Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects
Socket’s Threat Research Team has uncovered a malicious Chrome extension disguised as a hex color visualizer that silently redirects victims to a threat actor-controlled phishing site engineered to steal cryptocurrency wallet seed phrases and private keys.
The extension, named lmΤoken Chromophore (ID: bbhaganppipihlhjgaaeeeefbaoihcgi) was published on February 2, 2026, and remained live on the Chrome Web Store at the time of reporting, with 39 weekly active users, fabricated 5-star ratings, and a privacy policy falsely claiming no data collection.
SlowMist’s Chief Information Security Officer, 23pds, issued an independent warning on March 6, 2026, corroborating the threat.
The attack begins the moment a victim installs the extension. Instead of launching any color tool, the extension’s background.js fetches a destination URL from a hardcoded JSONKeeper dead-drop endpoint (jsonkeeper[.]com/b/KUWNE) and automatically opens a new browser tab pointing to the lookalike domain chroomewedbstorre-detail-extension[.]com. The same redirect fires every time the user clicks the extension icon, so victims are repeatedly exposed to threat actor-controlled infrastructure. Because the destination is read from the dead drop rather than bundled in the package, the operator can swap the landing site without republishing the extension.
The phishing landing page impersonates imToken’s wallet import flow, using mixed-script Unicode homoglyphs in the spoofed title. In іmΤоken, the i and o are Cyrillic characters while the T is Greek; in Sееd-Phrase, both e characters are Cyrillic. The strings render identically to the genuine ones but never match them byte for byte, so the substitution defeats simple text-matching detections, URL-based filters, and casual manual review.
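The homoglyph trick above is easy to catch once you look at scripts rather than glyphs. The following is an added example, not code from Socket’s report or from imToken: it reports which Unicode scripts a string mixes and maps a hand-picked subset of TR39 confusables (an assumption; real tooling should load the full confusables.txt) back to Latin so the string can be compared with the brand it imitates. The spoofed inputs are constructed here from the code points the article names. Requires Node with Unicode property escapes (Node 10+).

```javascript
// Added example (not Socket's or imToken's code): mixed-script detection plus
// a small confusables skeleton for comparing look-alike strings with brands.

const SCRIPT_TESTS = [
  ["Latin", /\p{Script=Latin}/u],
  ["Cyrillic", /\p{Script=Cyrillic}/u],
  ["Greek", /\p{Script=Greek}/u],
];

// Assumption: a hand-picked subset of Unicode TR39 confusables. Production
// tooling should load the full confusables.txt instead of this table.
const CONFUSABLES = new Map([
  ["\u0430", "a"], ["\u0435", "e"], ["\u043E", "o"], ["\u0440", "p"],
  ["\u0441", "c"], ["\u0443", "y"], ["\u0445", "x"], ["\u0456", "i"],
  ["\u0458", "j"], ["\u0455", "s"], ["\u0410", "A"], ["\u0412", "B"],
  ["\u0415", "E"], ["\u041A", "K"], ["\u041C", "M"], ["\u041D", "H"],
  ["\u041E", "O"], ["\u0420", "P"], ["\u0421", "C"], ["\u0422", "T"],
  ["\u0391", "A"], ["\u0392", "B"], ["\u0395", "E"], ["\u0397", "H"],
  ["\u0399", "I"], ["\u039A", "K"], ["\u039C", "M"], ["\u039D", "N"],
  ["\u039F", "O"], ["\u03A1", "P"], ["\u03A4", "T"], ["\u03BF", "o"],
]);

// Which of the three scripts appear in the string. Punctuation and digits are
// Script=Common and are ignored, so "Seed-Phrase" is still single-script.
function scriptsOf(text) {
  const found = new Set();
  for (const ch of text) {
    for (const [name, re] of SCRIPT_TESTS) if (re.test(ch)) found.add(name);
  }
  return [...found].sort();
}

function isMixedScript(text) {
  return scriptsOf(text).length > 1;
}

// Replace each known confusable with its Latin look-alike.
function skeleton(text) {
  let out = "";
  for (const ch of text) out += CONFUSABLES.has(ch) ? CONFUSABLES.get(ch) : ch;
  return out;
}

// Returns the brand string that `text` visually imitates while actually
// containing confusables, or null if it is genuine or unrelated.
function homoglyphMatch(text, brands) {
  const sk = skeleton(text);
  if (sk === text) return null; // no confusables present: nothing to flag
  for (const brand of brands) {
    if (sk.toLowerCase() === brand.toLowerCase()) return brand;
  }
  return null;
}

// Constructed inputs reproducing the substitutions the report describes:
// Cyrillic і (U+0456), Greek Τ (U+03A4), Cyrillic о (U+043E), Cyrillic е (U+0435).
const SPOOFED_TITLE = "\u0456m\u03A4\u043Eken";
const SPOOFED_LABEL = "S\u0435\u0435d-Phrase";

// Summarise a batch of strings against a list of protected brand strings.
function report(strings, brands) {
  return strings.map((s) => ({
    input: s,
    scripts: scriptsOf(s),
    skeleton: skeleton(s),
    impersonates: homoglyphMatch(s, brands),
  }));
}

console.log(report([SPOOFED_TITLE, SPOOFED_LABEL, "imToken", "Seed-Phrase"],
                   ["imToken", "Seed-Phrase"]));
```

Run the skeleton over page titles, extension names and hostnames (after IDNA decoding) before string comparison; a hit on the brand with a non-empty script mix is a strong phishing signal, while a single-script Latin match is just the genuine string.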
Once on the phishing page, victims are funneled into one of two credential-capture paths: a mnemonic path requesting a 12 or 24-word seed phrase, or a private key path requesting plaintext wallet credentials.
The page loads external JavaScript files, including sjcl-bip39.js, wordlist_english.js, jsbip39.js, and formScript.js, hosted on compute-fonts-appconnect.pages[.]dev; the names suggest they handle mnemonic validation and form processing, so the page can check a submitted seed phrase against the BIP39 wordlist before it is sent on.
After credential submission, a fake password setup screen and a “wallet upgrading” loading animation sustain the illusion of a legitimate import flow. The sequence ends by opening the real token.im site as a decoy tab, reassuring the victim while the threat actor has already captured the wallet secret.
imToken confirmed it currently exists only as a mobile app and has never released a Chrome extension. Its January 2026 security notice explicitly warned that fake Chrome extensions had already caused user losses. Socket has reported the extension and its associated publisher account (liomassi19855@gmail[.]com) to Google for removal.
- Verify wallet software exclusively through official vendor channels; imToken confirms it has no Chrome extension.
- Restrict browser extension installs in sensitive or work-related browser profiles and enforce allowlists.
- Alert on extensions whose primary runtime behavior involves fetching remote content and opening external URLs on install.
- Hunt for homoglyph-based domains, dead-drop configuration endpoints (e.g., JSONKeeper), and externally hosted JavaScript tied to wallet import flows.
- Treat any wallet as compromised if a seed phrase or private key was entered on an unverified page. Rotate to new keys on a clean device immediately.
- Use Chrome extension protection to surface risk signals before deploying extensions in development or enterprise environments.
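The third and fourth recommendations can be turned into a static triage pass over an unpacked extension. The following is an added example, not Socket’s tooling and not the real extension’s code: it reads manifest.json and the background script text, flags the fetch-then-open-tab pattern, tab opening on install or on icon click, and URLs pointing at known dead-drop hosts. jsonkeeper[.]com is the host named in the report; the other dead-drop hosts, the sample manifest and the sample background script are constructed for illustration (the placeholder path /b/EXAMPLE is not the real one). Requires Node.

```javascript
// Added example (not Socket's tooling): static triage of an unpacked Chrome
// extension for "fetch a remote config, then open a tab" behaviour.

// Hosts used as free JSON dead drops. jsonkeeper.com is the one named in the
// report; the others are assumptions for illustration.
const DEAD_DROP_HOSTS = new Set(["jsonkeeper.com", "pastebin.com", "api.npoint.io"]);

const URL_RE = /https?:\/\/[^\s"'`)]+/g;

// MV3 uses background.service_worker; MV2 uses background.scripts[].
function backgroundScriptPath(manifest) {
  const bg = manifest.background || {};
  if (bg.service_worker) return bg.service_worker;
  if (Array.isArray(bg.scripts) && bg.scripts.length) return bg.scripts[0];
  return null;
}

function hostOf(url) {
  try { return new URL(url).hostname.replace(/^www\./, ""); } catch (e) { return null; }
}

// Returns extracted URLs, a list of finding tags, and an overall verdict.
function triageExtension(manifest, backgroundJs) {
  const urls = [...new Set(backgroundJs.match(URL_RE) || [])];
  const hosts = urls.map(hostOf).filter(Boolean);
  const findings = [];

  const fetchesRemote = /\bfetch\s*\(/.test(backgroundJs) || /XMLHttpRequest/.test(backgroundJs);
  const opensTab = /chrome\.tabs\.create\s*\(/.test(backgroundJs) || /window\.open\s*\(/.test(backgroundJs);
  const onInstall = /runtime\.onInstalled/.test(backgroundJs);
  const onClick = /(action|browserAction)\.onClicked/.test(backgroundJs);

  if (fetchesRemote && opensTab) findings.push("remote-fetch-then-open-tab");
  if (onInstall && opensTab) findings.push("opens-tab-on-install");
  if (onClick && opensTab) findings.push("opens-tab-on-icon-click");
  for (const h of hosts) if (DEAD_DROP_HOSTS.has(h)) findings.push(`dead-drop-host:${h}`);

  // Weak on its own, but a "tabs" permission with no content scripts fits a
  // pure redirector and is worth surfacing next to the behavioural hits.
  const perms = manifest.permissions || [];
  if (perms.includes("tabs") && !manifest.content_scripts) {
    findings.push("tabs-permission-without-content-scripts");
  }

  return {
    backgroundScript: backgroundScriptPath(manifest),
    urls,
    findings,
    suspicious: findings.length >= 2,
  };
}

// Constructed sample manifest for a "color tool" extension (not the real one).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Hex Color Visualizer",
  permissions: ["tabs"],
  background: { service_worker: "background.js" },
};

// Constructed stand-in for the behaviour the report describes: pull a URL from
// a dead-drop JSON document and open it on install and on icon click.
const SAMPLE_BACKGROUND_JS = `
const CFG = "https://jsonkeeper.com/b/EXAMPLE";
async function go() {
  const r = await fetch(CFG);
  const { url } = await r.json();
  chrome.tabs.create({ url });
}
chrome.runtime.onInstalled.addListener(go);
chrome.action.onClicked.addListener(go);
`;

// Constructed benign control: same shape, but only touches local storage.
const BENIGN_MANIFEST = { ...SAMPLE_MANIFEST, permissions: ["storage"] };
const BENIGN_BACKGROUND_JS = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.storage.local.set({ palette: ["#ff0000", "#00ff00"] });
});
`;

console.log(triageExtension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND_JS));
console.log(triageExtension(BENIGN_MANIFEST, BENIGN_BACKGROUND_JS));
```

The heuristics are deliberately coarse: they will also fire on legitimate extensions that open a welcome page on install, which is why the verdict requires at least two findings and why the dead-drop host list and the extracted URLs should be reviewed alongside network telemetry rather than trusted alone, as the closing paragraph of the article points out.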
The extension itself contained no local theft logic, only a fetcher and a redirector. Defenders should expect more lightweight browser extension lures that outsource all credential capture to remote, swappable infrastructure, making extension-level inspection alone insufficient without accompanying network and domain analysis.