Chrome malware targets cryptocurrency, spreads through Facebook’s Messenger

A phishing scam via Facebook Messenger has led to the spread of "FacexWorm."
( Flickr user <a href="">Christoph Scholz</a>

Researchers with cybersecurity firm Trend Micro have uncovered a malicious extension in Google’s Chrome web browser that uses a multitude of methods to steal and mine cryptocurrency from infected users.

The malware, which Trend Micro calls “FacexWorm”, makes its way onto a victim’s browser via social engineering tactics conducted through Facebook Messenger. A target would receive a link leading to a fake YouTube page that would prompt the user to install an extension in order to play the video. Once the extension is installed, it’s programmed to hijack users’ Facebook accounts and spread the link throughout their friends list.

FacexWorm appears to be a Swiss Army knife of cryptocurrency-oriented malware. According to Trend Micro, the malicious extension has various capabilities:

  • If an infected user tries logs into Google, MyMonero or Coinhive, FacexWorm will intercept the credentials.
  • When a victim tries to go to a specified set of cryptocurrency trading platforms, they get redirected to a scam site that requests a small amount of Ether, ostensibly for verification purposes.
  • If FacexWorm detects that a user is on a cryptocurrency transaction page, the extension replaces the wallet address entered by the user with another one from the attacker. Trend Micro says currencies targeted include bitcoin, Bitcoin Gold, Bitcoin Cash, Dash, Ethereum, Ethereum Classic, Ripple, Litecoin, Zcash and Monero.
  • Trying to go to certain websites will redirect a victim to a referral link that rewards the attacker.
  • And, of course, FacexWorm has a cryptojacking component, using the victim’s processor to mine for cryptocurrency.

If an affected user appears to be trying to remove the malicious plugin, it has ways of stopping them, Trend Micro says. If a user tries opening Chrome’s extension management page, the malware will simply close the tab.


FacexWorm reportedly first surfaced last year. But it appears to be adware-oriented in its first iteration and hasn’t been very active until Trend Micro noticed it last month.

Trend Micro says it’s only discovered one instance in which FacexWorm compromised a bitcoin transaction, according to the attacker’s digital wallet address, but that that there’s no way to tell for sure how much the attackers have actually profited.

The attacker is persistently trying to upload more FacexWorm-infected extensions to the Chrome Web Store, the researchers say, but Google is proactively removing them. Trend Micro says Facebook, with which it has a partnership, has automated measures that detect the bad links and block their spread.

Latest Podcasts