A cryptocurrency scam known as "ShieldGuard" has been dismantled after researchers identified it as a malicious browser extension designed to harvest sensitive user data.

The operation, uncovered by Okta Threat Intelligence and described in an advisory published on March 17, initially presented itself as a security tool aimed at protecting crypto wallets from phishing and harmful smart contracts.

ShieldGuard combined social media promotion, a browser extension listing and a token "airdrop" incentive model to attract users. Participants were encouraged to download the extension and promote it in exchange for future cryptocurrency rewards.

The project claimed its software could detect suspicious transactions before users approved them. However, analysis revealed a very different purpose.

Malware Capabilities Revealed

Okta found the extension was built to extract valuable information from users interacting with major crypto platforms, including Binance, Coinbase and MetaMask. It also targeted general browsing activity and Google services.

Key capabilities included:

• Harvesting wallet addresses across all visited websites

• Capturing full HTML content from crypto platforms after login

• Tracking users persistently across sessions

• Executing remote code via a command-and-control (C2) server

The malware also used obfuscation and a custom JavaScript interpreter to bypass Chrome security restrictions. This allowed attackers to deliver and execute code dynamically without triggering standard protections.

Read more on cryptocurrency scams: Crypto Hack Losses in First Half of 2025 Exceed 2024 Total

Further investigation showed the infrastructure enabled attackers to collect account balances, transaction histories and portfolio data. In some cases, users could be redirected to fake warning pages controlled by the attackers.

Links to Wider Campaign and Takedown

Evidence suggested the operators may be Russian-speaking, based on language indicators in the code. Researchers also identified links to another campaign known as "Radex," indicating a broader threat network.

Okta worked with industry partners to disrupt the operation by:

• Removing the extension from the Chrome Web Store

• Taking down associated domains

• Disabling backend infrastructure

• Blocking user sign-in functionality

These actions effectively severed communication between infected browsers and the attackers' servers. Users are advised to limit plugin use, verify sources and treat offers of free tokens with caution.