Hunting Huobi, MyEtherWallet, and Scams

Huobi-related scams aren’t seen very often, but they’re still just as dangerous as every other scam.

I recently discovered an airdrop site for Huobi that used a different MyEtherWallet phishing kit to what I am used to finding.

It asked for a public address and checked to see if you have Huobi Airdrop tokens (which are actually fake tokens related to another Huobi scam, below). If you enter an address that doesn’t have the tokens required, you can still find the phishkit in the server response.

When you input your public address, it requests their server and returns a new HTML document — a HuobiGlobal phishing site that also brings up a fake MyEtherWallet. This HTML document contains a link to a PHP script that caught my attention.

The redir.php script is a malicious MyEtherWallet kit designed to steal your keys.

This MyEtherWallet kit stores your private key into a Cookie and hits another PHP script.

A capture of the network request storing the private key in a cookie and sending it to postback.php

If you input your private key, it would be accessed, and you would lose your funds.

Since I haven’t come across that many Huobi phishing/scam domains, I decided to look for more. I came across an ERC20 token that was advertising a website that was airdropped to ~20,000 Ethereum addresses.

With some capital, this is a method to advertise in the blockchain space.

The token advertising a website

If we look at the address funding the transactions (via 19 proxy addresses (i.e.: 0x0b88a083dc7b8ac2a84eba02e4acb2e5f2d3063c) and contract creation from 0x15ccc4ab2cfdb27fc4818bf481f7ed0352d8c6b3, we can see that the bad actor has:

  • Created 18 contracts between block 6,708,041 and 7,249,374
  • All but 1 contract address advertises — the other is just a test.
  • 62,132 addresses were sent a token that advertises

Here’s a dump of contract addresses that were created by 0x15cc...c6b3 and advertising as of block 7,362,119.


Here’s a dump of proxy addresses used to airdrop the tokens — all funded from the 0x15cc...c6b3 address — all these proxy addresses hold similar values (after being funded with 5 ETH and sending x transactions) so assuming this is all scripted.


Looking at

TL;DR: It gets you to install a browser extension which injects malicious scripts into and by hijacking the CSP headers and network requests.

So, I loaded up a VM and hit the domain and I saw a legitimate looking Google Alert view that had me confused — I didn’t know Google detected Cryptojacking like this…

A fake warning of Cryptojacking

I decided to enable MetaMask and they changed the view to fake a MetaMask warning — something I know MetaMask doesn’t warn against.

A fake MetaMask warning

Anyway, I decided to view the source and saw that it was linking me to a Google Chrome Browser Extension — extension ID:coigcglbjbcoklkkfnombicaacmkphcm (NoCoin — Block Coin Miners)

230 users currently running this malicious browser extension — last updated March 8, 2019

I thought this was very weird — Google AND MetaMask “referring” users to this Browser extension. I decided to investigate.

Looking into “NoCoin — Block Coin Miners”

I decided to launch a fresh VM (since I didn’t know what it would do and I came from an untrusted/suspicious source) and investigate.

From the start, it looked like it did what it should — it was detected various CryptoJacking scripts (CoinHive, MinerAlt, WebminerPool) and there was a nice UI to let me know it was doing its job.

The UI of the extension showing it’s doing the job

I thought there had to be more to it since my suspicious user-journey to install it.

I looked into the source of it and noticed two things:

  • It monitors/hijacks all web requests by attaching an EventListener to onBeforeRequest and onHeadersReceived
  • Depending on the network activity, it would construct a domain on the .top TLD (known to host a lot of spam according to SPAMHAUS)

This seemed weird because it looked like this code was out of the scope of detecting CryptoJacking. I decided to debug this.

First, I wanted to know what the EventListener was doing for onHeadersReceived because it was overwriting the Content-Security-Policy value.

The logic used to alter the CSP for certain requests

I decided to modify the code so it would execute the logic on every request.

Yikes! Ok, so it overwrites the CSP so it can “safely” inject code from untrusted sources… seems very out-of-scope for a CryptoJacking detection extension.

Now, let’s see what it does with the onBeforeRequest EventListener. It checks to see if the URL is equal to a specific hash, then tells Chrome to load a separate resource by using redirectUrl

The logic used to load foreign resources via redirectUrl

But this logic only runs if the URL hash is one of 2 — but what are these hashes?

echo -n | md5sum
echo -n | md5sum

Ok, so it hijacks requests for things on and domains.

Here’s a list of domains that the extension hits that are in control of the bad actor

Looking at

So now we know is a target, and it hijacks the CSP policy to inject foreign resources, let’s see what it does.

Since the code is looking for master or chunk substring in the resource, the main target is the domain to overwrite the etherwallet-master.js file.

We can take a look at it by not allowing the CSP hijack.

So, now we know the main JS is being replaced by the malicious browser extension, let’s input our private key and see where they send it off to.

The script sends it off to a PHP script as part of a query string

And that’s it, our private key has been sent to the bad actors.

Note that since the CSP has been hijacked, we get no notices about trying to load foreign resources and to the user, the software works as intended and the EV cert is fully intact. What’s even clever is that the browser extension does what it was advertised to do, so it could go unnoticed to the non-paranoid user for some time.

Looking at

We also know that is a target, so let’s modify the script to now hijack the CSP and see what it’s trying to load.

We can see that it’s trying to load malicious versions of; manifest.1550618679966.js , vendor.b18ffdf080.js , app.46d4854459.js within the login logic.

What can I do to stay safe?

We have to be careful on what we do. The duty is on you to ensure your maximum safety and security. Timeo Danaos et dona ferentes.

  • Never install a browser extension that has the ability to modify the DOM that you/trusted source has not audited.
  • Don’t blindly trust legitimate looking warnings to get you to install software (MetaMask warnings will always have their browser extension in the URL bar (like the phishing warning))
  • Never enter your secrets online — always use an offline signing mechanism (i.e: Ledger Wallet, TREZOR, or Parity Signer)

The domains that are part of this campaign have been listed on EtherScamDB;

They have been blacklisted on MetaMask and EtherAddressLookup to prevent you from visiting them.