Hola VPN Developers Hacked: Malicious Extension Attacked MyEtherWallet Users
On July 10, 2018, the developers of the cryptocurrency wallet MyEtherWallet (MEW) and the Hola VPN extension warned users about a cyberattack. For several hours, a malicious version of the Hola VPN extension for Chrome was distributed, specifically targeting MyEtherWallet users to steal their cryptocurrency.
How the Attack Happened
In an official statement, the Hola VPN team explained that their Google Chrome Store account had been compromised. This allowed attackers to upload a modified, malicious version of the extension to the Chrome Web Store. The developers stated that the harmful version was active for only “a few hours” before they regained access to their account and restored the legitimate Hola VPN extension in the Chrome Store.
MyEtherWallet representatives provided more specific details, reporting that the compromise lasted for five hours. They also told TechCrunch that the attack appeared to originate from a Russian IP address.
Attack Details and Impact
The main targets were users of MyEtherWallet. If a victim tried to access the official MEW website (MyEtherWallet.com), the malicious extension would secretly redirect them to a phishing page in an attempt to steal their MEW account credentials.
Experts now recommend that all MEW and Hola VPN users who accessed their wallet and browser on July 9-10, 2018, immediately transfer their funds to new wallets. For the attack to succeed, Hola VPN had to be updated to the malicious version (extensions update automatically in the background) and be enabled, while the browser’s incognito mode had to be turned off.
Not the First Incident
This is not the first time developers have been compromised and popular extensions replaced with malicious versions. For example, in 2017, a series of phishing attacks on developers led to the compromise of eight popular Chrome extensions, putting nearly five million users at risk.