A cryptocurrency scam known as "ShieldGuard" has been dismantled after Okta Threat Intelligence identified it as a malicious browser extension designed to harvest sensitive user data. The operation, described in an Okta advisory published on 17 March, initially presented itself as a security tool aimed at protecting crypto wallets from phishing and harmful smart contracts.
ShieldGuard combined social media promotion, a browser extension listing and a token "airdrop" incentive model to attract users, with participants encouraged to download the extension and promote it in exchange for future cryptocurrency rewards.
Okta found the extension was built to extract valuable information from users interacting with major crypto platforms, including Binance, Coinbase and MetaMask, and that it also targeted general browsing activity and Google services. Its capabilities included harvesting wallet addresses, capturing full HTML content after login, tracking users across sessions and executing code remotely via a command-and-control server.
The malware used obfuscation and a custom JavaScript interpreter to bypass Chrome security restrictions, delivering and executing code dynamically without triggering standard protections.
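Obfuscation and a custom interpreter are invisible at the manifest level, but the capability set described above (access to every page, scripts on exchange sites, runtime injection, session state) does show up in an extension's manifest. The following triage script is an added example, not Okta's tooling or code from the extension; the domain names come from the article, while the manifest keys are standard Chrome extension fields and the sample manifest is constructed.

```python
import json

# Services named in the article; the patterns below are standard Chrome match patterns.
TARGET_DOMAINS = ("binance.com", "coinbase.com", "metamask.io", "google.com")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def triage_manifest(manifest: dict) -> list[str]:
    """Return findings for a Chrome extension manifest (MV2 or MV3 shape)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: extension can read every page the user visits")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if any(domain in pattern for domain in TARGET_DOMAINS):
                findings.append(f"content script on wallet/exchange/Google pages: {pattern}")
    if "scripting" in perms:
        findings.append("'scripting' permission: code can be injected into tabs at runtime")
    if perms & {"webRequest", "cookies"}:
        findings.append("webRequest/cookies: session state visible, cross-session tracking possible")
    # MV2 CSP is a string; MV3 CSP is an object keyed by context (e.g. extension_pages).
    csp = manifest.get("content_security_policy") or {}
    csp_text = csp if isinstance(csp, str) else " ".join(csp.values())
    if "unsafe-eval" in csp_text or "http://" in csp_text or "https://" in csp_text:
        findings.append("CSP relaxed: eval or remote script sources allowed")
    return findings

# Constructed sample manifest (not the ShieldGuard manifest) mimicking a "wallet protector".
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Constructed wallet-protector sample",
  "permissions": ["scripting", "cookies", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*.binance.com/*", "*://*.coinbase.com/*"],
                       "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

A manifest with none of these traits can still be malicious, so treat an empty result as "nothing obvious", not as a clean bill of health.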
Researchers also identified links to another campaign known as "Radex" and noted language indicators suggesting the operators may be Russian-speaking. Okta and industry partners disrupted the operation by removing the extension from the Chrome Web Store, taking down domains, disabling backend infrastructure and blocking user sign-in functionality.