lmΤoken Chromophore
lmΤoken Chromophore is a malicious Google Chrome extension that impersonates the imToken cryptocurrency wallet brand while posing as a hex color visualizer. According to Socket’s Threat Research Team, which reported it, the extension’s primary purpose is credential theft: it redirects victims to attacker-controlled phishing pages that solicit 12-word or 24-word seed phrases and plaintext private keys, enabling immediate wallet takeover. The extension does not provide its advertised color-visualizer functionality; instead, it acts as a lightweight redirector.
The extension automatically opens a phishing site after installation and also when the user clicks the extension. Its background code retrieves the destination URL from a hardcoded remote JSONKeeper endpoint, allowing the operators to change phishing destinations without updating the Chrome Web Store package. Reported implementation details include use of chrome.runtime.onInstalled and chrome.action.onClicked listeners and chrome.tabs.create to open the fetched URL.
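The install-or-click, fetch-remote-config, open-tab chain described above is a pattern that can be checked statically when triaging an unpacked extension. The Python below is an added example, not code from Socket's report or from the extension itself: it runs a few regexes over a constructed manifest and background script (the host remote-config.example and every value in the samples are placeholders, not the reported endpoint) and reports whether the redirector chain is present, which remote hosts the script contacts, and whether the action has no popup (chrome.action.onClicked only fires for popup-less actions, so a popup-less action whose click handler opens a tab fits a pure redirector).

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of an unpacked extension that follows the redirector pattern the
# report describes. Placeholder host and values; not the real extension's code or endpoint.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Hex Color Visualizer",
    "version": "0.0.1",
    "permissions": ["tabs"],
    "background": {"service_worker": "background.js"},
    "action": {"default_title": "Visualize"},   # no default_popup, so onClicked fires
})

SAMPLE_BACKGROUND = r"""
async function go() {
  const r = await fetch("https://remote-config.example/b/PLACEHOLDER");
  const cfg = await r.json();
  chrome.tabs.create({ url: cfg.url });
}
chrome.runtime.onInstalled.addListener(go);
chrome.action.onClicked.addListener(go);
"""

# Benign comparison sample: a popup-based tool that never fetches a remote URL.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Palette Helper",
    "version": "1.0.0",
    "action": {"default_popup": "popup.html"},
    "background": {"service_worker": "background.js"},
})
BENIGN_BACKGROUND = "chrome.runtime.onInstalled.addListener(() => console.log('ready'));"

# Building blocks of the redirector chain, matched in the background script.
PATTERNS = {
    "install_trigger": re.compile(r"chrome\.runtime\.onInstalled\.addListener"),
    "click_trigger":   re.compile(r"chrome\.action\.onClicked\.addListener"),
    "remote_fetch":    re.compile(r"fetch\(\s*[\"'](https?://[^\"']+)[\"']"),
    "opens_tab":       re.compile(r"chrome\.tabs\.create"),
}


def triage_extension(manifest_json: str, background_js: str) -> dict:
    """Static first-pass triage: does this extension look like a remote-config redirector?"""
    manifest = json.loads(manifest_json)
    hits = {name: bool(rx.search(background_js)) for name, rx in PATTERNS.items()}
    # Hostnames of every absolute URL passed to fetch(); these are the pivot points
    # an operator could use to swap destinations without republishing the package.
    remote_hosts = sorted({urlparse(u).hostname
                           for u in PATTERNS["remote_fetch"].findall(background_js)})
    action = manifest.get("action")
    popupless_action = isinstance(action, dict) and "default_popup" not in action
    redirector = (hits["remote_fetch"] and hits["opens_tab"]
                  and (hits["install_trigger"] or hits["click_trigger"]))
    return {
        "name": manifest.get("name"),
        "hits": hits,
        "remote_hosts": remote_hosts,
        "popupless_action": popupless_action,
        "verdict": "remote-config redirector" if redirector else "no redirector pattern",
    }


if __name__ == "__main__":
    for m, b in ((SAMPLE_MANIFEST, SAMPLE_BACKGROUND), (BENIGN_MANIFEST, BENIGN_BACKGROUND)):
        print(json.dumps(triage_extension(m, b), indent=2))
```

Regex triage only catches the plain form of the chain; minified or obfuscated scripts that build the URL at runtime need a proper JavaScript parser or dynamic observation of the service worker's outbound requests, and any hostname the triage surfaces should be compared against the indicators listed on this page.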
The phishing infrastructure uses mixed-script Unicode homoglyphs to mimic imToken branding and evade detection. Victims are sent to the lookalike domain chroomewedbstorre-detail-extension[.]com, where a fraudulent wallet import interface requests mnemonic seed phrases or private keys. The phishing pages load external JavaScript from compute-fonts-appconnect.pages[.]dev, including sjcl-bip39.js, wordlist_english.js, jsbip39.js, and formScript.js. After collecting secrets, the workflow asks the victim to set a local password, displays a fake wallet “upgrade” or loading screen, and then redirects or opens the legitimate token.im site as a decoy to reduce suspicion.
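Mixed-script homoglyph branding of the kind described above can be flagged from Unicode character names alone, without a confusables database. The Python below is an added example, not from the report or the imToken team: it constructs a lookalike label from Latin letters plus a Greek capital Tau (modelled on the reported branding), lists which scripts the label mixes, folds an assumed, deliberately small subset of Unicode's confusable letters to a Latin skeleton, and measures edit distance to a brand list (the entries "imtoken" and "example-wallet" are constructed for the illustration).

```python
import unicodedata

# Assumed subset of Unicode's confusable letters, built from character names so the
# table is unambiguous. A production check would use the full confusables.txt data.
_CONFUSABLE_NAMES = {
    "GREEK CAPITAL LETTER TAU": "T", "GREEK SMALL LETTER TAU": "t",
    "GREEK CAPITAL LETTER OMICRON": "O", "GREEK SMALL LETTER OMICRON": "o",
    "GREEK CAPITAL LETTER ALPHA": "A", "GREEK SMALL LETTER ALPHA": "a",
    "GREEK CAPITAL LETTER IOTA": "I", "GREEK SMALL LETTER IOTA": "i",
    "GREEK SMALL LETTER KAPPA": "k", "GREEK SMALL LETTER NU": "v", "GREEK SMALL LETTER RHO": "p",
    "CYRILLIC CAPITAL LETTER A": "A", "CYRILLIC SMALL LETTER A": "a",
    "CYRILLIC CAPITAL LETTER IE": "E", "CYRILLIC SMALL LETTER IE": "e",
    "CYRILLIC CAPITAL LETTER O": "O", "CYRILLIC SMALL LETTER O": "o",
    "CYRILLIC CAPITAL LETTER ER": "P", "CYRILLIC SMALL LETTER ER": "p",
    "CYRILLIC CAPITAL LETTER ES": "C", "CYRILLIC SMALL LETTER ES": "c",
    "CYRILLIC CAPITAL LETTER TE": "T", "CYRILLIC CAPITAL LETTER HA": "X",
    "CYRILLIC SMALL LETTER HA": "x", "CYRILLIC SMALL LETTER U": "y",
    "CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I": "i",
}
CONFUSABLES = {unicodedata.lookup(n): latin for n, latin in _CONFUSABLE_NAMES.items()}

# Scripts whose letters are commonly swapped into Latin brand names.
LETTER_SCRIPTS = ("LATIN", "GREEK", "CYRILLIC", "ARMENIAN", "HEBREW", "ARABIC")

# Constructed lookalike label: Latin "lm" + Greek capital Tau + Latin "oken".
SAMPLE_LOOKALIKE = "lm" + unicodedata.lookup("GREEK CAPITAL LETTER TAU") + "oken"
BRANDS = ["imtoken", "example-wallet"]   # constructed list for the illustration


def scripts_used(label: str) -> set:
    """Scripts present in the label, taken from the first word of each character name."""
    found = set()
    for ch in label:
        first = unicodedata.name(ch, "").split(" ")[0]
        if first in LETTER_SCRIPTS:
            found.add(first)
    return found


def skeleton(label: str) -> str:
    """Fold compatibility forms and known confusables to a lowercase Latin skeleton."""
    s = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s).lower()


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_label(label: str, brands: list) -> dict:
    """Flag a label that mixes scripts or whose skeleton is within one edit of a brand."""
    scripts = scripts_used(label)
    skel = skeleton(label)
    nearest, dist = min(((b, levenshtein(skel, b)) for b in brands), key=lambda t: t[1])
    mixed = len(scripts) > 1
    return {
        "label": label,
        "scripts": sorted(scripts),
        "mixed_script": mixed,
        "skeleton": skel,
        "nearest_brand": nearest,
        "distance": dist,
        # An exact brand match is the brand itself; a near miss or script mixing is not.
        "suspicious": mixed or 0 < dist <= 1,
    }


if __name__ == "__main__":
    for lbl in (SAMPLE_LOOKALIKE, "imToken"):
        print(analyze_label(lbl, BRANDS))
```

The two signals are independent: a label can be all-Latin and still be a near-miss of a brand, or mix scripts while being far from any brand, so the check reports both rather than collapsing them into one score.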
Known indicators and metadata directly mentioned in the reporting include Chrome extension ID bbhaganppipihlhjgaaeeeefbaoihcgi, publisher email liomassi19855@gmail[.]com, remote configuration URL jsonkeeper[.]com/b/KUWNE, phishing domain chroomewedbstorre-detail-extension[.]com, and script-hosting domain compute-fonts-appconnect.pages[.]dev. The analyzed extension version was 4.9.5. The extension was published on February 2, 2026, and had 39 weekly active users at the time of reporting. The official imToken team stated that imToken is only available as a mobile app and has never released a Chrome extension, and warned that fake Chrome extensions have caused user losses.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malicious Google Chrome extension masquerading as a hex color visualizer and impersonating the imToken wallet brand. It redirects victims to attacker-controlled phishing infrastructure to harvest 12/24-word seed phrases or plaintext private keys, then redirects to the legitimate token.im site as a decoy.
A malicious Chrome extension that masquerades as an imToken-related tool but functions primarily as a redirector: it fetches a destination URL from a hardcoded JSONKeeper endpoint and opens a threat actor-controlled lookalike site to phish for wallet recovery secrets (12/24-word seed phrases) or private keys, enabling crypto wallet takeover.