AdsPower Browser Extension Code Injection Supply Chain Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

AdsPower, a secure antidetect browser, suffered a security breach when hackers exploited a vulnerability in a third-party technical service, tampering with MetaMask wallet plugins distributed through AdsPower's platform. This breach potentially exposed users' sensitive information, with estimated losses ranging from $4.1M to $4.7M. The company quickly removed the compromised plugins and reported the incident to Singapore law enforcement, while collaborating with external security experts. However, the community reacted with frustration, demanding more transparency, clearer details on the affected plugins, and a better response to prevent future breaches, including concerns over a lack of compensation and accountability.[1][2][3][4][5][6][7][8][9][10][11][12]

About AdsPower

AdsPower is a secure antidetect browser designed for managing multiple online accounts without the risk of being detected or banned by platforms like Facebook, Google, TikTok, and Amazon. It creates unique, customizable browser fingerprints for each user to maintain privacy and avoid detection. AdsPower offers features such as encrypted data storage, automated operations, and seamless multi-account management using Chrome or Firefox stealth browsers. With advanced security settings like two-factor authentication (2FA), abnormal login interception, and a bug bounty program, AdsPower aims to ensure the highest level of security for online activities in industries like e-commerce, affiliate marketing, cryptocurrency, and web scraping.

AdsPower, founded in 2019 in Hong Kong, is a leading antidetect browser designed to help businesses manage multiple accounts securely and avoid bans. It enables users to control their browser fingerprints and safely interact with various platforms. AdsPower’s journey has seen rapid growth, from a beta product to a global platform with over 5 million users by 2024. The company prioritizes customer experience, open communication, and innovation, constantly optimizing its products like SunBrowser and FlowerBrowser. With features such as the Synchronizer and Linux support, AdsPower has expanded globally, providing enhanced security for users across industries.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

AdsPower experienced a breach in January 2025, where hackers spread malicious code through third-party browser plugins, compromising 5 user wallets.

Key Event Timeline - AdsPower Browser Extension Code Injection Supply Chain Attack

Date | Event | Description
January 21st, 2025 3:00:00 AM MST | Reported Start Of Breach | The reported start of the breach period, according to ChainCatcher. If you installed or upgraded the AdsPower browser extension after this point, your funds were at risk.
January 24th, 2025 3:00:00 AM MST | Reported End Of Breach | The reported end of the breach period, which is when AdsPower presumably became aware of the issue and removed the malicious versions of the browser extension.
January 26th, 2025 7:07:00 PM MST | AdsPower Announcement Posted | In a Chinese tweet, the AdsPower team announces that on January 24, 2025, their security team discovered an intrusion involving hackers spreading malicious code through tampered third-party browser plug-ins. The team quickly addressed the issue by cutting off the hacker's access and removing potentially risky plug-ins. The case has been reported to Singapore law enforcement, and the investigation is ongoing. AdsPower thanked external experts, including SlowMist Technology, Certik, and top Singaporean consultants, for their assistance in identifying hacker wallet addresses and alerting relevant platforms. Risk reports have been submitted to domain name administrator NameCheap. The company expressed gratitude for community support and reassured users that safety remains a top priority as they continue to work with experts to resolve the situation, with updates to follow.
January 26th, 2025 7:13:00 PM MST | AdsPower Update Posted | AdsPower provides a further update that the AdsPower client and various browser environments are safe to use. Users are advised to transfer assets from their old wallet if they receive a pop-up notification and to reinstall the official plug-in through the Chrome Web Store. For any additional questions regarding safe usage, users can contact online customer service for support.
February 11th, 2025 12:14:00 AM MST | AdsPower February Update | AdsPower provides an update that the technical investigation into the January 24, 2025, security incident is still ongoing. The attack involved hackers spreading malicious code to tamper with third-party wallet plugins. The technical team acted quickly to clear the malicious code and block the attack channels. External experts, including SlowMist Technology and top consultants from Singapore, are assisting with the investigation, while the team is in close contact with local authorities. Users are advised to reinstall the affected plugins via the Chrome Web Store and transfer assets to secure wallets. AdsPower is prioritizing user data and security, implementing measures like server upgrades, enhanced monitoring, and emergency response teams. The company remains committed to improving security and will continue to communicate updates transparently.
March 12th, 2025 2:52:00 AM MDT | AdsPower March Update | AdsPower provides another update regarding the January 24, 2025, security breach, where hackers tampered with third-party MetaMask wallet plugins in AdsPower's fingerprint browser. The team promptly fixed the vulnerabilities, strengthened system security, and reported the incident to Singapore authorities, cooperating with their investigation. Affected users have been offered a "User Experience Value-Added Service Plan." The attack's origin has been traced to a flaw in a third-party service, with malicious MetaMask plugins being distributed. AdsPower has upgraded its app center to directly link to the Chrome Web Store for plugin downloads and plans further security improvements. The company remains committed to user safety and appreciates the patience and support of its users.

Technical Details

The breach occurred when hackers exploited a vulnerability in a third-party technical service system used by AdsPower, which allowed them to upload and distribute maliciously altered MetaMask wallet plugins. These compromised plugins were then spread through AdsPower's fingerprint browser, affecting certain users. The malicious code tampered with the browser extensions, and the attackers may have been able to access sensitive information, such as wallet data. The issue was detected on January 24, 2025, and AdsPower's technical team acted quickly to remove the malicious plugins, block the attack channels, and secure the system.
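As an added, illustrative example (not AdsPower's code, and not a description of their systems): the kind of pre-publication check a distribution channel can run on third-party extension packages before offering them to users, pinning the archive hash from a trusted source and verifying that the extension ID derived from the manifest's `key` matches the official one, so that both an injected script and a repackaged build under a different signing key are rejected. The key, archives, and hash below are constructed for the example.

```python
import base64
import hashlib
import io
import json
import zipfile
# Chrome derives an extension ID from the SHA-256 of the DER-encoded public key in
# manifest.json's "key" field: the first 32 hex digits, each mapped 0-9a-f -> a-p.
# A build repackaged under an attacker's key yields a different ID even if name/version match.
def extension_id_from_key(key_b64: str) -> str:
    der = base64.b64decode(key_b64)
    digest = hashlib.sha256(der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)

def verify_package(zip_bytes: bytes, pinned_sha256: str, expected_id: str) -> list:
    """Return a list of problems; an empty list means the package passed both checks."""
    problems = []
    if hashlib.sha256(zip_bytes).hexdigest() != pinned_sha256:
        problems.append("archive hash mismatch")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
    key = manifest.get("key")
    if not key:
        problems.append("manifest has no key")
    elif extension_id_from_key(key) != expected_id:
        problems.append("extension id mismatch")
    return problems

def build_package(manifest: dict, script: bytes) -> bytes:
    """Build an in-memory extension archive (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", script)
    return buf.getvalue()

# Constructed sample data: SAMPLE_KEY is not a real public key.
SAMPLE_KEY = base64.b64encode(b"constructed-sample-key-bytes-" * 3).decode()
MANIFEST = {"name": "Example Wallet", "version": "1.0.0", "key": SAMPLE_KEY}
GOOD = build_package(MANIFEST, b"console.log('official build');")
PINNED_SHA256 = hashlib.sha256(GOOD).hexdigest()  # would come from a trusted source
EXPECTED_ID = extension_id_from_key(SAMPLE_KEY)
# Same manifest, injected script: the pinned hash catches it.
TAMPERED = build_package(MANIFEST, b"console.log('official build'); /* injected */")
# Repackaged under a different key: the derived extension ID catches it as well.
OTHER_KEY = base64.b64encode(b"attacker-controlled-key-bytes-" * 3).decode()
REKEYED = build_package({**MANIFEST, "key": OTHER_KEY}, b"console.log('official build');")
if __name__ == "__main__":
    for label, pkg in (("good", GOOD), ("tampered", TAMPERED), ("rekeyed", REKEYED)):
        print(label, verify_package(pkg, PINNED_SHA256, EXPECTED_ID) or "OK")
```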

Total Amount Lost

ChainCatcher has estimated the losses as being at least $4.1m based on on-chain analysis.

Many others such as SlowMist and Halborn quote $4.7m USD. Halborn reports that only 5 users were affected.

The total amount lost has been estimated at $4,700,000 USD.

Immediate Reactions

The AdsPower team announces on Twitter/X that on the evening of January 24, 2025, their security team identified a breach involving hackers spreading malicious code through tampered third-party browser plug-ins. The technical team acted swiftly to contain the issue by severing the hacker's access and removing all potentially risky plug-ins. The incident has been reported to Singapore law enforcement, and an investigation is ongoing.

The team expresses gratitude to external experts like SlowMist Technology, Certik, and Singapore's leading technical consultants for their support. These experts have helped identify hacker wallet addresses and alerted major trading platforms and project teams about the risks. Additionally, risk reports have been submitted to domain name administrator NameCheap for domains linked to malicious activities.

AdsPower thanks the community for their support and reassures users that safety remains their priority. They continue to work with third-party experts to resolve the situation and will update the community with further progress.

The community's reaction to the AdsPower incident has been mixed, with many users expressing frustration and skepticism. Some have questioned the company's response, demanding more transparency regarding the affected plugins, how the attack occurred, and what measures are being taken to prevent future breaches. Concerns have been raised about the lack of a clear compensation plan, with some users warning others not to accept the offered "User Experience Value-Added Service," fearing it could limit future accountability. Others are critical of AdsPower's decision to report the incident to Singapore authorities instead of handling it locally, and some have asked for specific details about the hack, such as which plugins were affected and how the hackers gained access. Overall, there is a strong demand for clearer communication, transparency, and a more robust response to the security breach.

"The AdsPower security team discovered a breach in which hackers distributed malicious code, resulting in the compromise of some third-party browser extensions."

Ultimate Outcome

The browser extension was updated. AdsPower continues to provide updates approximately monthly.

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

Investigation to attempt to recover the funds is ongoing.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References