Skip to article
Security Alert
Emergent Story mode

Now reading

Overview

1 / 5 3 min 1 sources Single Outlet
Sources

Story mode

Security AlertSingle OutletBlindspot: Single outlet risk

Malicious Chrome Extension Targets Crypto Users

QuickLens Compromised to Steal Cryptocurrency from Thousands

Read
3 min
Sources
1 source
Domains
1

A malicious Chrome extension, QuickLens - Search Screen with Google Lens, was removed from the Chrome Web Store after it was compromised to steal cryptocurrency from thousands of users. The extension, which allowed...

Story state
Structured developing story
Evidence
Evidence mapped
Coverage
0 reporting sections
Next focus
What comes next

Continue in the field

Focused storyNearby context

Open the live map from this story.

Carry this article into the map as a focused origin point, then widen into nearby reporting.

Leave the article stream and continue in live map mode with this story pinned as your origin point.

  • Open the map already centered on this story.
  • See what nearby reporting is clustering around the same geography.
  • Jump back to the article whenever you want the original thread.
Open live map mode

Source bench

Blindspot: Single outlet risk

Single Outlet

1 cited references across 1 linked domains.

References
1
Domains
1

1 cited reference across 1 linked domain. Blindspot watch: Single outlet risk.

  1. Source 1 · Fulqrum Sources

    QuickLens Chrome extension steals crypto, shows ClickFix attack

Open source workbench

Keep reporting

ContradictionsEvent arcNarrative drift

Open the deeper evidence boards.

Take the mobile reel into contradictions, event arcs, narrative drift, and the full source workspace.

  • Scan the cited sources and coverage bench first.
  • Keep a blindspot watch on Single outlet risk.
  • Move from the summary into the full evidence boards.
Open evidence boards

Stay in the reporting trail

Open the evidence boards, source bench, and related analysis.

Jump from the app-style read into the deeper workbench without losing your place in the story.

Open source workbenchBack to Security Alert
🔒 Security Alert

Malicious Chrome Extension Targets Crypto Users

QuickLens Compromised to Steal Cryptocurrency from Thousands

By Emergent News Desk

Sunday, March 1, 2026 • 3 min read • 1 source reference

  • 3 min read
  • 1 source reference

A malicious Chrome extension, QuickLens - Search Screen with Google Lens, was removed from the Chrome Web Store after it was compromised to steal cryptocurrency from thousands of users. The extension, which allowed users to run Google Lens searches directly in their browser, had gained a significant following, with around 7,000 users and a featured badge from Google.

However, on February 17, 2026, a new version (5.8) of the extension was released, containing malicious scripts that introduced ClickFix attacks and info-stealing functionality. This development marked a significant turning point in the extension's history, transforming it from a legitimate tool to a malicious entity.

According to security researchers at Annex, the extension's ownership changed hands on February 1, 2026, when it was listed for sale on ExtensionHub, a marketplace where developers sell browser extensions. The new owner, listed as support@doodlebuggle.top under "LLC Quick Lens," updated the extension's privacy policy, hosting it on a barely functional domain.

The malicious version of the extension was designed to target cryptocurrency users, attempting to steal their sensitive information and assets. The ClickFix attack, a type of malware, was used to deceive users into divulging their login credentials and other sensitive data.

The compromise of QuickLens highlights the risks associated with third-party browser extensions. While these extensions can provide useful functionality, they can also pose significant security risks if not properly vetted and maintained.

Google's Chrome Web Store has faced criticism in the past for its handling of malicious extensions. In 2020, the company removed over 500 malicious extensions from the store after they were found to be stealing user data and executing malicious scripts.

The incident serves as a reminder for users to exercise caution when installing browser extensions, even those with high ratings and large user bases. It is essential to carefully review an extension's permissions, read user reviews, and monitor its behavior for any suspicious activity.

In response to the incident, Google removed the malicious extension from the Chrome Web Store, and users are advised to uninstall the extension and reset their browser settings. The company has also taken steps to improve its extension review process, including the use of artificial intelligence and machine learning to detect malicious activity.

As the use of browser extensions continues to grow, it is crucial for developers, users, and platform providers to prioritize security and work together to prevent similar incidents in the future.

In the wake of the QuickLens compromise, users are advised to remain vigilant and take steps to protect themselves from malicious extensions. This includes:

  • Carefully reviewing an extension's permissions and user reviews before installation
  • Monitoring extension behavior for suspicious activity
  • Keeping browser and extension software up to date
  • Using strong, unique passwords and enabling two-factor authentication
  • Regularly scanning for malware and other security threats

By taking these precautions, users can reduce the risk of falling victim to malicious browser extensions and protect their sensitive information and assets.

