Article Title:
Malicious imToken Chrome Extension Deceives Users, Steals Cryptocurrency Wallet Credentials
Article Text:
In a recent cybersecurity development, a deceptive Google Chrome extension named “lmΤoken Chromophore” has been identified as a significant threat to cryptocurrency users. Disguised as a benign hex color visualizer, this extension impersonates the reputable non-custodial wallet brand, imToken, to illicitly obtain users’ wallet credentials.
Background on imToken and the Threat
Since its inception in 2016, imToken has garnered a global user base exceeding 20 million, establishing itself as a trusted platform in the cryptocurrency community. This widespread trust makes it an attractive target for cybercriminals aiming to exploit its reputation. The official imToken team has clarified that their services are exclusively available as a mobile application and have never been extended to a Chrome browser extension. Despite this, the malicious “lmΤoken Chromophore” extension has been designed to closely mimic imToken’s visual identity, thereby deceiving users into believing its authenticity.
Discovery and Deceptive Practices
The extension was brought to light by Socket’s Threat Research Team on February 2, 2026. It cunningly presents itself with fake five-star reviews and a fraudulent privacy policy that falsely claims no data collection, all to build a facade of legitimacy. Once installed, the extension disregards its purported color-picking functionality and instead operates as a redirector. It fetches a target website from a hardcoded remote endpoint hosted on JSONKeeper and opens a new browser tab directed to the attacker’s infrastructure. This mechanism allows the attackers to modify the phishing destination without needing to update the extension code in the Chrome Web Store.
Phishing Workflow and Evasion Tactics
Upon installation, the extension initiates a series of deceptive actions:
1. Redirect to Phishing Domain: Users are redirected to a deceptive domain, `chroomewedbstorre-detail-extension[.]com`, which employs mixed-script Unicode homoglyphs. This technique involves substituting standard Latin letters with visually similar Cyrillic and Greek characters in the page title and import path, effectively evading simple text-matching detection systems.
2. Fraudulent Wallet Import Interface: The phishing page presents a counterfeit wallet import interface, utilizing external JavaScript files like `sjcl-bip39.js` and `wordlist_english.js`. Users are prompted to input their secret mnemonic seed phrase or private key.
3. Illusion of Legitimacy: After harvesting the sensitive data, the workflow instructs users to set a local password and displays a fake “upgrading” loading screen.
4. Redirection to Official Site: To minimize suspicion, the sequence concludes by redirecting the victim to the official `token.im` website, while the attackers clandestinely drain the compromised accounts.
Remediation and Threat Indicators
To mitigate such threats, security teams are advised to:
– Scrutinize Browser Extensions: Apply the same level of scrutiny to browser extensions as is applied to traditional third-party software.
– Restrict Extension Installations: Limit the installation of extensions in sensitive browser profiles.
– Verify Software Sources: Always download wallet software through official vendor distribution channels.
– Respond to Compromises: If a seed phrase, private key, or wallet password has been entered into a suspected phishing page, consider the wallet completely compromised and promptly transfer funds to new, secure keys.
Security tools should monitor for extensions that primarily fetch remote content and open external destinations. Analysts should integrate the following Indicators of Compromise (IOCs) into their detection pipelines:
– Malicious Extension ID: bbhaganppipihlhjgaaeeeefbaoihcgi
– Publisher Email Address: liomassi19855@gmail[.]com
– Primary Phishing Landing Page: chroomewedbstorre-detail-extension[.]com
– Remote Configuration Payload: jsonkeeper[.]com/b/KUWNE
– Malicious Script Infrastructure: compute-fonts-appconnect.pages[.]dev
Conclusion
The emergence of the “lmΤoken Chromophore” extension underscores the evolving tactics of cybercriminals in targeting cryptocurrency users. By masquerading as trusted applications and employing sophisticated evasion techniques, these malicious actors pose significant risks to digital asset security. Users must remain vigilant, verify the authenticity of browser extensions, and adhere to best practices in safeguarding their cryptocurrency holdings.
