Hunting Huobi, MyEtherWallet, and Scams

Huobi-related scams aren’t seen very often, but they’re still just as dangerous as every other scam.

Mar 14, 2019 · 6 min read

I recently discovered an airdrop site for Huobi that used a different MyEtherWallet phishing kit from the ones I am used to finding.

It asked for a public address and checked whether that address holds Huobi Airdrop tokens (which are actually fake tokens tied to the other Huobi scam described below). Even if you enter an address that doesn’t hold the required tokens, the phishkit can still be found in the server response.

When you input your public address, the page sends a request to their server, which returns a new HTML document: a HuobiGlobal phishing site that also brings up a fake MyEtherWallet. This HTML document contains a link to a PHP script that caught my attention.

The redir.php script is a malicious MyEtherWallet kit designed to steal your keys.

This MyEtherWallet kit stores your private key in a cookie and then calls another PHP script.

A capture of the network request storing the private key in a cookie and sending it to postback.php

If you enter your private key, the attackers receive it and your funds are gone.

Since I haven’t come across that many Huobi phishing/scam domains, I decided to look for more. I came across an ERC20 token advertising a website, airdropped to ~20,000 Ethereum addresses.

Given some capital, airdropping a token like this is a way to advertise to the whole blockchain space at once.

The token advertising a website

If we look at the address funding the transactions (via 19 proxy addresses, e.g. 0x0b88a083dc7b8ac2a84eba02e4acb2e5f2d3063c) and the contract creations from 0x15ccc4ab2cfdb27fc4818bf481f7ed0352d8c6b3, we can see that the bad actor has:

  • Created 18 contracts between block 6,708,041 and 7,249,374

Here’s a dump of contract addresses that were created by 0x15cc...c6b3 and advertising as of block 7,362,119.


Here’s a dump of the proxy addresses used to airdrop the tokens. All were funded with 5 ETH from the 0x15cc...c6b3 address, and all hold similar balances after sending roughly the same number of transactions, so this is presumably all scripted.


Looking at

TL;DR: It gets you to install a browser extension which injects malicious scripts into and by hijacking the CSP headers and network requests.

So, I loaded up a VM and hit the domain, and I saw a legitimate-looking Google alert view that had me confused. I didn’t know Google detected cryptojacking like this…

A fake warning of Cryptojacking

When I enabled MetaMask, the page switched to a fake MetaMask warning, something I know MetaMask never shows.

A fake MetaMask warning

Anyway, I decided to view the source and saw that it was linking me to a Google Chrome browser extension, extension ID: coigcglbjbcoklkkfnombicaacmkphcm (NoCoin — Block Coin Miners).

230 users currently running this malicious browser extension — last updated March 8, 2019

I thought this was very weird — Google AND MetaMask “referring” users to this Browser extension. I decided to investigate.

Looking into “NoCoin — Block Coin Miners”

I decided to launch a fresh VM (since I didn’t know what it would do, and it came from an untrusted/suspicious source) and investigate.

From the start, it looked like it did what it should: it detected various cryptojacking scripts (CoinHive, MinerAlt, WebminerPool) and had a nice UI to let me know it was doing its job.

The UI of the extension showing it’s doing the job

I thought there had to be more to it, given the suspicious user journey that led me to install it.

I looked into the source of it and noticed two things:

  • It intercepts all web requests by registering blocking listeners on chrome.webRequest.onBeforeRequest and chrome.webRequest.onHeadersReceived

This seemed weird because it looked like this code was out of the scope of detecting CryptoJacking. I decided to debug this.

First, I wanted to know what the EventListener was doing for onHeadersReceived because it was overwriting the Content-Security-Policy value.

The logic used to alter the CSP for certain requests

I decided to modify the code so it would execute the logic on every request.

Yikes! Ok, so it overwrites the CSP so that the browser will load its injected code from untrusted origins without raising a policy violation… very out-of-scope for a cryptojacking detection extension.

Now, let’s see what it does with the onBeforeRequest listener. It checks whether the hash of the request’s domain equals a specific value and, if so, tells Chrome to load a different resource instead by returning a redirectUrl.

The logic used to load foreign resources via redirectUrl

This logic only runs if the hash matches one of two values, but what are these hashes? Hashing the domain names confirms it:

echo -n | md5sum
echo -n | md5sum

Ok, so it hijacks requests for things on and domains.

Here’s a list of the domains the extension hits that are controlled by the bad actor:

Looking at

So now that we know is a target and that the extension rewrites the CSP to inject foreign resources, let’s see what it does there.

Since the code looks for the substring master or chunk in the requested resource, the main target on the domain is the etherwallet-master.js file.

We can see the substitution by not allowing the CSP hijack: with the site’s original policy left in place, the browser refuses the foreign script and reports where it was trying to load it from.

So, now we know the main JS is being replaced by the malicious browser extension, let’s input our private key and see where they send it off to.

The script sends it off to a PHP script as part of a query string

And that’s it, our private key has been sent to the bad actors.

Note that since the CSP has been hijacked, we get no violation warnings about foreign resources being loaded. To the user the software works as intended and the EV cert is fully intact: the TLS connection to the real site is untouched, because the substitution happens inside the browser after the response arrives. What’s even more clever is that the browser extension does what it was advertised to do, so it could go unnoticed by the non-paranoid user for some time.

Looking at

We also know that is a target, so let’s modify the script so that it does not hijack the CSP, and see what it tries to load.

We can see that it’s trying to load malicious versions of manifest.1550618679966.js, vendor.b18ffdf080.js and app.46d4854459.js within the login logic.

What can I do to stay safe?

We have to be careful about what we do. The duty is on you to ensure your own safety and security. Timeo Danaos et dona ferentes.

  • Never install a browser extension that can modify the DOM or intercept network requests unless you, or a source you trust, has audited it.

The domains that are part of this campaign have been listed on EtherScamDB:

They have been blacklisted on MetaMask and EtherAddressLookup to prevent you from visiting them.



The Official MyCrypto Blog