A malicious Chrome extension, QuickLens - Search Screen with Google Lens, was removed from the Chrome Web Store after it was compromised to steal cryptocurrency from thousands of users. The extension, which allowed users to run Google Lens searches directly in their browser, had gained a significant following, with around 7,000 users and a featured badge from Google.

However, on February 17, 2026, a new version (5.8) of the extension was released, containing malicious scripts that introduced ClickFix attacks and info-stealing functionality. This development marked a significant turning point in the extension's history, transforming it from a legitimate tool to a malicious entity.

According to security researchers at Annex, the extension's ownership changed hands on February 1, 2026, when it was listed for sale on ExtensionHub, a marketplace where developers sell browser extensions. The new owner, listed as support@doodlebuggle.top under "LLC Quick Lens," updated the extension's privacy policy, hosting it on a barely functional domain.

The malicious version of the extension was designed to target cryptocurrency users, attempting to steal their sensitive information and assets. The ClickFix attack, a type of malware, was used to deceive users into divulging their login credentials and other sensitive data.

The compromise of QuickLens highlights the risks associated with third-party browser extensions. While these extensions can provide useful functionality, they can also pose significant security risks if not properly vetted and maintained.

Google's Chrome Web Store has faced criticism in the past for its handling of malicious extensions. In 2020, the company removed over 500 malicious extensions from the store after they were found to be stealing user data and executing malicious scripts.

The incident serves as a reminder for users to exercise caution when installing browser extensions, even those with high ratings and large user bases. It is essential to carefully review an extension's permissions, read user reviews, and monitor its behavior for any suspicious activity.

In response to the incident, Google removed the malicious extension from the Chrome Web Store, and users are advised to uninstall the extension and reset their browser settings. The company has also taken steps to improve its extension review process, including the use of artificial intelligence and machine learning to detect malicious activity.

As the use of browser extensions continues to grow, it is crucial for developers, users, and platform providers to prioritize security and work together to prevent similar incidents in the future.

In the wake of the QuickLens compromise, users are advised to remain vigilant and take steps to protect themselves from malicious extensions. This includes:

  • Carefully reviewing an extension's permissions and user reviews before installation
  • Monitoring extension behavior for suspicious activity
  • Keeping browser and extension software up to date
  • Using strong, unique passwords and enabling two-factor authentication
  • Regularly scanning for malware and other security threats

By taking these precautions, users can reduce the risk of falling victim to malicious browser extensions and protect their sensitive information and assets.

Coverage tools

Sources, context, and related analysis

Visual reasoning

How this briefing, its evidence bench, and the next verification path fit together

A server-rendered QWIKR board that keeps the article legible while showing the logic of the current read, the attached source bench, and the next high-value reporting move.

Cited sources

0

Reasoning nodes

3

Routed paths

2

Next checks

1

Reasoning map

From briefing to evidence to next verification move

SSR · qwikr-flow

Story geography

Where this reporting sits on the map

Use the map-native view to understand what is happening near this story and what adjacent reporting is clustering around the same geography.

Geo context
0.00° N · 0.00° E Mapped story

This story is geotagged, but the nearby reporting bench is still warming up.

Continue in live map mode

Coverage at a Glance

1 source

Compare coverage, inspect perspective spread, and open primary references side by side.

Linked Sources

1

Distinct Outlets

1

Viewpoint Center

Not enough mapped outlets

Outlet Diversity

Very Narrow
0 sources with viewpoint mapping 0 higher-credibility sources
Coverage is still narrow. Treat this as an early map and cross-check additional primary reporting.

Coverage Gaps to Watch

  • Single-outlet dependency

    Coverage currently traces back to one domain. Add independent outlets before drawing firm conclusions.

  • No high-credibility anchors

    No source in this set reaches the high-credibility threshold. Cross-check with stronger primary reporting.

Read Across More Angles

Check the live asymmetry watch

Frontier can tell you whether this story’s lane is thin, transport-monoculture, or missing stronger anchors right now.

Open frontier →

Audit how this story fits your mix

Reader Lens now tracks source-dossier and lane visits, so you can see whether this story expands your overall reading behavior or reinforces a rut.

Open Reader Lens →

Source-by-Source View

Search by outlet or domain, then filter by credibility, viewpoint mapping, or the most-cited lane.

Showing 1 of 1 cited sources with links.

Unmapped Perspective (1)

bleepingcomputer.com

QuickLens Chrome extension steals crypto, shows ClickFix attack

Open

bleepingcomputer.com

Unmapped bias Credibility unknown Dossier
Fact-checked Real-time synthesis Bias-reduced

This article was synthesized by Fulqrum AI from 1 trusted sources, combining multiple perspectives into a comprehensive summary. All source references are listed below.