Approximately 1.4 million XRP has been stolen from the users in the month of March alone through the use of a fake Google Chrome extension.
Through a thread of tweets released on March 24, a research group known as xrplorer forensics, revealed that hackers are stealing user backup passphrases through fraudulent Ledger Live extensions. Xplorer forensics stated:
“They are advertised in Google searches and use Google Docs for collecting data. Accounts are being emptied and we have seen more than 200K XRP being stolen the past month alone.”
We don't have figures from other currencies. Don't EVER download tools for your hardware wallet from other places than the vendor directly. The screenshot shows a POST request from an extension. pic.twitter.com/ct4IreHeM4
— xrplorer forensics (@xrpforensics) March 24, 2020
After a while, xrplorer forensics revised the figure from 200k XRP to 1.4 million.
As per the researchers, the majority of the stolen XRP seems to be still intact in accounts, however, a proportion of it has already been cashed out through crypto exchange platform HitBTC.
The researchers have cautioned the public from downloading tools to use within their hardware wallets from different developers apart from the vendor directly. They particularly single out Ledger users and caution them from downloading tools apart from the manufacturer only.
By publication time, two ‘LedgerLive’ extensions are available on Google store for use with Chrome browser. The two extensions comprise of a couple of user reviews that are in tandem with xrplorer forensics warnings.
Through their Twitter account, xrplorer forensics has alleged that about 300 million XRP which is at the moment in different XRP accounts has been earmarked as fraudulent. The researchers claim that most of it has originated from the PlusToken exit scam. In their estimation, about 13 million XRP has originated from different scams and theft schemes.
The researchers have also called out crypto exchange platform bithunter.io, questioning why it didn't observe the AML alerts for various big and reportedly suspicious transactions. As per the researchers, about a third of the entire XRP received by bithunter comes from suspicious accounts that are in their advisory list.
The researchers also caution other exchanges to be vigilant as scammers are currently consolidating their loot, urging them to be extra careful with the incoming payments.