A browser extension pretending to be Google Notes is silently rerouting cryptocurrency transfers to attackers.
McAfee researchers identified the malware, dubbed Silent Swap, distributed through phishing, social engineering, and shady download sites. On the surface it works as advertised — users can write, color-code, and search notes. Underneath, it monitors the clipboard for strings between 26 and 42 alphanumeric characters, the signature shape of a crypto wallet address. The moment it spots one, it swaps the copied address for one controlled by the attacker. The victim pastes, hits send, and the funds are gone.
The attack lands because crypto addresses are practically unmemorable — users are forced to copy and paste them, which is exactly the behavior Silent Swap exploits. Recovery is nearly impossible once a transaction clears on a decentralized network; the only slim window is catching it fast enough to ask a centralized exchange like Coinbase to freeze the transfer.
Researchers warn that spot-checking just the first and last few characters of a wallet address is not enough — attackers can craft lookalike strings that match on both ends while differing in the middle. Verifying the entire address before sending is the only reliable defense. Clipboard jackers are not new, but the disguise here — a fully functional notes app — is a step above the usual hollow shell extensions that barely pretend to do anything legitimate.