{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T18:00:18Z","timestamp":1761760818653,"version":"build-2065373602"},"reference-count":24,"publisher":"Association for Computing Machinery (ACM)","issue":"11","license":[{"start":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T00:00:00Z","timestamp":1761696000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/publication-rights-and-licensing-policy"}],"funder":[{"name":"Australian Research Council Discovery Projects","award":["DP240103068"],"award-info":[{"award-number":["DP240103068"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Commun. ACM"],"published-print":{"date-parts":[[2025,11]]},"abstract":"<jats:p>\n                    The popularity of cryptocurrencies has led to the growth of browser extensions, including malicious ones that cause financial losses and evade vetting processes. We conduct a systematic study to identify and characterize cryptocurrency-themed malicious extensions. By monitoring seven extension distribution venues for 18 months \u00a0(December 2020 to June 2022) and collecting around 3,600 unique extensions, we identify 186 malicious extensions in five categories. We analyze their distribution channels, life cycles, developers, behaviors, and illegal gains, revealing their\n                    <jats:italic toggle=\"yes\">status quo<\/jats:italic>\n                    , disguises, and programmatic features. Our work unveils the\n                    <jats:italic toggle=\"yes\">status quo<\/jats:italic>\n                    of the cryptocurrency-themed malicious extensions and reveals the disguises and programmatic features on which detection techniques can be based. Our work serves as a warning to extension users, and as an appeal to extension store operators to enact dedicated countermeasures. To facilitate future research in this area, we release our dataset of the identified malicious extensions and open source our analyzer.\n                  <\/jats:p>","DOI":"10.1145\/3715673","type":"journal-article","created":{"date-parts":[[2025,10,23]],"date-time":"2025-10-23T16:24:42Z","timestamp":1761236682000},"page":"93-101","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Characterizing Cryptocurrency-Themed Malicious Browser Extensions"],"prefix":"10.1145","volume":"68","author":[{"given":"Guangdong","family":"Bai","sequence":"first","affiliation":[{"name":"University of Queensland, Brisbane, Australia"}]},{"given":"Kailong","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"given":"Yuxi","family":"Ling","sequence":"additional","affiliation":[{"name":"National University of Singapore, School of Computing, Singapore, Singapore"}]},{"given":"Yanjun","family":"Zhang","sequence":"additional","affiliation":[{"name":"University of Technology Sydney, Sydney, Australia"}]},{"given":"Zhou","family":"Yu","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"given":"Haoyu","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"given":"Beng Chin","family":"Ooi","sequence":"additional","affiliation":[{"name":"National University of Singapore, Singapore, Singapore"}]},{"given":"Jin Song","family":"Dong","sequence":"additional","affiliation":[{"name":"National University of Singapore, Singapore, Singapore"}]}],"member":"320","published-online":{"date-parts":[[2025,10,29]]},"reference":[{"key":"e_1_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/1995376.1995398"},{"key":"e_1_3_1_4_2","unstructured":"Bitcoin Abuse Database;\u00a0https:\/\/www.bitcoinabuse.com."},{"key":"e_1_3_1_5_2","unstructured":"CipherTrace. Cryptocurrency Crime and Anti-Money Laundering Report. (2020); https:\/\/tinyurl.com\/262wyzrh."},{"key":"e_1_3_1_6_2","unstructured":"CoinMarketCap;\u00a0https:\/\/coinmarketcap.com"},{"key":"e_1_3_1_7_2","unstructured":"Compare cryptocurrency wallets;\u00a0https:\/\/tinyurl.com\/29cgx5l8"},{"key":"e_1_3_1_8_2","unstructured":"CryptoScamDB;\u00a0https:\/\/cryptoscamdb.org"},{"key":"e_1_3_1_9_2","unstructured":"Extension Dataset;\u00a0https:\/\/tinyurl.com\/2yxqjvbf"},{"key":"e_1_3_1_10_2","unstructured":"McIntosh R. Fake ledger Chrome extension crypto scam may have stolen up to $2.5M. Finance Magnates (2020);\u00a0https:\/\/tinyurl.com\/2cybb4fh."