Malicious Chrome Extensions Impersonate AI Assistants and Crypto Wallets to Steal Sensitive Data
Microsoft reported a campaign of malicious Chromium-based browser extensions masquerading as legitimate AI assistant tools to harvest LLM chat histories and browsing data, with reporting suggesting ~900,000 installs and Microsoft Defender telemetry indicating activity across 20,000+ enterprise tenants. The extensions collected full URLs and chat content from services including ChatGPT and DeepSeek, creating a high-risk data leakage path for proprietary code, internal workflows, and strategic discussions; Microsoft also noted cases where “agentic” browsers auto-downloaded these extensions, reducing user friction and increasing exposure.
Separately, Socket documented a fake imToken Chrome extension (bbhaganppipihlhjgaaeeeefbaoihcgi) that posed as a benign “hex color visualizer” but functioned as a phishing redirector: on install and on click it opened attacker-controlled pages, pulling a destination URL from jsonkeeper[.]com/b/KUWNE and sending victims to chroomewedbstorre-detail-extension[.]com to solicit 12/24-word seed phrases or private keys for wallet takeover. A Kaspersky post focused on consumer guidance for disabling unwanted AI features and broadly warned about privacy/security risks from pervasive AI assistants (including mention of insecure third-party “personal agent” setups), but it did not provide corroborated details tied to the specific malicious-extension campaigns described by Microsoft and Socket.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Unit 42 exposes 18 malicious AI-themed Chrome extensions
Palo Alto Networks Unit 42 reported 18 high-risk Chrome extensions masquerading as AI productivity tools that abused privileged browser capabilities to steal prompts, credentials, emails, API keys, and browsing data, with behaviors including remote access, adversary-in-the-browser surveillance, infostealing, spyware, and search hijacking. The researchers said Google was notified and either removed the extensions or warned their owners about policy violations.
DomainTools identifies malicious "ChatGPT Ad Blocker" Chrome extension
DomainTools reported a malicious Chrome extension named "ChatGPT Ad Blocker" that impersonated an ad blocker for ChatGPT but instead captured users’ ChatGPT conversations and exfiltrated them to a private Discord webhook. Researchers said the extension fetched remote configuration from GitHub every 60 minutes, injected code into ChatGPT pages, and was linked to the developer alias "krittinkalra."
Socket reports fake imToken extension to Google while it remains live
Socket disclosed that the fake imToken extension was still available in the Chrome Web Store with 39 weekly active users at the time of reporting. The company said it had reported both the extension and its publisher account to Google for removal.
Microsoft discloses technical details and mitigations for AI extension campaign
Microsoft published analysis of the malicious AI assistant extensions, describing their broad permissions, deceptive consent flows, local Base64-encoded JSON staging, and HTTPS exfiltration to attacker-controlled domains such as deepaichats[.]com and chatsaigpt[.]com. It also released mitigation guidance, Defender detections, and hunting queries for affected organizations.
Malicious AI assistant browser extensions reach large-scale distribution
Microsoft investigated a campaign involving malicious Chromium-based extensions impersonating AI assistant tools that harvested browsing data and LLM chat histories from services including ChatGPT and DeepSeek. The campaign reportedly reached about 900,000 installs and related activity was observed across more than 20,000 enterprise tenants.
Fake imToken Chrome extension is published to the Web Store
A malicious Chrome extension named “lmΤoken Chromophore,” impersonating the imToken wallet while posing as a color visualizer, was published in the Chrome Web Store. It used a redirector design to send users to attacker-controlled phishing pages that solicited seed phrases and private keys.
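As an added example (not code from Microsoft, Socket, or this page), the Python script below parses installed Chrome extension manifests and flags the indicators this story names: the fake imToken extension ID, the reported attacker domains, wildcard host access, and content access to the chat services the campaign harvested. The sample manifest is constructed, and the Chrome profile layout it walks is an assumption.

```python
import json
from pathlib import Path

KNOWN_BAD_IDS = {"bbhaganppipihlhjgaaeeeefbaoihcgi"}  # fake imToken extension (Socket report)
KNOWN_BAD_DOMAINS = {"deepaichats.com", "chatsaigpt.com",  # named in the Microsoft and Socket reports
                     "jsonkeeper.com", "chroomewedbstorre-detail-extension.com"}
# Chat services the campaign harvested; a genuine AI helper may need these, so this is a triage signal.
LLM_HOSTS = ("chatgpt.com", "chat.openai.com", "chat.deepseek.com")
WILDCARD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest shaped like the reported lures (not a real extension's).
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "AI Chat Helper", "permissions": ["storage"],
                   "host_permissions": ["https://chatgpt.com/*", "https://chat.deepseek.com/*"],
                   "content_scripts": [{"matches": ["https://chatgpt.com/*"], "js": ["inject.js"]}]}

def match_patterns(manifest):
    """Collect every URL match pattern the manifest requests (MV2 and MV3 fields)."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def assess(ext_id, manifest):
    """Return human-readable findings for one extension (empty list = nothing flagged)."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known malicious extension id")
    pats = match_patterns(manifest)
    if any(p in WILDCARD for p in pats):
        findings.append("wildcard host access")
    llm = list(dict.fromkeys(p for p in pats if any(h in p for h in LLM_HOSTS)))
    if llm:
        findings.append("content access to LLM chat sites: " + ", ".join(llm))
    bad = sorted(d for d in KNOWN_BAD_DOMAINS if d in json.dumps(manifest))
    if bad:
        findings.append("references reported attacker domains: " + ", ".join(bad))
    return findings

def scan_extensions_dir(root):
    """Walk <root>/<id>/<version>/manifest.json as Chrome lays it out; return flagged ids."""
    results = {}
    for mf in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip it rather than abort the scan
        if found := assess(mf.parent.parent.name, manifest):
            results[mf.parent.parent.name] = found
    return results
```

Point scan_extensions_dir at a profile's Extensions folder (for example ~/.config/google-chrome/Default/Extensions on Linux, or the equivalent under the Chrome user data directory on Windows and macOS). An LLM-host match on its own means the extension deserves review, not that it is malicious.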
Sources
4 references tracked.
That AI Extension Helping You Write Emails? It’s Reading Them First (unit42.paloaltonetworks.com)
Malicious Chrome Extension "ChatGPT Ad Blocker" Steals ChatGPT Conversations (cybersecuritynews.com)
Malicious AI Assistant Extensions Harvest LLM Chat Histories | Microsoft Security Blog (microsoft.com)
Fake imToken Chrome Extension Steals Seed Phrases via Phishi... (socket.dev)