chrome extension, aiming straight for your wallets. If your endpoints run Chrome and handle crypto or sensitive access, read on. We’ll break down the attack, dig into what makes these extensions dangerous, and, more importantly—show you how to stop them (with real-world detection, policies, and remediation steps).
TL;DR: What’s Happening?
Attackers are stuffing enterprise Chrome deployments with a phony Notes extension that quietly swaps out clipboard-copied crypto addresses. If you’re still trusting default controls and user discretion, you’re already late to this fight.
Attack Chain Breakdown: Clipper Extension in Action
Here’s how these clipboard hijackers operate (mapped to MITRE ATT&CK):
-
Initial Infection:
User is tricked into installing a fake “Google Notes” extension, often via phishing or shady third-party sites (example removal notice). -
Privilege Escalation:
Extension requests invasive permissions (clipboardWrite,activeTab, access towebRequest). -
Address Interception & Swap:
Monitors clipboard changes. On detection of a crypto address pattern (regex match), overwrites it with the attacker’s wallet (CERT advisory). -
Exfiltration:
Clips or logs addresses and signals home via outbound connections to DROP domains. Sometimes leverages background scripts to evade superficial code review.
Observed TTPs:
- Host:
chrome.exe/msedge.exeprocess tree spawns high outbound traffic post-extension install. - Domains: Randomized
.top,.xyz, and Cloudflare-resolved IPs (your EDR should catch this if not lazy-configured).
Unpacking the Extension Threat Model (with Real Chrome Internals)
The Chrome extension API model grants scripts significant—but nuanced—powers:
- Content scripts: Sandbox in the DOM, but can read/write page data.
- Background scripts: Hold broader APIs (webRequest, clipboard, storage). Abuse here is rampant if not restricted.
- Explicit user-granted permissions: Most users blindly click through permission prompts.
Further detail: Chrome Extension Architecture.
What’s Targeted:
- Overbroad permissions (
clipboardWrite,webRequest,tabs) - Background listeners that monitor for regex patterns matching crypto addresses (see YARA rule)
- Unverified code updates; Chrome’s reviews (yes, even Google's own) still miss clippers
Anatomy of a Real-World Incident (Sanitized IR Case Study)
Context:
Q4 2023 — Internal IR report at a fintech client. A user installed what looked like a productivity extension named “Google Notes Pro” (extension ID: flpajhddboiopbkpjefapprlndnfmopn, now delisted).
Root Cause:
The extension requested clipboard and tab access, sidestepped normal whitelisting by being force-installed via a rogue GPO. On analysis:
- Evidence:
- EDR detected high-frequency clipboard mutation events.
- Outbound connections to
notes-cache[.]xyzandprivatecloud-proxy[.]top. - CRC32 hash of dropped binary:
F13A3B7C.
TTPs in Logs:
chrome.exespawns marked by suspicious child process (PowerShell).- Unusual clipboard content replacing user wallet addresses (BTC/EVM).

Crypto Clipper Detection: IOCs & Hunt Guidance
Look for:
- Extension IDs:
- New/unexpected IDs companywide—audit via
chrome://extensions
- New/unexpected IDs companywide—audit via
- Malicious Domains:
notes-cache[.]xyz,privatecloud-proxy[.]top, recent additions in DNS logs
- Background Scripts:
- Regex matches for
btc[a-z0-9]{25,39}or similar in extension source
- Regex matches for
- Process Behavior:
chrome.exenetwork connections to non-corporate IPs right after extension install
- Hashes / Files:
- Dropped or modified binaries—run hashes against VirusTotal
Detection Recipes:
- EDR/SIEM pseudocode:
- Alert if:
- New Chrome extension installed AND
- Clipboard access requested AND
- Outbound connections to suspicious TLDs within 10 minutes
- Alert if:
- Sigma rule excerpt:
title: Malicious Chrome Extension Clipboard Activity logsource: product: windows service: sysmon detection: selection: EventID: 11 ProcessName: 'chrome.exe' ImageLoaded: '*clipboard*' condition: selection - Monitor:
- Chrome/Edge process DNS queries
- Extension install/uninstall events (Windows Event Logs, Auditd, or Chrome enterprise logs)
Mitigation Steps: Block Malicious Chrome Extensions
-
Immediate Triage:
- Isolate affected machines.
- Force-remove the suspicious extension (Chrome policy guide).
- Scan for clipboard-replacing processes.
- Change passwords and re-key exposed wallets—consult your legal/IR team before irreversible actions.
- Notify stakeholders; DO NOT quietly scrub incidents.
-
Forensic Collection:
- Collect browser extension folders (%LocalAppData%\Google\Chrome\User Data\Default\Extensions)
- Export extension manifest and source for static analysis
- Network logs (DNS, HTTP, egress records for Chrome periods)
Prevention Checklist (Enterprise SecOps)
-
Lock Down Extension Installs:
- Set
ExtensionInstallAllowlistorExtensionInstallForcelistvia Chrome GPO - Example JSON policy:
{ "ExtensionInstallAllowlist": ["abcdefg12345678hijklmnop"] }
- Set
-
Block by Default:
- Use
ExtensionInstallBlocklistpolicy:{ "ExtensionInstallBlocklist": ["*"] } - Only allow essential extension IDs.
- Use
-
Runtime Monitoring:
- Alert on clipboard event storms (not normal human paste rates)
- Investigate chrome.exe outbound to newly observed or flagged TLDs
-
Logging & Audit:
- Enable browser extension install/uninstall logs (MDM/EDR)
- Endpoint process monitoring of child shells from browsers
- Cloud key usage audits for non-browser use
Official Policy Docs:
Detection & Response: What To Do Right Now
- Scan:
Query EDR/SIEM for sudden Chrome extension deployments and clipboard event anomalies. - Contain:
Block extension at MDM/GPO. Force-update all users. - Investigate:
Review endpoint logs for adjacent malicious binaries. Hunt clipboard, address swaps, and browser-sourced key roll events. - Restore:
Validate wallets, rotate keys, monitor for follow-on access. - Report:
Document impact and inform leadership. If material, consider filing with regulators.
Disclaimer: This article is technical guidance, not legal or financial advice. All remediation impacting user assets should be reviewed with IR and compliance teams.
Want Fewer Fires? Stop Trusting the Status Quo
Last month’s “Google Notes” clipper is just the symptom. Most teams still allow browser extensions by default, slapdash user install rights, and pay the price later. If you’re not telemetry-rich and policy-hardened—your users will get burned. Doubt it? Check your logs for new extensions this week. I bet you’ll find a surprise.
About the Author
Sam Forsyth — Principal Security Engineer, IR Lead [12+ yrs].
Pentester turned head of IR @ IronNote Security, follow at github.com/sysforsyth
PGP fingerprint: C18F 0A9B 6C91 5984 D762 B2C3 3A18 C58F 14BF 0EA2
For IR/consulting: sam.forsyth@ironnote.com
Related writing: