Malicious Chrome Extension Steals MEXC API Keys by Masquerading as Trading Tool
Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that's capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries, while masquerading as a tool to automate trading on the platform. The extension, named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), has 29 downloads and is still
AI Analysis
Technical Summary
The threat involves a malicious Chrome extension named 'MEXC API Automator' (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) that targets users of the MEXC centralized cryptocurrency exchange, which operates in over 170 countries. The extension, published on September 1, 2025, and still available with 29 downloads, claims to simplify trading bot integration by automating API key creation. However, it programmatically creates new API keys with full permissions, including withdrawal rights, during an authenticated session when the user visits MEXC's API management page. It manipulates the UI to hide withdrawal permissions, deceiving users into believing these rights are disabled. Once keys are generated, the extension exfiltrates the Access Key and Secret Key via HTTPS POST requests to a hardcoded Telegram bot controlled by the attacker. This grants the attacker full control over the victim's MEXC account, enabling unauthorized trades and fund withdrawals. The attack exploits the authenticated browser session, eliminating the need for password theft or authentication bypass. The extension uses the Chrome Web Store for delivery, the MEXC web UI for execution, and Telegram for data exfiltration. The threat actor is linked to the developer handle 'jorjortan142' and associated Telegram and social media presence. The attack technique can be adapted to other exchanges or financial platforms issuing API tokens in-session, potentially increasing future risks. No known exploits in the wild have been reported yet, but the threat remains active as long as the API keys are valid.
Potential Impact
For European organizations and individuals using MEXC, this threat poses a significant risk of financial loss through unauthorized trades and withdrawals. Compromise of API keys can lead to complete account takeover without triggering traditional authentication alerts. Organizations with employees trading on MEXC or managing corporate crypto assets via this platform could face direct financial theft and secondary impacts such as reputational damage and regulatory scrutiny. The stealthy UI manipulation increases the likelihood of prolonged undetected compromise. Given MEXC's global reach, European users are vulnerable, especially in countries with high cryptocurrency adoption or where MEXC has substantial market penetration. The threat could also facilitate laundering or unauthorized fund movements impacting compliance and AML controls. If attackers adapt this technique to other exchanges or DeFi platforms popular in Europe, the broader financial ecosystem could be at risk. The use of Telegram for exfiltration complicates attribution and response efforts.
Mitigation Recommendations
1. Immediately uninstall the 'MEXC API Automator' Chrome extension and any other unverified or suspicious extensions from browsers used to access MEXC.
2. Revoke all existing API keys on MEXC accounts and generate new keys only after ensuring no malicious extensions are installed.
3. Educate users and employees about the risks of installing browser extensions from untrusted sources, emphasizing the dangers of extensions requesting broad permissions.
4. Implement endpoint security solutions capable of detecting and blocking malicious browser extensions or unusual API key creation activities.
5. Monitor MEXC account activity for unusual trades or withdrawals and set up alerts for API key creation events if supported.
6. Encourage the use of hardware wallets or multi-factor authentication methods where possible to reduce reliance on API keys with withdrawal permissions.
7. Engage with MEXC support to report the malicious extension and request enhanced security controls around API key management.
8. Consider network-level controls to block known exfiltration channels such as suspicious Telegram bot endpoints.
9. Regularly audit browser extensions and conduct security awareness training focused on social engineering and supply chain risks.
10. For organizations, enforce policies restricting installation of browser extensions on corporate devices.
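As an added example, not code from the article or from the analysis above: a Python audit script for recommendations 1, 4 and 9 that walks a Chrome profile's Extensions directory, flags the extension ID reported above, and flags any extension whose manifest grants host access to mexc.com or to all sites. The Chrome profile layout (Extensions/<id>/<version>/manifest.json, default Linux path ~/.config/google-chrome/Default) is an assumption, and the sample manifest is constructed for illustration, not the real extension's manifest.

```python
"""Audit a Chrome profile's extensions for the ID reported above and for host
patterns that would let an extension act inside a logged-in MEXC session."""
import json
import re
from pathlib import Path

KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}  # ID from the advisory above
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every site, MEXC included
MEXC_HOST = re.compile(r"^(?:\*|https?)://(?:[\w*-]+\.)*mexc\.com/", re.I)  # mexc.com + subdomains

# Constructed sample manifest (assumption, not the real extension's): MV3, content script on MEXC, Telegram host.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "MEXC API Automator",
                   "host_permissions": ["*://*.mexc.com/*", "https://api.telegram.org/*"],
                   "content_scripts": [{"matches": ["https://www.mexc.com/*"], "js": ["c.js"]}]}

def hosts_from_manifest(manifest: dict) -> set:
    """Collect every host match pattern an MV2 or MV3 manifest declares."""
    hosts = set(manifest.get("host_permissions", []))
    # MV2 lists host patterns inside "permissions"; keep only URL-like entries.
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return hosts

def assess(ext_id: str, manifest: dict) -> list:
    """Return the reasons an extension deserves review; an empty list means clean."""
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append("known malicious ID")
    hosts = hosts_from_manifest(manifest)
    if hosts & BROAD:
        reasons.append("broad host access: " + ", ".join(sorted(hosts & BROAD)))
    mexc = sorted(h for h in hosts if MEXC_HOST.match(h))
    if mexc:
        reasons.append("can run on MEXC pages: " + ", ".join(mexc))
    return reasons

def audit_profile(profile_dir: Path) -> dict:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json and map id -> reasons."""
    findings = {}
    for path in profile_dir.glob("Extensions/*/*/manifest.json"):
        ext_id = path.parent.parent.name
        try:
            reasons = assess(ext_id, json.loads(path.read_text("utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        if reasons:
            findings[ext_id] = reasons
    return findings
```

Run audit_profile(Path.home() / ".config/google-chrome/Default") on a Linux host; on macOS and Windows the profile directory lives elsewhere, and any extension the script reports should be reviewed and removed before MEXC API keys are rotated.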
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Switzerland
Technical Details
- Article Source: https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html (fetched 2026-01-13T17:25:37.947Z, 1183 words)
Threat ID: 69668011a60475309f936e5c
Added to database: 1/13/2026, 5:25:37 PM
Last enriched: 1/13/2026, 5:25:55 PM
Last updated: 2/7/2026, 4:18:50 AM