Deceptive Chrome Extension Targeting Cryptocurrency Users Uncovered
Socket’s Threat Research Team has brought to light a cunningly deceptive Google Chrome extension that is designed specifically to steal private keys and seed phrases from unsuspecting cryptocurrency users. This malicious add-on, known as “lmΤoken Chromophore” (extension ID: bbhaganppipihlhjgaaeeeefbaoihcgi), cleverly disguises itself as a harmless hex color visualizer aimed at developers and digital artists.
The nefarious extension impersonates the popular non-custodial wallet brand, imToken, which has garnered over 20 million users since its inception in 2016, spanning more than 150 countries. However, the legitimate imToken wallet is exclusively mobile and has never issued a Chrome extension, rendering it a prime target for cybercriminals who exploit brand recognition to deceive users.
Upon installation, the malicious browser extension immediately initiates its stealthy attack, especially when users click on its icon. It operates under the guise of legitimacy, fostering an environment of trust. Socket’s Threat Research Team has also observed that the malicious storefront listing capitalizes on this vulnerability by showcasing fake user reviews rated at five stars and utilizing official branding imagery associated with the legitimate wallet to mislead potential victims effectively.
In an effort to appear credible, the extension includes a privacy policy that claims to engage in zero data collection. This tactic is intended to assuage any concerns users might have before they delve further into the code behind the extension.
Technical Breakdown of the Phishing Scheme
The underlying attack strategy employed by the threat actors relies on advanced evasion techniques aimed at bypassing both automated detection tools and human scrutiny. Rather than incorporating clear logic for local data theft within the extension itself, the malware operates primarily as a lightweight browser redirector.
When installed, the extension’s background JavaScript quietly retrieves a URL from a hardcoded external configuration endpoint hosted on JSONKeeper, subsequently redirecting the victim to a phishing site that mimics the official website but is actually operated by the hackers. This site is hosted on a deceptive lookalike domain, chroomewedbstorre-detail-extension.com, which adds another layer of confusion and distrust.
To evade detection, the attackers utilize mixed-script Unicode homoglyphs to circumvent basic text-matching and URL-based security filters. For instance, the phishing landing page displays “іmΤоken” instead of “imToken,” using visually identical Cyrillic and Greek characters to create a convincing façade.
Once users land on this deceptive page, they encounter an interface designed to mirror the legitimate wallet’s import feature. Victims are then prompted to input their 12 or 24-word seed phrases or plaintext private keys into the attackers’ fraudulent infrastructure, effectively allowing the criminals immediate control over their cryptocurrency holdings.
To keep victims unaware of the ongoing theft, the phishing workflow transitions to a fake local password setup screen that mimics genuine onboarding behavior, collecting additional credentials for future exploitation. Ultimately, users are led to believe they successfully engaged with authentic imToken software by being redirected to the legitimate token.im site, further obscuring the deception.
Indicators and Mitigation Strategies
Security analysts are urged to maintain heightened vigilance against browser extensions that execute remote commands or open external domains unexpectedly upon installation. Given that the attackers are using off-box control methods, it is straightforward for them to pivot their infrastructure or target new victims without necessitating updates to the extension.
Key Indicators of Compromise (IoCs) include the malicious extension ID (bbhaganppipihlhjgaaeeeefbaoihcgi), its name (lmΤoken Chromophore), the primary phishing domain (chroomewedbstorre-detail-extension.com), and the configuration endpoint (jsonkeeper.com/b/KUWNE).
To mitigate the risks associated with this type of phishing, both organizations and individual users should treat all browser extensions as inherently risky. Administrators must proactively restrict the installation of extensions in sensitive browser profiles and rigorously verify all cryptocurrency-related software through official vendor channels.
If users have inadvertently disclosed their seed phrases, private keys, or wallet passwords on any dubious page, the wallet must be considered compromised. Immediate action is necessary: users should transfer any remaining digital assets to a new wallet with fresh cryptographic keys to safeguard against potential theft.
In this age where cyber threats are becoming increasingly sophisticated, awareness and vigilant preventive measures are critical for safeguarding digital assets against malicious attacks.