},{"key":"e_1_3_1_11_2","unstructured":"Discovering fake browser extensions that target users of Ledger Trezor MEW Metamask and more. The Official MyCrypto Blog (April 2020); https:\/\/tinyurl.com\/27mhf9lc"},{"key":"e_1_3_1_12_2","first-page":"641","article-title":"Hulk: Eliciting malicious behavior in browser extensions","author":"Kapravelos A.","year":"2014","unstructured":"Kapravelos, A. et al. Hulk: Eliciting malicious behavior in browser extensions. In Proceedings of\u00a0USENIX Security 14\u00a0(2014),\u00a0641\u2013654.","journal-title":"Proceedings of\u00a0"},{"key":"e_1_3_1_13_2","doi-asserted-by":"crossref","unstructured":"Lee S. et al. Cybercriminal minds: an investigative study of cryptocurrency abuses in the Dark Web. In Network and Distributed System Security Symp.\u00a0(2019) \u00a01\u201315.","DOI":"10.14722\/ndss.2019.23055"},{"key":"e_1_3_1_14_2","doi-asserted-by":"crossref","unstructured":"Ling Y. et al. Are they toeing the line? Diagnosing privacy compliance violations among browser extensions. In Proceedings of the 37th IEEE\/ACM Intern. Conf. on Automated Software Engineering\u00a0(2022).","DOI":"10.1145\/3551349.3560436"},{"key":"e_1_3_1_15_2","unstructured":"mitmproxy;\u00a0https:\/\/mitmproxy.org"},{"key":"e_1_3_1_16_2","unstructured":"MonkeyLearn. https:\/\/monkeylearn.com\/sentiment-analysis"},{"key":"e_1_3_1_17_2","unstructured":"Jagpal N. et al. Trends and lessons from three years fighting malicious extensions.\u00a0USENIX Security\u00a0(2015) \u00a0579\u2013593."},{"key":"e_1_3_1_18_2","doi-asserted-by":"crossref","unstructured":"Pantelaios N. Nikiforakis N. and Kapravelos A. You\u2019ve changed: Detecting malicious browser extensions through their update deltas. In Proceedings of the 2020 ACM SIGSAC Conf. on Computer and Communications Security \u00a0477\u2013491.","DOI":"10.1145\/3372297.3423343"},{"key":"e_1_3_1_19_2","doi-asserted-by":"crossref","unstructured":"Som\u00e9 D.F. Empoweb: Empowering Web applications with browser extensions. In Proceedings of the IEEE Symp. on Security and Privacy\u00a0(2019)\u00a0227\u2013245.","DOI":"10.1109\/SP.2019.00058"},{"key":"e_1_3_1_20_2","unstructured":"The Selenium Project;\u00a0https:\/\/www.selenium.dev"},{"key":"e_1_3_1_21_2","doi-asserted-by":"crossref","unstructured":"Thomas K. et al. Ad injection at scale: Assessing deceptive advertisement modifications. In Proceedings of the IEEE Symp. on Security and Privacy\u00a0(2015) \u00a0151\u2013167.","DOI":"10.1109\/SP.2015.17"},{"key":"e_1_3_1_22_2","unstructured":"VirusTotal;\u00a0https:\/\/www.virustotal.com\/gui\/home."},{"key":"e_1_3_1_23_2","doi-asserted-by":"crossref","unstructured":"Wang Y. Cai W. Lyu P. and Shao W. A combined static and dynamic analysis approach to detect malicious browser extensions. Security and Communication Networks\u00a0(2018).","DOI":"10.1155\/2018\/7087239"},{"issue":"3","key":"e_1_3_1_24_2","article-title":"Trade or trick? Detecting and characterizing scam tokens on Uniswap decentralized exchange","author":"Xia P.","year":"2021","unstructured":"Xia, P. et al. Trade or trick? Detecting and characterizing scam tokens on Uniswap decentralized exchange. In\u00a0Proceedings of the ACM on Measurement and Analysis of Computing Systems 5, 3\u00a0(2021).","journal-title":"Proceedings of the ACM on Measurement and Analysis of Computing Systems 5"},{"key":"e_1_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101993"},{"key":"e_1_3_1_26_2","doi-asserted-by":"crossref","unstructured":"Xing X. et al. Understanding malvertising through ad-injecting browser extensions. In Proceedings of the 24th Intern. Conf. on the World Wide Web\u00a0(2015) \u00a01286\u20131295.","DOI":"10.1145\/2736277.2741630"}],"container-title":["Communications of the ACM"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3715673","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T17:56:59Z","timestamp":1761760619000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3715673"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,29]]},"references-count":24,"journal-issue":{"issue":"11","published-print":{"date-parts":[[2025,11]]}},"alternative-id":["10.1145\/3715673"],"URL":"https:\/\/doi.org\/10.1145\/3715673","relation":{},"ISSN":["0001-0782","1557-7317"],"issn-type":[{"type":"print","value":"0001-0782"},{"type":"electronic","value":"1557-7317"}],"subject":[],"published":{"date-parts":[[2025,10,29]]},"assertion":[{"value":"2025-10-29","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}