What Happened
Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction. The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs. "The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that
Why It Matters
According to McAfee Labs and The Hacker News, the Silent Swap campaign uses unsigned .NET and Golang installers to silently sideload a malicious Chromium extension that masquerades as a benign "Google Notes" utility. The extension then monitors clipboard activity to detect cryptocurrency wallet addresses and replaces them with attacker-controlled addresses at transaction time.[1][2] This results in irreversible diversion of funds due to the nature of most blockchain transactions.[2]

From a CyberSE.AI perspective, any fintech workflows or AI-powered assistants that help users manage, recommend, or execute crypto transactions are indirectly exposed: if an AI agent relies on user copy-paste behavior or browser-based wallet operations, clipboard-hijacking extensions like Silent Swap can silently subvert transaction integrity. Organizations should assess where AI systems intersect with client-side browser activity and crypto operations, implement strong endpoint controls, and design AI-assisted transaction flows that minimize reliance on clipboard operations and sideloaded browser extensions.
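As one form of the endpoint control mentioned above, the following added example (not code from McAfee Labs, The Hacker News, or CyberSE.AI) audits a Chromium profile's extension settings and reports extensions that did not come from the Web Store or enterprise policy, noting clipboard permissions and Google-branded names. The field names (`location`, `from_webstore`, `manifest`) and numeric location codes are assumptions modelled on Chromium's profile Preferences layout, and the sample data is constructed.

```python
import json

# Assumption: numeric codes follow Chromium's ManifestLocation enum
# (1 internal, 4 unpacked, 5 component, 7/9 enterprise policy, 10 external component).
TRUSTED_LOCATIONS = {1, 5, 7, 9, 10}
CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}

def load_prefs(path):
    """Read a profile's Preferences / Secure Preferences JSON file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def audit_extensions(prefs, allowlist=frozenset()):
    """Return one finding per extension that did not come from the Web Store or policy."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in sorted(settings.items()):
        if ext_id in allowlist:
            continue
        location = entry.get("location")
        # "internal" installs are only trusted when a Web Store origin was also recorded.
        if location in TRUSTED_LOCATIONS and (location != 1 or entry.get("from_webstore") is True):
            continue
        manifest = entry.get("manifest") or {}  # sideloaded entries may have no cached manifest
        name = str(manifest.get("name", "<unknown>"))
        perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
        reasons = [f"untrusted install source (location={location})"]
        if perms & CLIPBOARD_PERMS:
            reasons.append("requests clipboard access")
        if "google" in name.lower():
            reasons.append("Google-branded name outside the Web Store")
        findings.append({"id": ext_id, "name": name,
                         "path": entry.get("path", ""), "reasons": reasons})
    return findings

# Constructed sample, not data from the campaign: IDs, names and paths are made up.
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"location": 1, "from_webstore": True,
               "manifest": {"name": "Password Manager", "permissions": ["clipboardWrite"]}},
    "b" * 32: {"location": 4, "from_webstore": False, "path": "/home/example/notes-ext",
               "manifest": {"name": "Google Notes",
                            "permissions": ["clipboardRead", "clipboardWrite", "storage"]}},
    "c" * 32: {"location": 4, "path": "/home/example/unpacked-dev"},
}}}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS):
        print(finding["id"], finding["name"], "; ".join(finding["reasons"]))
```

Pass known developer or internally distributed extension IDs through `allowlist` so that findings stay limited to unexpected installs.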
CyberSE Analysis
This signal maps to fintech AI risk. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/silent-swap-crypto-clipper-uses-fake.html