Cyber Threat Actor: SerHack
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | Ukraine | 1 incident |
Profile
SerHack is the alias used to refer to the threat actor responsible for compromising the official MEGA.nz Chrome extension in September 2018. Publicly available information indicates that the actor is associated with Ukraine, as the malicious server receiving stolen data was hosted there. The actor’s known activity consists of a single reported operation in which they injected malicious code into a legitimate browser extension to harvest user credentials and cryptocurrency private keys.
In the observed incident, the actor targeted users of the MEGA.nz Chrome extension who visited a range of high-profile services, including Amazon, GitHub, MyEtherWallet, MyMonero, and the IDEX cryptocurrency trading platform. The malicious code collected usernames, passwords, session data, and, when present on cryptocurrency sites, the private keys needed to access digital funds. All harvested information was transmitted to a server located at megaopac[.]host, which was identified as being hosted in Ukraine. The extension was removed from the Chrome Web Store and disabled for existing users after the breach was discovered, and a clean version was subsequently uploaded by the service provider.
The actor’s tactics, techniques, and procedures, as described in the source material, involve gaining unauthorized access to the Chrome Web Store account of the extension publisher and uploading a malicious version of the extension. The malicious payload was contained in version 3.39.4 of the MEGA.nz Chrome extension and was designed to activate on specific websites to exfiltrate data. No malware families or additional tooling are referenced in the reporting, and MEGA's Firefox extension and cryptographically signed mobile applications remained unaffected. No public attribution to a state sponsor or criminal consortium has been made based on the available evidence. The operation highlights the risk posed by compromised extension publishing accounts and the importance of maintaining strong controls over developer access to distribution platforms.
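As an added example, not taken from the source report or from MEGA, the following Python helpers turn the two indicators in this profile (the compromised extension version 3.39.4 and the exfiltration domain megaopac[.]host) into checks a defender can run over an installed extension's manifest.json and over proxy or DNS log lines. The manifest name match on "mega" and the log line format are assumptions; the page does not quote either.

```python
"""Detection helpers built from the MEGA.nz Chrome extension compromise indicators."""
import json
import re

# Indicators taken from the incident description above.
MALICIOUS_VERSION = "3.39.4"  # compromised MEGA.nz Chrome extension build
# The page defangs the domain as megaopac[.]host; refang it so it matches real log lines.
EXFIL_DOMAIN = "megaopac[.]host".replace("[.]", ".")
# Assumption: the extension manifest "name" contains "mega"; the page does not quote it.
EXTENSION_NAME_HINT = "mega"

# Pulls candidate hostnames out of free-form log text (URLs or bare host:port fields).
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def manifest_is_compromised(manifest_json: str) -> bool:
    """Return True if a Chrome extension manifest.json matches the compromised MEGA build."""
    try:
        manifest = json.loads(manifest_json)
    except json.JSONDecodeError:
        return False  # not a manifest; nothing to flag
    name = str(manifest.get("name", "")).lower()
    return EXTENSION_NAME_HINT in name and manifest.get("version") == MALICIOUS_VERSION


def find_exfil_connections(log_lines):
    """Return the log lines whose host is the exfil domain or one of its subdomains.

    Matching is on whole labels, so a look-alike such as notmegaopac.host is not flagged.
    """
    hits = []
    for line in log_lines:
        for host in _HOST_RE.findall(line):
            host = host.lower().rstrip(".")
            if host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    # Constructed sample inputs; not captured from a real host.
    bad_manifest = '{"name": "MEGA", "version": "3.39.4"}'
    sample_logs = [
        "2018-09-04T19:02:11Z 10.0.0.5 CONNECT megaopac.host:443",
        "2018-09-04T19:02:12Z 10.0.0.5 GET https://mega.nz/ 200",
    ]
    print("compromised manifest:", manifest_is_compromised(bad_manifest))
    print("exfil connections:", find_exfil_connections(sample_logs))
```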
