ShieldGuard Cryptocurrency Scam Dismantled by Okta Threat Intelligence
A recent cybersecurity operation has brought down a cryptocurrency scam known as ShieldGuard. The malicious browser extension, designed to harvest sensitive user data, was initially presented as a security tool aimed at protecting crypto wallets from phishing and harmful smart contracts.
Researchers identified the extension's true purpose after analyzing its capabilities, which included harvesting wallet addresses across all visited websites, capturing full HTML content from crypto platforms after login, tracking users persistently across sessions, and executing remote code via a command-and-control (C2) server.
The malware used obfuscation and a custom JavaScript interpreter to bypass Chrome's security restrictions, allowing attackers to deliver and execute code dynamically without triggering standard protections. Further investigation showed the infrastructure enabled attackers to collect account balances, transaction histories, and portfolio data.
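The capability list above (reading every visited site, persisting state across sessions, reaching out to remote infrastructure) maps onto a recognisable permission footprint in an extension's manifest. The following is an added example, not code from Okta's research or from the report, of a manifest triage script a defender can run over the extensions in a managed browser fleet. It checks only manifest-level signals; a custom interpreter hidden in obfuscated source would not show up here, so its output is a list of extensions worth an analyst's attention rather than a verdict. The three manifests it scores are constructed for illustration and do not represent ShieldGuard's actual manifest.

```javascript
// Added example: score Chrome extension manifests for the permission pattern
// behind wallet-harvesting extensions (read every site, persist identifiers,
// run injected scripts). Heuristic triage only; manifests cannot prove intent.

const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Permissions that become concerning once combined with broad host access.
const SENSITIVE_PERMISSIONS = {
  tabs: 'read the URL and title of every open tab',
  scripting: 'inject scripts into any matching page',
  webRequest: 'observe network requests to every site',
  cookies: 'read session cookies',
  storage: 'persist identifiers across browser sessions',
  webNavigation: 'track navigation across sites',
};

function isBroad(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Returns { score, findings, verdict } for one parsed manifest.json object.
function triageManifest(manifest) {
  const findings = [];
  let score = 0;

  // MV3 lists host patterns in host_permissions; MV2 mixed them into permissions.
  const hostPerms = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter(p => p.includes('://') || p === '<all_urls>'),
  ];
  if (hostPerms.some(isBroad)) {
    findings.push('broad host access: extension can read every site the user visits');
    score += 3;
  }

  // A content script matched on all URLs can capture full page HTML after login.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroad)) {
      findings.push(`content script ${JSON.stringify(cs.js || [])} runs on all URLs`);
      score += 3;
    }
  }

  for (const p of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS[p]) {
      findings.push(`permission "${p}": ${SENSITIVE_PERMISSIONS[p]}`);
      score += 1;
    }
  }

  // MV2 allowed relaxing the CSP to permit eval; MV3 extension pages may not,
  // which is why attackers resort to shipping their own interpreter instead.
  const csp = typeof manifest.content_security_policy === 'string'
    ? manifest.content_security_policy
    : (manifest.content_security_policy || {}).extension_pages || '';
  if (csp.includes('unsafe-eval')) {
    findings.push('CSP permits unsafe-eval: dynamic code execution is possible');
    score += 2;
  }

  // Any web page may message the extension if externally_connectable is broad.
  const ec = manifest.externally_connectable;
  if (ec && (ec.matches || []).some(isBroad)) {
    findings.push('externally_connectable from all origins');
    score += 1;
  }

  const verdict = score >= 6 ? 'review' : score >= 3 ? 'watch' : 'low';
  return { score, findings, verdict };
}

// Rank a batch of { name, manifest } entries, highest risk first.
function rankManifests(entries) {
  return entries
    .map(e => ({ name: e.name, ...triageManifest(e.manifest) }))
    .sort((a, b) => b.score - a.score);
}

// Constructed sample manifests (hypothetical, not from any real extension).
const SAMPLE_MANIFESTS = {
  benign: {
    manifest_version: 3,
    name: 'Reader Theme (constructed sample)',
    permissions: ['activeTab', 'storage'],
  },
  harvester: {
    manifest_version: 3,
    name: 'Wallet Shield (constructed sample)',
    permissions: ['tabs', 'storage', 'scripting', 'webRequest'],
    host_permissions: ['<all_urls>'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['collect.js'], run_at: 'document_idle' }],
  },
  mv2Eval: {
    manifest_version: 2,
    name: 'Legacy Helper (constructed sample)',
    permissions: ['<all_urls>', 'tabs'],
    content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  },
};

for (const r of rankManifests(Object.entries(SAMPLE_MANIFESTS).map(([name, manifest]) => ({ name, manifest })))) {
  console.log(`${r.verdict.padEnd(6)} score=${r.score} ${r.name}`);
  r.findings.forEach(f => console.log(`  - ${f}`));
}
```

Thresholds are deliberately low: in a fleet audit the cost of an analyst opening a few benign manifests is small next to the cost of missing one that reads every banking and exchange page the user visits. The `tabs`, `storage` and broad-host combination is exactly what "tracking users persistently across sessions" needs, and the constructed `harvester` manifest lands in the review bucket for that reason.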
