
Masquerading as a harmless hex color visualizer, the extension actually impersonates the popular non-custodial wallet brand imToken.
Since its launch in 2016, imToken has served more than 20 million customers globally, making it a highly lucrative target for phishing campaigns.
The official imToken team has warned users that their platform is strictly a mobile application and they have never released a Chrome extension.
However, this malicious add-on lures victims by mirroring the trusted visual identity of the brand. Its true objective is to trick victims into handing over their 12- or 24-word seed phrases or plaintext private keys, which results in an immediate wallet takeover.
Socket's Threat Research Team published its analysis on February 2, 2026. The Chrome Web Store listing masks its danger behind fake five-star reviews and a fraudulent privacy policy claiming no data collection.
Phishing Workflow and Evasion Tactics
Upon installation, the extension completely ignores its advertised color-picking functionality. Instead, it acts as a lightweight redirector.
Its background code automatically fetches the redirect target from a hardcoded remote endpoint hosted on JSONKeeper, a free JSON hosting service. It then opens a new browser tab directed to the attacker's infrastructure.
This setup allows the threat actors to easily change the phishing destination at any time without having to update the extension code in the Chrome Web Store.
Figure: token.im site as a decoy after the wallet secret has already been collected. (Source: Socket)
The initial redirect sends victims to a deceptive phishing domain named chroomewedbstorre-detail-extension[.]com. To bypass automated security scanners and trick manual reviewers, the attackers use mixed-script Unicode homoglyphs.
By replacing standard Latin letters with visually identical Cyrillic and Greek characters in both the page title and the import path, the attackers evade simple string-matching detection: a rule that looks for the ASCII string "imToken" will not match a title in which the "o" is a Cyrillic о, even though the two render identically.
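The check a detector needs against this trick, as an added example that is not Socket's tooling or the extension's code: count the writing systems in a title or path and fold known confusables to a Latin skeleton before matching. The `CONFUSABLES` table is an assumption, a hand-picked subset of the Unicode TR39 confusables list covering the brand and file names on this page; the sample title and path are constructed.

```javascript
// Added example: mixed-script detection plus confusable folding, so a rule
// written for "imToken" still fires when Cyrillic or Greek look-alikes were
// swapped in. CONFUSABLES is a small, assumed subset of Unicode TR39.
const CONFUSABLES = new Map([
  ["\u0430", "a"], ["\u0435", "e"], ["\u043E", "o"], ["\u0440", "p"], // Cyrillic а е о р
  ["\u0441", "c"], ["\u0443", "y"], ["\u0445", "x"], ["\u0456", "i"], // Cyrillic с у х і
  ["\u0422", "T"], ["\u041C", "M"], ["\u041A", "K"], ["\u0421", "C"], // Cyrillic Т М К С
  ["\u03BF", "o"], ["\u03B1", "a"], ["\u03C4", "t"], ["\u03BA", "k"], // Greek ο α τ κ
  ["\u0391", "A"], ["\u0392", "B"], ["\u0395", "E"], ["\u03A4", "T"], // Greek Α Β Ε Τ
]);

// Writing systems present in a string. Digits and punctuation are script
// "Common" and are ignored; any other letter counts as "Other".
function scriptsOf(str) {
  const scripts = new Set();
  for (const ch of str) {
    if (/\p{Script=Latin}/u.test(ch)) scripts.add("Latin");
    else if (/\p{Script=Cyrillic}/u.test(ch)) scripts.add("Cyrillic");
    else if (/\p{Script=Greek}/u.test(ch)) scripts.add("Greek");
    else if (/\p{L}/u.test(ch)) scripts.add("Other");
  }
  return [...scripts];
}

// Replace each known confusable with its Latin counterpart.
function skeleton(str) {
  return [...str].map((ch) => CONFUSABLES.get(ch) ?? ch).join("");
}

// Compare an observed title or path with the ASCII string a rule expects.
// Mixed scripts whose skeleton equals the expected string is impersonation;
// an exact match, or a single-script foreign string, is not.
function checkHomoglyph(observed, expected) {
  const scripts = scriptsOf(observed);
  const folded = skeleton(observed);
  return {
    scripts,
    mixedScript: scripts.length > 1,
    skeleton: folded,
    impersonates: observed !== expected && folded.toLowerCase() === expected.toLowerCase(),
  };
}

// Constructed samples: a page title with Cyrillic Т and о, and an import
// path with a Greek ο. Both render exactly like their Latin originals.
const SAMPLES = {
  title: "im\u0422\u043Eken",        // looks like "imToken"
  path: "w\u03BFrdlist_english.js",  // looks like "wordlist_english.js"
};

console.log(checkHomoglyph(SAMPLES.title, "imToken"));
console.log(checkHomoglyph(SAMPLES.path, "wordlist_english.js"));
```

The single-script test matters: a genuinely Russian or Greek string is one script and must not be flagged, while a brand name with even one foreign letter is two scripts and deserves a look before the skeleton comparison decides whether it is impersonation.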
Once on the phishing page, victims see a fraudulent wallet import interface powered by external JavaScript files such as sjcl-bip39.js and wordlist_english.js, names that point to client-side BIP39 mnemonic handling and the standard English wordlist.
The site prompts users to input their secret mnemonic seed phrase or private key. To maintain the illusion of legitimacy after harvesting the sensitive data, the workflow asks users to set a local password and displays a fake “upgrading” loading screen.
Finally, the attack sequence redirects the victim to the official token.im website, minimizing suspicion while the attackers secretly drain the compromised accounts.
Remediation and Threat Indicators
Security teams must scrutinize browser extensions with the same rigor applied to traditional third-party software. Organizations are strongly advised to restrict extension installations in sensitive browser profiles.
Users should always verify all wallet software through official vendor distribution channels. If any user has entered a seed phrase, private key, or wallet password into a suspected phishing page, they must treat the wallet as completely compromised: changing the local password does not help, because the seed phrase is the secret that controls the funds. They should immediately move their assets to a wallet generated from a fresh seed on a clean device.
Security tools should monitor for extensions whose primary behaviour is to fetch remote content and open external destinations.
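The monitoring advice above, and the redirector behaviour described in the workflow section, reduce to a static pattern that can be checked at triage time. The following is an added example, not Socket's tooling or the extension's source: it scans a background script for a `fetch()` to a hardcoded remote endpoint whose response feeds `chrome.tabs.create()`, and cross-checks hardcoded URLs against the page's IOC hosts. The two background scripts are constructed samples modelled on the described behaviour, not the real extension's code; the defanged hosts are copied from the IOC list.

```javascript
// Added example: static triage for the "remote config, then open a tab"
// redirector pattern, plus an IOC host match. Regex-based on purpose: it is
// a first-pass filter, not a verdict.
const IOC_HOSTS_DEFANGED = [
  "chroomewedbstorre-detail-extension[.]com",
  "jsonkeeper[.]com",
  "compute-fonts-appconnect.pages[.]dev",
];

// Turn the usual defanging ("[.]", "hxxp") back into a parseable URL/host.
function refang(s) {
  return s.replace(/\[\.\]/g, ".").replace(/^hxxp/i, "http");
}

const IOC_HOSTS = new Set(IOC_HOSTS_DEFANGED.map(refang));

// Hostnames of every hardcoded http(s) string literal in the source.
function extractUrlHosts(src) {
  const hosts = new Set();
  const re = /["'`]((?:hxxp|http)s?:\/\/[^"'`\s]+)["'`]/gi;
  let m;
  while ((m = re.exec(src)) !== null) {
    try {
      hosts.add(new URL(refang(m[1])).hostname);
    } catch {
      // not a parseable URL literal; ignore it
    }
  }
  return hosts;
}

// True when chrome.tabs.create() receives a url that is not a string
// literal, i.e. computed at runtime (typically from a fetched response).
function opensComputedTab(src) {
  const re = /chrome\.tabs\.create\s*\(\s*\{[^}]*?\burl\s*:\s*([^,}]+)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    if (!/^["'`]/.test(m[1].trim())) return true;
  }
  return false;
}

// Returns finding tags; an empty list means nothing matched.
function triageBackgroundScript(src) {
  const findings = [];
  for (const host of extractUrlHosts(src)) {
    if (IOC_HOSTS.has(host)) findings.push(`ioc-host:${host}`);
  }
  if (/\bfetch\s*\(/.test(src) && opensComputedTab(src)) {
    findings.push("remote-config-redirect");
  }
  return findings;
}

// Constructed sample modelled on the behaviour the report describes
// (hardcoded JSONKeeper endpoint, redirect target taken from the response).
const SUSPICIOUS_BACKGROUND = `
chrome.runtime.onInstalled.addListener(async () => {
  const cfg = await fetch("https://jsonkeeper[.]com/b/KUWNE").then((r) => r.json());
  chrome.tabs.create({ url: cfg.url });
});
`;

// Constructed benign control: fixed help page, no remote fetch.
const BENIGN_BACKGROUND = `
chrome.action.onClicked.addListener(() => {
  chrome.tabs.create({ url: "https://example.com/help" });
});
`;

console.log(triageBackgroundScript(SUSPICIOUS_BACKGROUND));
console.log(triageBackgroundScript(BENIGN_BACKGROUND));
```

A benign extension that fetches an API and then opens a fixed URL produces no finding, since the tab target is a literal. The heuristic is deliberately cheap and is defeated by trivial obfuscation (`chrome["tabs"].create`, URLs assembled at runtime), so treat a hit as a reason to pull the extension for manual review rather than as proof of malice, and treat a miss as no evidence either way.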
Security analysts should integrate the following Indicators of Compromise (IOCs) into their detection pipelines to block this threat:
- Malicious Extension ID: bbhaganppipihlhjgaaeeeefbaoihcgi
- Publisher Email Address: liomassi19855@gmail[.]com
- Primary Phishing Landing Page: chroomewedbstorre-detail-extension[.]com
- Remote Configuration Payload: jsonkeeper[.]com/b/KUWNE
- Malicious Script Infrastructure: compute-fonts-appconnect.pages[.]dev
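One way to turn the extension ID and phishing hosts above into an enforced control on managed Chrome, as an added example and not a configuration from the report or from imToken: a Chrome enterprise policy that blocks the listed extension ID and blocks navigation to the phishing and script-hosting domains. Assumptions: the file lives in the managed policy directory on Linux (`/etc/opt/chrome/policies/managed/`); Windows and macOS deliver the same keys through Group Policy or configuration profiles instead.

```json
{
  "ExtensionInstallBlocklist": [
    "bbhaganppipihlhjgaaeeeefbaoihcgi"
  ],
  "URLBlocklist": [
    "chroomewedbstorre-detail-extension.com",
    "compute-fonts-appconnect.pages.dev",
    "jsonkeeper.com/b/KUWNE"
  ]
}
```

For the sensitive browser profiles the remediation section mentions, the stricter form is `"ExtensionInstallBlocklist": ["*"]` together with the vetted extension IDs in `ExtensionInstallAllowlist`, so that only reviewed extensions can be installed at all; the ID-specific blocklist above only stops this one listing and not the next one the same publisher uploads.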
The post Malicious imToken Chrome Extension Caught Stealing Mnemonics and Private Keys appeared first on Cyber Security News.
