Malicious imToken Chrome Extension Steals Crypto Wallet Seed Phrases and Private Keys
Malicious Chrome Extension Impersonates imToken to Steal Cryptocurrency Wallet Credentials
A recently discovered malicious Google Chrome extension that masquerades as a legitimate tool steals sensitive cryptocurrency wallet information, including mnemonic seed phrases and private keys. The extension, named “lmΤoken Chromophore,” poses as a simple Hex Color Visualizer tool but in reality impersonates the popular non-custodial cryptocurrency wallet brand imToken.
Launched in 2016, imToken has gained over 20 million users worldwide, making it an attractive target for phishing campaigns. The official imToken team has clarified that their platform is only available as a mobile application and has never released any Chrome browser extension. Despite this, the malicious extension mimics the visual identity of the imToken brand to deceive users into entering their 12- or 24-word seed phrases or private keys, allowing attackers to gain immediate control of victims’ cryptocurrency wallets.
The extension was exposed on February 2, 2026, by a team of cybersecurity researchers. Upon installation, the extension does not perform its advertised color-picking functionality but instead operates as a redirect mechanism. Its background code retrieves a target website from a hardcoded remote endpoint hosted on JSONKeeper and automatically opens a new browser tab redirecting the user to the attacker’s infrastructure.
The initial redirect sends victims to a fraudulent domain, chroomewedbstorre-detail-extension[.]com, which employs Unicode homoglyph techniques to evade automated security scanners. Once users reach the phishing page, they are presented with a fake wallet import interface powered by external JavaScript files. The page prompts users to enter their seed phrase or private key, and after collecting this sensitive information, attackers maintain the illusion of legitimacy by asking users to set a local password and displaying a fake “upgrading” loading screen.
The homoglyph substitution replaces normal Latin letters with visually similar Cyrillic and Greek characters, which defeats simple text-matching detection systems that compare strings byte for byte. Finally, victims are redirected to the official token.im website, reducing suspicion while attackers quietly drain funds from the compromised wallets.
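The homoglyph trick described above is easy to catch once you stop comparing raw strings. The following detector is an added example and is not code from the article or from imToken: it reports every letter in an extension name or domain label that is not Latin script, folds known Greek and Cyrillic lookalikes (plus the Latin l/i and 0/o pairs) to a Latin "skeleton", and then compares each token against a watch-list of brand names with an edit-distance threshold. The watch-list, the folding table and the distance threshold of 3 are assumptions chosen for this example; the extension name is taken as it is printed on the page, with a lowercase L and a Greek capital Tau standing in for "i" and "T".

```python
import re
import unicodedata
from typing import Dict, List, Tuple

# Assumed watch-list: the brand and the store the campaign impersonates.
WATCHED_BRANDS = ["imtoken", "chromewebstore"]
MAX_DISTANCE = 3  # tuning assumption: edit distance at which a token counts as a lookalike

# Constructed folding table: Greek and Cyrillic letters that render like Latin
# letters, plus Latin/digit pairs that are commonly confused in typosquats.
CONFUSABLES: Dict[str, str] = {
    "\u0391": "a", "\u0392": "b", "\u0395": "e", "\u0397": "h", "\u0399": "i",
    "\u039a": "k", "\u039c": "m", "\u039d": "n", "\u039f": "o", "\u03a1": "p",
    "\u03a4": "t", "\u03a5": "y", "\u03a7": "x", "\u03bf": "o", "\u03bd": "v",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0410": "a", "\u0412": "b",
    "\u0415": "e", "\u041a": "k", "\u041c": "m", "\u041d": "h", "\u041e": "o",
    "\u0420": "p", "\u0421": "c", "\u0422": "t", "\u0425": "x",
    "l": "i", "1": "i", "0": "o",
}


def foreign_script_chars(text: str) -> List[Tuple[str, str]]:
    """Return (char, Unicode name) for every letter whose script is not Latin."""
    hits = []
    for ch in text:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        if not name.startswith("LATIN"):
            hits.append((ch, name))
    return hits


def skeleton(text: str) -> str:
    """Fold text to a lower-case Latin skeleton so visual lookalikes compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKC", text):
        if not ch.isalnum():
            continue
        folded = CONFUSABLES.get(ch) or CONFUSABLES.get(ch.lower()) or ch.lower()
        out.append(folded)
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(label: str) -> Dict[str, object]:
    """Flag mixed-script letters and brand lookalikes in an extension name or domain."""
    tokens = [t for t in re.split(r"[^\w]+", label) if t]  # \w is Unicode-aware
    brand_hits = []
    for tok in tokens:
        sk = skeleton(tok)
        for brand in WATCHED_BRANDS:
            d = levenshtein(sk, skeleton(brand))
            if d <= MAX_DISTANCE:
                brand_hits.append((tok, brand, d))
    return {"foreign_chars": foreign_script_chars(label), "brand_hits": brand_hits}


if __name__ == "__main__":
    for sample in ["lm\u03a4oken Chromophore",
                   "chroomewedbstorre-detail-extension[.]com",
                   "Hex Color Visualizer"]:
        print(sample, "->", analyze(sample))
```

Run it against names from an extension inventory or against newly observed domains from DNS logs: a non-empty `foreign_chars` list on a name that otherwise reads as Latin is a strong signal on its own, and a low-distance `brand_hits` entry on a token such as `chroomewedbstorre` catches the pure-Latin typosquat that the script check would miss.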
Remediation and Indicators of Compromise (IOC)
Security experts advise organizations to scrutinize browser extensions with the same level of security checks applied to third-party software. Companies are also encouraged to restrict extension installations in sensitive browser environments. Users should exercise extreme caution when installing browser extensions and rely only on trusted and official sources.
If a user has entered a seed phrase, private key, or wallet password on a suspected phishing page, the wallet should be treated as fully compromised, and funds should be immediately transferred to a new secure wallet. Security teams should monitor for the following Indicators of Compromise (IOCs):
- Malicious Extension ID: bbhaganppipihlhjgaaeeeefbaoihcgi
- Publisher: liomassi19855@gmail[.]com
- Phishing Domain: chroomewedbstorre-detail-extension[.]com
- Remote Configuration Payload: jsonkeeper[.]com/b/KUWNE
- Malicious Script Infrastructure: compute-fonts-appconnect.pages[.]dev
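A practical way to act on these indicators is to sweep Chrome profiles for the extension ID and sweep DNS or proxy logs for the domains. The script below is an added example, not tooling from the article or from imToken. It refangs the IOCs listed above, walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` layout to flag the known-bad ID, and matches log lines against the IOC hosts and the JSONKeeper payload path (the `jsonkeeper.com` host itself is a shared service and is deliberately not treated as an indicator). The log lines, the profile-directory fixture built in `demo()`, the benign extension ID and the script file name on the IOC host are constructed for this example; the default profile paths are the standard Linux and Windows locations.

```python
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable string."""
    return ioc.replace("[.]", ".")


# Indicators exactly as published in the advisory above.
MALICIOUS_EXTENSION_IDS = {"bbhaganppipihlhjgaaeeeefbaoihcgi"}
IOC_HOSTS = {refang(h) for h in [
    "chroomewedbstorre-detail-extension[.]com",
    "compute-fonts-appconnect.pages[.]dev",
]}
# jsonkeeper.com is a shared service: only this payload path is an indicator.
IOC_URL_PATHS = {refang("jsonkeeper[.]com/b/KUWNE")}

# Standard Chrome profile locations (assumption: default profile, not a named one).
DEFAULT_PROFILES = [
    Path.home() / ".config" / "google-chrome" / "Default",                       # Linux
    Path.home() / "AppData" / "Local" / "Google" / "Chrome" / "User Data" / "Default",  # Windows
]


def scan_extensions(profile_dir: Path) -> List[Dict[str, str]]:
    """Flag installed extensions whose ID is on the known-bad list."""
    findings = []
    for manifest in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "?")
        except (OSError, ValueError):
            name = "?"
        if ext_id in MALICIOUS_EXTENSION_IDS:
            findings.append({"id": ext_id, "name": name, "path": str(manifest)})
    return findings


def match_log_iocs(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that contains an IOC host or the payload path.

    Substring matching is intentional: the same sweep works on DNS query logs
    (bare hostnames) and proxy logs (full URLs). Case is folded for hunting
    purposes even though URL paths are case-sensitive in general."""
    hits = []
    for line in lines:
        lowered = line.lower()
        for ioc in sorted(IOC_HOSTS | IOC_URL_PATHS):
            if ioc.lower() in lowered:
                hits.append({"ioc": ioc, "line": line})
                break
    return hits


# Constructed sample log lines (not real telemetry) covering both log kinds.
SAMPLE_LOG = [
    "t=1 dns client=10.0.0.21 qname=chroomewedbstorre-detail-extension.com type=A",
    "t=2 proxy client=10.0.0.21 GET https://jsonkeeper.com/b/KUWNE status=200",
    "t=3 proxy client=10.0.0.22 GET https://jsonkeeper.com/b/OTHER status=200",
    "t=4 proxy client=10.0.0.21 GET https://compute-fonts-appconnect.pages.dev/constructed.js",
    "t=5 dns client=10.0.0.23 qname=token.im type=A",
]


def demo() -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Build a throwaway profile directory with one bad and one benign extension, then sweep."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        fixtures = {
            "bbhaganppipihlhjgaaeeeefbaoihcgi": "lm\u03a4oken Chromophore",
            "a" * 32: "Benign Example Extension",  # constructed benign ID
        }
        for ext_id, name in fixtures.items():
            manifest = profile / "Extensions" / ext_id / "1.0.0_0" / "manifest.json"
            manifest.parent.mkdir(parents=True)
            manifest.write_text(json.dumps({"name": name, "version": "1.0.0"}), encoding="utf-8")
        return scan_extensions(profile), match_log_iocs(SAMPLE_LOG)


if __name__ == "__main__":
    for profile in DEFAULT_PROFILES:
        if profile.is_dir():
            print(profile, scan_extensions(profile))
    found, hits = demo()
    print("demo extensions:", found)
    print("demo log hits:", [h["ioc"] for h in hits])
```

Any hit from `scan_extensions` should be handled as the advisory says: the wallet whose credentials were entered is compromised, so the priority is moving funds, not just removing the extension. Log hits for the JSONKeeper path or the `pages.dev` host identify which clients actually fetched the redirect configuration and the phishing scripts, which is a cleaner scoping signal than the DNS lookup alone.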
