[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBn7WwtIv4HiG38eljgPhlizJyGXfbzPpZifQ7WHpqro":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"978dddb4-d8a4-44d6-9193-9d60a0158ed3","Fake “Google Notes” Browser Extension Caught Swapping Crypto Wallet Addresses","fake-google-notes-browser-extension-caught-swapping-crypto-wallet-addresses-089b94","McAfee says a Google Notes browser extension is replacing copied crypto payment details, putting wallet transfers at risk for Chrome, Brave, and Microsoft Edge users.","McAfee researchers discovered a malicious browser extension disguised as 'Google Notes' that intercepts and replaces cryptocurrency wallet addresses copied to the clipboard, a technique known as clipper malware. The extension uses unsigned installers to inject itself into Chromium-based browsers (Chrome, Brave, Microsoft Edge) and requests unusual permissions for a note-taking app, including clipboard and browsing history access. The campaign targets users across multiple cryptocurrencies including Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash, with higher infection concentrations in India.","Fake 'Google Notes' browser extension swaps crypto wallet addresses in clipboard on Chrome, Brave, and Edge.","Security Malware Scams and FraudFake “Google Notes” Browser Extension Caught Swapping Crypto Wallet Addresses McAfee says a Google Notes browser extension is replacing copied crypto payment details, putting wallet transfers at risk for Chrome, Brave, and Microsoft Edge users. byWaqasJuly 1, 20262 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening McAfee researchers are warning cryptocurrency users worldwide about a malicious browser extension that hides behind the name “Google Notes” while changing wallet addresses during transactions. In cybersecurity terms, this is clipper malware, more specifically a crypto clipper delivered through a malicious browser extension. Published on June 30, 2026, and shared with Hackread.com, the McAfee Advanced Threat Research report says the campaign uses unsigned installers to place a malicious extension inside Chromium-based browsers, including Google Chrome, Brave, and Microsoft Edge. The extension presents itself as a simple note-taking tool, but its main purpose is to watch for copied cryptocurrency wallet addresses and replace them before the user pastes them into a payment field. Thereafter, anyone sending crypto by copy and paste could miss the swap unless they check the address closely. Since most cryptocurrency transfers cannot be reversed, one successful swap can mean permanent loss. Behind the fake notes app, the extension asks for access that does not match its claimed purpose. McAfee found requests for access to all websites, browsing history, and the clipboard, permissions that would be unusual for a basic note-taking extension. The fake Google Notes browser extension (left) – Threat blocked by McAfee (right) – Image via McAfee The installation method is also worth UK users checking. According to McAfee’s technical details, the malware does not depend on a normal browser store install. It changes browser preference files directly so the extension can appear trusted and load without the usual approval process. Although updated Chrome and Edge versions may still require developer mode, older Chromium-based browsers remain more exposed, and attackers can try to talk users into enabling developer mode. Once active, the extension checks copied text for wallet formats linked to major cryptocurrencies. McAfee said Bitcoin, Ethereum, Bitcoin Cash, Ripple and Dash were among the currencies where wallet address fraud was seen. The researchers also found that submitted addresses can be matched to unique attacker wallets, making simple wallet blocklists less reliable. The operators also built in a remote control method that avoids placing a fixed command server directly in the malware. McAfee said the extension can query a public blockchain smart contract to retrieve its active backend domain, with domains including devops-offensive(.)cc and Zebregts(.)com recorded during analysis. McAfee telemetry showed a global infection footprint, with India seeing a much higher concentration of affected users than other regions. The company said the spread suggests an opportunistic campaign against consumer cryptocurrency users, not an India-specific operation. If you deal with crypto and use a Chromium-based browser, compare the first and last six characters of the recipient wallet address with the source, preferably on another device. This needs to be done before approving a crypto transfer. McAfee also advises installing extensions only from official browser stores, removing any extension the user does not remember installing, reviewing permissions, avoiding unsigned software downloads, and keeping device protection active. (Photo by Mariia Shalabaieva on Unsplash) Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts BrowserChromiumCryptoCyber AttackCybersecurityExtensionFraudGoogle NotesMalwaremcafeeScam Leave a Reply Cancel reply View Comments (0) Related Posts Phishing Scam Security New Phishing Scam Hooks META Businesses with Trademark Threats Scammers are sending phishing links to the inboxes of Meta business owners and Facebook page administrators, aiming to obtain their login credentials. byWaqas Android Malware Security Fake Android Banking Apps Stealing Credentials Via Malware FireEye IT security firm has discovered Android malware apps that can masquerade as the most popular financial applications… byUzair Amir Security 18-year-old Vulnerability Lets Attackers Steal Data From All Versions of Windows Researcher Aaron Spangler identified a bug in Internet Explorer back in 1997. This flaw allowed stealing of user… byWaqas Malware Security New Android Malware Disguised as Uber App It is just another day with just another Android malware targeting unsuspecting users. Last time Uber was in news… byWaqas","https:\u002F\u002Fhackread.com\u002Ffake-google-notes-browser-extension-swap-crypto-wallets\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F07\u002Ffake-google-notes-browser-extension-swap-crypto-wallets-2.jpg","2026-07-01T16:51:19+00:00","2026-07-01T18:00:10.54082+00:00",8,[18,21,24,26,28],{"name":19,"type":20},"McAfee","vendor",{"name":22,"type":23},"Google Chrome","product",{"name":25,"type":23},"Microsoft Edge",{"name":27,"type":23},"Brave",{"name":29,"type":30},"Chromium","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":31,"icon":33,"name":34,"slug":35},null,"Malware","malware",[37,42],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"0493c7e9-989a-4692-b4e6-136f5ec09675","Cryptography","cryptography",{"category":43},{"id":31,"icon":33,"name":34,"slug":35},[45,49,51],{"type":46,"value":47,"context":48},"domain","devops-offensive.cc","C2 backend domain retrieved via smart contract",{"type":46,"value":50,"context":48},"Zebregts.com",{"type":35,"value":52,"context":53},"Google Notes clipper extension","Fake browser extension targeting crypto wallet addresses"]