Report: Malicious Chrome Extension Disguised as Trading Tool Steals User MEXC API Keys

According to a report from the security agency Socket's Threat Research Team, a malicious Chrome extension named "MEXC API Automator" has been available in the Chrome Web Store since September 1, 2025, capable of stealing users' newly created API keys from the cryptocurrency exchange MEXC and sending them to a Telegram bot controlled by the attacker.

The extension lures users with the promise of trading automation, automatically generating MEXC API keys with withdrawal permissions without the user's knowledge, while hiding the display of these permissions in the interface, subsequently leaking the keys along with their ciphertext. This allows attackers to gain complete control over the victim's MEXC account, executing trades, initiating automatic withdrawal operations, and transferring assets within the account. As of the report's publication, the extension is still available for download in the Chrome Web Store, and the research team has reported and flagged this extension to Google.