McAfee Labs has identified an active cryptocurrency theft campaign called Silent Swap that deploys malicious browser extensions to intercept and modify wallet addresses during crypto transactions.

The attack operates through unsigned installers distributed in both .NET and Golang variants. Attackers disguise the malware as a Google Notes extension, gaining browser access through social engineering or deceptive download sites. Once installed, the extension monitors clipboard activity and transaction fields, silently replacing legitimate wallet addresses with attacker-controlled ones during the payment process.

Users executing cryptocurrency transfers see what appears to be a normal transaction but actually send funds to addresses controlled by threat actors. The clipper executes the swap without alerting the user, leaving victims unaware until they discover missing funds or failed legitimate transactions.

The campaign targets cryptocurrency users across multiple platforms and wallet types. The use of unsigned installers reduces detection by endpoint security tools, while the fake Google Notes branding exploits user trust in legitimate Google services. The dual-variant approach, offering both .NET and Golang implementations, indicates the attackers maintain flexibility across different system architectures and detection environments.

Organizations and individual users should implement several protections. Browser extension security requires installing only verified extensions from official stores and auditing installed extensions regularly. Users managing cryptocurrency should employ hardware wallets when possible, use address verification tools that display full addresses before confirming transactions, and disable auto-fill features for critical financial applications. Security teams should monitor for unsigned executable installations and block distribution domains hosting Silent Swap variants.
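As an added illustration of the address-verification and clipboard-hygiene advice above (this is example code written for this page, not part of McAfee's report or any Silent Swap sample), the following Python sketch shows the defensive side of the mechanism described earlier: a clipper rewrites clipboard content between the moment the user copies a wallet address and the moment it is pasted, so a guard that remembers what was copied and compares it with what is pasted catches exactly that change. It also verifies the Base58Check checksum of legacy Bitcoin addresses so that a truncated or mistyped address is rejected before a transaction is confirmed. The class and function names, the address-shape patterns and the copy/paste events in `run_demo` are all constructed for this example; a real deployment would hook the operating system clipboard rather than a simulated event list.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address-shape patterns (constructed for this example; these are format checks
# only, not proof that an address belongs to the intended recipient).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def classify_address(text: str) -> Optional[str]:
    """Return the address family the text resembles, or None if it is not one."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def base58check_valid(addr: str) -> bool:
    """Decode a Base58Check string and verify its 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in Base58 encodes one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return expected == checksum


@dataclass
class Alert:
    copied: str
    pasted: str
    family: str


class ClipboardGuard:
    """Remember the last copied text; flag a paste that looks like a wallet
    address but differs from what the user copied (the signature of a clipper)."""

    def __init__(self) -> None:
        self._last_copied: Optional[str] = None

    def on_copy(self, text: str) -> None:
        self._last_copied = text.strip()

    def on_paste(self, text: str) -> Optional[Alert]:
        pasted = text.strip()
        family = classify_address(pasted)
        if family is None or self._last_copied is None:
            return None
        if pasted != self._last_copied:
            return Alert(self._last_copied, pasted, family)
        return None


def run_demo() -> List[Alert]:
    """Replay a constructed sequence of clipboard events and collect alerts."""
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # well-known valid legacy address
    swapped = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"   # a different valid address
    events: List[Tuple[str, str]] = [
        ("copy", genesis), ("paste", genesis),        # benign: unchanged
        ("copy", genesis), ("paste", swapped),        # clipper-style substitution
        ("copy", "meeting notes"), ("paste", "meeting notes"),  # not an address
    ]
    guard = ClipboardGuard()
    alerts: List[Alert] = []
    for kind, payload in events:
        if kind == "copy":
            guard.on_copy(payload)
        else:
            alert = guard.on_paste(payload)
            if alert is not None:
                alerts.append(alert)
                print(f"ALERT [{alert.family}] copied {alert.copied} "
                      f"but pasting {alert.pasted} "
                      f"(checksum ok: {base58check_valid(alert.pasted)})")
    return alerts


if __name__ == "__main__":
    run_demo()
```

The point of the comparison is that a clipper must change the clipboard after the copy event, so a guard that observes both ends of the round trip sees the substitution even though each individual value looks well-formed; the checksum check alone would not help, since the attacker-controlled address is a valid address too.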

The campaign demonstrates how address-replacement attacks remain effective against cryptocurrency users despite increased awareness of phishing threats. Unlike credential theft or seed phrase compromise, clipper attacks operate invisibly during the transaction execution phase, making detection difficult without careful address verification practices.