Ohm Shah
Co-Founder at Wallet Guard
Partnership Director at Wallet Guard
⚠️ Chromium Based Crypto Stealer ⚠️
🎯 Targeting Web3 🧵
🥷 Code Named: Rilide 🥷

🔍 High Level Breakdown:

  • Browser extension which modifies web pages
  • Deployed to users via Google Ads/RATs
  • Captures login credentials & bypasses 2FA
  • Injects scripts to auto-process requests 👇

A Chromium-based browser extension that masks itself as a legitimate app (in some instances Google Drive) automatically deploys malware upon installation.

"Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges." - Trustwave

The extension is mainly distributed through malicious Google Ads/RATs.⬇️

Malicious extension on Edge

The malware monitors the browsing history of the user & automatically injects scripts on known cryptocurrency websites.

Once a known website is accessed, input fields are replaced in order to grab the user's 2FA codes & automatically process the attacker's requests. ⬇️


When a withdrawal request is performed from an exchange, such as Binance, the receiving address is changed to the attacker's address.

Verification codes shown to the user are injected automatically, authorizing the attacker to swiftly gain access to the account. ⬇️


Scenarios like this reiterate the importance of proper security & device hygiene.

Although nothing is 100% secure, ensuring you are installing apps from legitimate sources is crucial.
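
One way to check installed extensions for the traits described above, as an added example that is not part of the original post or Wallet Guard's code: it scores a Chromium extension's `manifest.json` for a Google Drive lookalike name outside the store, browsing-history access, site-wide script injection and screenshot capability. The finding names, verdict thresholds and sample manifests are assumptions made for illustration.

```javascript
// Added example (not from the original post): heuristic audit of a Chromium
// extension manifest.json for the behaviours the post attributes to Rilide.
// Assumption: permission names are standard Chrome extension permissions;
// the post does not publish the malware's real manifest.
const STORE_UPDATE_URLS = [
  "https://clients2.google.com/service/update2/crx", // Chrome Web Store
  "https://edge.microsoft.com/extensionwebstorebase/v1/crx", // Edge Add-ons
];
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
const BRAND_PATTERNS = [/google\s*drive/i]; // brand the post says is imitated
const isBroad = (h) => BROAD_HOSTS.includes(h);

function auditManifest(m) {
  const perms = new Set(m.permissions || []);
  const scriptMatches = (m.content_scripts || []).flatMap((cs) => cs.matches || []);
  // MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
  const hostList = [...(m.host_permissions || []), ...perms];
  const broadHosts = hostList.some(isBroad);
  const findings = [];
  // Store installs keep the store's update_url on disk; sideloaded copies
  // usually have none. The field can be spoofed, so treat it as a hint.
  const fromStore = STORE_UPDATE_URLS.includes(m.update_url);
  if (!fromStore && BRAND_PATTERNS.some((re) => re.test(m.name || "")))
    findings.push("brand-lookalike-not-from-store");
  if (perms.has("history")) findings.push("reads-browsing-history");
  // MV2 can inject with host access alone; MV3 needs the scripting permission.
  const canScript = perms.has("scripting") || m.manifest_version === 2;
  if (scriptMatches.some(isBroad) || (broadHosts && canScript))
    findings.push("can-inject-scripts-on-any-site");
  // tabs.captureVisibleTab requires <all_urls> (or activeTab on user gesture).
  if (hostList.includes("<all_urls>")) findings.push("can-screenshot-visible-tab");
  const masquerade = findings.includes("brand-lookalike-not-from-store");
  const capabilities = findings.length - (masquerade ? 1 : 0);
  const verdict = masquerade && capabilities > 0 ? "block"
    : masquerade || capabilities >= 2 ? "review" : "ok";
  return { name: m.name, verdict, findings };
}

// Constructed sample manifests (not real samples).
const SAMPLES = [
  { name: "Google Drive", manifest_version: 3,
    permissions: ["history", "tabs", "scripting"], host_permissions: ["<all_urls>"] },
  { name: "Page Styler", manifest_version: 3, update_url: STORE_UPDATE_URLS[0],
    permissions: ["scripting", "history"], host_permissions: ["<all_urls>"] },
  { name: "Tab Notes", manifest_version: 3, update_url: STORE_UPDATE_URLS[0],
    permissions: ["storage"] },
];
const report = SAMPLES.map(auditManifest);
console.log(JSON.stringify(report, null, 2));
```

Localized manifests store the name as a `__MSG_...__` key, so a real audit would also resolve `_locales` before matching the brand pattern.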

To help protect your crypto assets be sure to grab Wallet Guard @

Sources //

Published on
September 5, 2023
