Explained: The AdsPower Hack (January 2025)

POSTED BY: Rob Behnke

01.30.2025

In January 2025, AdsPower — a Singapore-based developer of an antidetect browser — was the target of a cyberattack. The attacker replaced the project’s browser extension with a malicious download, enabling them to steal an estimated $4.7 million in crypto from five of the plugin’s users.

Inside the Attack

AdsPower develops an antidetect browser designed to allow a single user to manage multiple disconnected online profiles. The product creates a unique browser fingerprint for each profile, making it more difficult for websites to determine that all of the profiles belong to the same person. It also offers a wide range of other functions, including the ability to manage multiple crypto wallets for its various profiles.

The January 2025 security incident began when the attackers replaced the download of the cryptocurrency wallet browser plugin with a malicious version on January 21st. The company discovered the intrusion on January 24th and took action to replace the malicious plugins with legitimate code. After discovering the issue, the team advised users to reinstall a clean version of the plugin and transfer cryptocurrency to a new, secure wallet.

However, any user who downloaded the plugin or updated it during those three days received the malicious version. Since this plugin allowed the management of cryptocurrency wallets, the attacker was able to access the mnemonic phrases and private keys handled by the malicious code. With these, the attacker had full control over the user’s on-chain account, enabling them to drain value from it.

In total, an estimated $4.7 million was stolen from users of the wallet. This included losses from five different wallets whose owners downloaded the malicious version of the code.

Lessons Learned from the Attack

The AdsPower hack shows how dangerous and effective off-chain attacks can be. The attackers identified a vulnerability in the company’s IT infrastructure that they used to replace a legitimate plugin with info-stealing malware. Since this plugin had access to mnemonic phrases and private keys, this attack resulted in millions in lost crypto.


Conventional wisdom says to verify the authenticity of software before trusting it with sensitive data. In this case, however, the AdsPower attackers compromised the application’s legitimate distribution channels. The incident therefore underscores the value of cold storage, multi-signature wallets, and other private key security best practices for protecting high-value accounts against compromised keys and the theft of the crypto that they contain.

© Halborn 2024. All rights reserved.