Cyber Incident Victim: MEGA
Date: Sep 2018
Location: Ukraine
Summary
The official Chrome extension for a file-sharing service was replaced with a version carrying malicious code that stole user credentials, session data, and cryptocurrency private keys from targeted platforms including Amazon, GitHub, MyEtherWallet, and IDEX. The hijacked extension transmitted the collected information to a server hosted in Ukraine before Google removed it from the Chrome Web Store and disabled it for existing users. The service provider confirmed that the breach occurred through unauthorized access to its Chrome Web Store account and criticized Google for dropping the publisher-signature requirement for Chrome extensions, a safeguard it argued would have prevented the unauthorized upload, while noting that its Firefox extension and its cryptographically signed applications were not exposed to this attack vector.
Description
On September 4, 2018, the official MEGA.nz Chrome extension was discovered to contain malicious code designed to steal sensitive user credentials and cryptocurrency data. The compromised version, identified as 3.39.4, had been uploaded to the Chrome Web Store earlier that day at 14:30 UTC. Security researchers analyzing the extension's source code observed that the injected code activated only when users visited specific websites, including Amazon, Google, Microsoft, GitHub, and cryptocurrency platforms such as MyEtherWallet, MyMonero, and IDEX. On those sites it captured usernames, passwords, and session data, and, for the cryptocurrency services, the private keys required to access digital wallets. The collected information was transmitted to a Ukrainian-hosted server at megaopac[.]host. Google removed the extension from the Chrome Web Store approximately five hours after the initial compromise and automatically disabled it for existing users. Security analysts confirmed that the Firefox add-on remained unaffected, and a copy of the malicious extension was preserved for forensic analysis.

MEGA.nz acknowledged the incident within 24 hours, confirming the breach timeline and detailing its remediation efforts. The company submitted a clean version (3.39.5) to the Chrome Web Store four hours after detecting the compromise, although Google had already removed the extension by that time. In a public statement, MEGA.nz apologized for the incident and opened an internal investigation into how its Chrome Web Store account had been compromised. The company criticized Google's security practices, specifically the removal of publisher signatures for Chrome extensions, which it argued had eliminated a critical safeguard against unauthorized uploads. MEGA.nz emphasized that its other products, including the MEGAsync desktop clients, the Firefox extension, and its cryptographically signed mobile apps, remained secure because they are distributed and signed differently. Users were advised to reset any passwords entered while the compromised version was installed and to move cryptocurrency funds to new wallets, reflecting the severity of the potential unauthorized access to both traditional accounts and digital assets.
