QuickLens Chrome Extension Hack: Inside the and Threat

In the fast-paced world of crypto trading and web browsing, browser extensions promise quick tools for better productivity. But what happens when one turns into a thief? The hack shows how hackers can take over a simple tool and steal your cryptocurrency. This supply chain attack hit over 7,000 users and used a sneaky trick called to trick people into running malware. Let’s break it down step by step, so you can protect yourself.

What is the QuickLens Chrome Extension Attack?

The QuickLens extension, called “QuickLens – Search Screen with Google Lens,” started as a harmless tool for screen searches. In February 2026, bad actors bought it cheap and turned it evil. They updated it to version 5.8 on February 17, pushing malware to all users via the Chrome Web Store. No download needed – updates happen automatically.

This is a classic . Hackers don’t hack your computer directly. They poison the supply chain – here, the trusted Chrome store. Result? Crypto wallets drained, passwords stolen, and browsers broken. Users saw fake Google update pop-ups that locked screens and forced malware installs.

How Did the Attack Work? A Simple Breakdown

Hackers were smart. They used many steps to stay hidden and hit hard. Here’s the attack flow in easy terms:

1. Ownership Takeover: The extension was sold on a site called ExtensionHub. New owners used a fake email: support@doodlebuggle.top.
2. Malicious Update: Version 5.8 asked for scary permissions like webRequest and declarativeNetRequestWithHostAccess. These let it mess with every website you visit.
3. Security Bypass: It dropped a rules.json file that removed key web protections: CSP, X-Frame-Options, and X-XSS-Protection. Now, hackers could inject bad JavaScript anywhere.
4. Secret Communication: Every 5 minutes, it phoned home to api.extensionanalyticspro.top with your browser info, OS, location, and a unique ID.
5. GIF Trick: A tiny 1×1 GIF loaded bad code on every page. It hit google-update.icu, showing a fake “Google Update Needed” pop-up.
6. Trap: Click the fake update, and it runs malware. Users think they’re fixing Chrome, but they’re installing thieves.

For Windows users, it downloaded googleupdate.exe – signed by a fake Chinese food company to look legit. This ran hidden PowerShell to grab more malware from drivers.solutions using a weird “Katzilla” user agent.

What Did the Malware Steal?

The real pain? . It targeted popular browser wallets:

• MetaMask
• Phantom
• Coinbase Wallet
• Trust Wallet
• Solflare
• Backpack
• Brave Wallet
• Exodus
• Binance Chain Wallet
• WalletConnect
• Argon

It grabbed seed phrases, transaction history – everything to empty your wallet. Plus, browser passwords, credit cards, Gmail data, Facebook Business Manager logins, and YouTube details. Mac users might have faced AMOS stealer too.

Victims worldwide lost crypto, got locked out of accounts, and saw weird transfers. Reddit threads exploded with stories of drained wallets and broken browsers.

Who Was Behind It? Clues Point to Money-Grubbers

No big APT group linked yet. But tricks match cybercrooks who love browser hijacks and crypto grabs. They used signed files, fast-changing servers, and overlaps with ModeloRAT stealers. Goal? Pure profit from global users, not spy games.

Why Browser Extensions Are a Big Risk for Crypto Users

Crypto lives in browsers – DeFi, NFTs, swaps. Extensions seem safe from Chrome Web Store. But ownership changes are easy, updates silent. This hit 7,000+ users fast. like this beat antivirus because users install the threat themselves.

Key lesson: is social engineering gold. It crashes browsers or locks screens, making you click “fix.” Bypasses all tech defenses.

How to Protect Yourself Right Now

Immediate Steps:

• Delete QuickLens from Chrome: chrome://extensions/
• Scan your PC with antivirus – check for PowerShell junk and googleupdate.exe.
• Change all passwords, especially browser-saved ones.
• Move crypto to new wallets. Old seed phrases are burned.
• Block these bad domains: api.extensionanalyticspro.top, google-update.icu, drivers.solutions.

Long-Term Defense:

• Review extensions: Check permissions, owner emails, recent updates.
• Allowlist only needed extensions in companies.
• Use EDR tools to spot weird PowerShell or credential grabs.
• Train on fake updates – never run code from pop-ups.
• Monitor traffic and audit extensions regularly.

For crypto pros: Hardware wallets > browser ones. Enable 2FA everywhere. Use VPNs and script blockers.

Lessons for the Crypto Community

This warns us: Trust no extension blindly. Chrome store isn’t perfect. Demand better vetting from Google. For devs, watermark updates or use signed manifests.

Supply chain risks grow in Web3. From npm poisons to extension flips, hackers love trusted paths. Stay vigilant – your stack is only as strong as its weakest link.

Have you checked your extensions? Share in comments. Stay safe out there.

Keywords: QuickLens attack, Chrome extension malware, crypto wallet theft, ClickFix explained, browser security tips