Crypto Traders, You Are So Close to Losing Your Crypto (and How to Fix It in a Minute)

The cryptocurrency trend is conquering the world with Bitcoin recently hitting the enormous value of $56,000, and the market cap exceeding $1 trillion.

Many people have joined the party lately, resulting in an influx of users on exchanges such as Binance.com, Coinbase, Kraken, etc.

Depositing to an Exchange (and the Risks)

You’ve got $100 worth of Bitcoin (0,0018 BTC as of today) sitting in a wallet. You’re thinking, “Maybe I should try my luck at trading”. Can’t blame you!

You head over to the Deposit feature on Binance (or any exchange for that matter), choose “BTC” and are ready to make the transaction.

You are now presented with a Bitcoin wallet address — you’ll need to send the funds to this address.

You go ahead, copy the address and send your Bitcoin there. It usually takes a few minutes, so you wait. You wait a little longer. Nothing happens. You panic. You panic a bit more. Rightfully so, you just lost your Bitcoin.

Address Spoofing — How It Works

The address you just sent bitcoin to was not your Binance BTC address. It wasn’t mine either, I’m an innocent dude. Actually, you can’t tell whose address it was, since it’s all anonymous (that’s kind of the point). You also cannot complain to anyone, because no single body has authority or governance over Bitcoin.

Blame your Chrome Extensions

Have you ever used AdBlock? I’m sure you have. So let me spoil it — it probably wasn’t AdBlock. But technically speaking, any Chrome Extension you install can steal your crypto.

Chrome Extensions inject JavaScript code into the pages you visit and do magic with it (for example, hiding annoying ads).

That means a Chrome Extension running in your browser could inject code into Binance that replaces the wallet address in that particular deposit view. This is incredibly easy, and you wouldn’t even know it happened.
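A defender-side check for the point above, as an added example that is not from the article or its repository: it evaluates Chrome's match patterns against the host-access fields of an extension manifest to show which extensions are allowed to run code on a given page. The sample manifests and the `exchange.example` URL are constructed placeholders, and the function names are hypothetical.

```javascript
// Which extension manifests can run code on a given page?
// Simplified: http/https only; exclude_matches and activeTab are ignored.

// Compile one Chrome match pattern (e.g. "*://*.example.com/*") to a predicate.
function compilePattern(pattern) {
  if (pattern === "<all_urls>") return (u) => /^https?:$/.test(u.protocol);
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^\/*]+)(\/.*)$/.exec(pattern);
  if (!m) return () => false; // API permission such as "storage", not a host
  const [, scheme, host, path] = m;
  const escaped = path.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  const pathRe = new RegExp("^" + escaped + "$");
  return (u) => {
    const proto = u.protocol.slice(0, -1);
    if (!/^https?$/.test(proto)) return false;
    if (scheme !== "*" && scheme !== proto) return false;
    const hostOk = host === "*" || (host.startsWith("*.")
      ? u.hostname === host.slice(2) || u.hostname.endsWith(host.slice(1))
      : u.hostname === host);
    return hostOk && pathRe.test(u.pathname + u.search);
  };
}

// Every place a manifest can declare host access (MV2 and MV3 field names).
function hostPatterns(manifest) {
  return [
    ...(manifest.content_scripts || []).flatMap((c) => c.matches || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.permissions || []),
  ];
}

// Extensions (by name) that can reach `url`, with the patterns that allow it.
function audit(manifests, url) {
  const u = new URL(url);
  return manifests
    .map((m) => ({ name: m.name, via: hostPatterns(m).filter((p) => compilePattern(p)(u)) }))
    .filter((r) => r.via.length > 0);
}

// Constructed sample manifests and a placeholder deposit URL.
const SAMPLE_MANIFESTS = [
  { name: "ad-hider", content_scripts: [{ matches: ["<all_urls>"], js: ["hide.js"] }] },
  { name: "price-ticker", permissions: ["storage"],
    host_permissions: ["https://*.exchange.example/*"] },
  { name: "notes", content_scripts: [{ matches: ["https://notes.example/*"], js: ["n.js"] }] },
];
const DEPOSIT_URL = "https://www.exchange.example/deposit/crypto/BTC";
console.log(JSON.stringify(audit(SAMPLE_MANIFESTS, DEPOSIT_URL), null, 2));
```

Feeding it the `manifest.json` of each extension in a profile shows which ones have access to the deposit page; an empty result is what a profile with no extensions gives you.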

How would such an extension work?

I don’t want to assume all of my readers are coders. Therefore, here is a GitHub repository with sample code for the technical folks (educational purposes only!).

Here is what my script does:

  1. Waits for the Binance Crypto Deposit screen to load (“https://binance.com/…/…/…/deposit/crypto/BTC”)
  2. Extracts the “symbol” of the token from the URL (note the “BTC” at the end).
  3. Maps the token to a list of pre-defined wallet addresses, to find a matching wallet.
  4. Once the page has loaded, and the real wallet address has been rendered on the screen, the script will replace the text with the hijacker’s wallet address.

Will this work on any exchange?

The answer is yes, as long as it is web-based.

The Solution

I can’t stop you from using Chrome Extensions. In fact, I am using dozens of extensions as this helps me with my daily job as a Software Engineer.

Most of the time, it won’t even be the extension maintainer’s fault — they could have been victims of hacking and therefore such code could be injected into their extension logic unintentionally.

What you can do, however, is set up a distinct profile in Google Chrome. Each profile has its own fresh configuration, and extensions are not shared between profiles.

Create a new profile and do not install any extensions on it. This is the profile you are going to use when dealing with your Crypto from now on. It does not matter whether you are dealing with cryptocurrencies, online banking or stock trading. This is a simple step you can take right now, to protect your assets.

How do I create a new profile?

It’s incredibly simple. In the top bar, you’ll see a “People” menu. Click that, and select “Add Person”.

Voilà, you just got yourself a fresh profile without any extensions on it. You can use the same “People” menu to switch between profiles.

About me 👨🏻‍💻

My name is Ariel Weinberger. I currently work as an Engineering Lead for Abcam. Over the past two years, I have produced two online software engineering courses on Udemy and so far have educated over 110,000 students worldwide. Programming and education are my passions.

Wanna thank me?

You don’t have to. But if you insist 😉

BTC: bc1qjcg77ys0wd4kt87qwg4q7xhszjd3x88jwvqzr7
ETH: 0xDee75be41927E854f13Ac680aCCA01148B260A45
ADA: addr1qypktjzshwqls6lmq4uum6qa3hjkmvmrtfxzyeknnttzr20c4w8zdjyy32yk3c8x2q9xywnm3qz00t26d8r50x7j9zcqmlkvk4

Resources

Passionate about education in Software Engineering. Bestselling Udemy instructor. Self-taught Software Engineer and Engineering Manager.
