Note that no URL has ever been captured for help-tools.org

Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:

Domain Name: HELP-TOOLS.ORG
Registry Domain ID: D402200000008508823-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-12-06T08:04:10Z
Creation Date: 2018-12-02T06:52:52Z

The domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate.
As expected, the specific whois is anonymized:

Registrant Email: pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255

Emails sent to pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org should reach the malware author though.
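The newly-registered-domain check the post above does by hand (creation date versus when the domain showed up in the malware, plus a privacy-proxy registrant) is easy to automate. The following is an added example, not code from anyone in this thread: it parses the WHOIS fields quoted above and scores the domain. The `FIRST_SEEN` date, the `PRIVACY_PROXY_MARKERS` list and the function names are assumptions chosen for the example; the WHOIS values are the ones quoted in the post.

```python
"""Flag newly registered domains from WHOIS output (added example, not from the thread)."""
from datetime import datetime, timedelta, timezone

# WHOIS record as quoted in the post above (only the fields we use).
WHOIS_TEXT = """\
Domain Name: HELP-TOOLS.ORG
Registry Domain ID: D402200000008508823-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-12-06T08:04:10Z
Creation Date: 2018-12-02T06:52:52Z
Registrant Email: pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org
Registry Admin ID:
Admin Organization: See PrivacyGuardian.org
"""

# Constructed assumption: the day the hardcoded domain was first observed in the extension.
FIRST_SEEN = datetime(2018, 12, 7, tzinfo=timezone.utc)

# Assumed substrings that indicate a WHOIS privacy/proxy service rather than a real registrant.
PRIVACY_PROXY_MARKERS = ("privacyguardian", "whoisguard", "privacy", "proxy", "redacted")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict. First occurrence of a key wins;
    keys with an empty value (e.g. 'Registry Admin ID:') are kept as ''."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # partition on the FIRST colon so timestamps (which contain ':') stay intact
        key, _, value = line.partition(":")
        key = key.strip()
        if key and key not in record:
            record[key] = value.strip()
    return record


def parse_date(value: str) -> datetime:
    """Parse the RFC 3339 style timestamp registries emit; trailing 'Z' means UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_domain(whois_text: str, first_seen: datetime, max_age_days: int = 30) -> dict:
    """Score a domain: how old it was when first seen in the sample, and whether
    the registrant is hidden behind a privacy proxy. Young age + proxy is the
    pattern the post above describes for a domain registered for the campaign."""
    rec = parse_whois(whois_text)
    created = parse_date(rec["Creation Date"])
    age = first_seen - created
    registrant = rec.get("Registrant Email", "").lower()
    org = rec.get("Admin Organization", "").lower()
    privacy_proxy = any(m in registrant or m in org for m in PRIVACY_PROXY_MARKERS)
    return {
        "domain": rec["Domain Name"].lower(),
        "registrar_whois": rec.get("Registrar WHOIS Server", ""),
        "age_days": age.days,
        # registered shortly before it was seen in the malware
        "newly_registered": timedelta(0) <= age <= timedelta(days=max_age_days),
        # creation after first sighting would mean the sample predates the domain
        "registered_after_first_seen": age < timedelta(0),
        "privacy_proxy": privacy_proxy,
    }


if __name__ == "__main__":
    result = assess_domain(WHOIS_TEXT, FIRST_SEEN)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feeding the quoted record through `assess_domain` gives an age of 4 days with both `newly_registered` and `privacy_proxy` set, which is the combination worth routing to a blocklist or a review queue; a 30-day window is a common starting threshold for "newly registered domain" feeds, so adjust `max_age_days` to your own false-positive tolerance.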
Did you include a pixel tracker in that? If they open the email and their email service provider doesn't block it, you'll get their IP address which may be useful to connect/identify the user.
Unfortunately, there is the misconception among inexperienced users that running a Google extension is safer than running an exe. Plus, people may think it's safe because it's from Google.
How is the situation for Firefox extensions?
I'm afraid that since this scam is quite easy to pull off, the situation with these extensions is just going to get worse...
Quite the contrary, it's actually far easier to build and market a Chrome extension (or FF) when compared to a system-level executable.
Let's face it, any script kiddie can basically build one with junior-level knowledge of JavaScript.
If Google isn't checking the source, virtually no plugin/extension is 100% safe. I wouldn't be surprised if non-Bitcoin-related Chrome extensions are built just waiting to pick up on Bitcoin-related traffic.