ShapeShift Security Update: KeepKey Client

ShapeShift owns and operates the reputable hardware wallet known as KeepKey. It has come to our attention that a malicious actor published a malicious KeepKey extension on the Google Chrome app store. This malicious extension is designed to look like our legitimate KeepKey extension, which is also available in the Google Chrome app store. When a user installs the malicious extension, they are asked to enter their wallet seed phrase, which can be used to unlock the funds on a KeepKey.

This is different from how KeepKey’s extension works: our extension never asks the user to enter their wallet seed phrase. At the time of this post, we know of at least one unsuspecting KeepKey user who apparently entered their seed phrase into this malicious extension - resulting in the phrase being sent to the attacker. The user’s cryptocurrency was then stolen by the malicious actor or actors now in possession of the user’s seed phrase. 

ShapeShift has taken swift action to combat this malicious software. Our team has filed multiple reports with the Google Chrome app store requesting the removal of the malicious extension. We have also located the hosting service that is hosting the website to which seed phrases were sent and filed the appropriate requests. We have reported this bad actor to the Federal Bureau of Investigation in order to further protect our users. Unfortunately, this is a cat and mouse game consisting of moving targets as new malicious extensions are being detected daily.

As a KeepKey user, you can help to protect your funds by:

• Using the official link for the ShapeShift KeepKey Client
• Always verifying URLs, extensions, and software before installing and executing
• Pairing your KeepKey with ShapeShift.com website instead of an app
  

ShapeShift is committed to ensuring our users stay educated on how to keep their funds safe. Our teams have been working diligently with other affected cryptocurrency companies, legal entities, web hosting companies, and the Google Chrome App Store to help combat this threat.

ShapeShift Resources:‍

‍ShapeShift’s KeepKey Client:
https://chrome.google.com/webstore/detail/keepkey-client/idgiipeogajjpkgheijapngmlbohdhjg

ShapeShift Help Center:
https://keepkey.zendesk.com/hc/en-us/articles/360001411570-Getting-Started-Initializing-Your-KeepKey-Device

Additional Resources:‍

• ‍Discovering Fake Browser Extensions That Target Users of Ledger, Trezor, MEW, Metamask, and More
• 49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets