
The extension, named “lmΤoken Chromophore,” disguises itself as a harmless color visualization tool but secretly redirects victims to phishing pages that capture sensitive wallet information such as seed phrases and private keys.
The malicious extension was discovered by Socket’s Threat Research Team.
While the listing claims to provide a hex color visualization feature, its real purpose is to redirect victims to attacker-controlled websites that mimic the imToken interface.
Because cryptocurrency wallets rely on private keys and seed phrases for account access, attackers who obtain these secrets can immediately seize victims’ funds.
Extension Hides Phishing Redirect Functionality
Once installed, the malicious extension automatically opens a phishing page in a new browser tab.
The destination URL is retrieved from a hardcoded configuration endpoint hosted on jsonkeeper[.]com, allowing the threat actor to update the target destination remotely.
lmΤoken Chromophore extension listing, mimicked to appear affiliated with imToken. (Source: Socket)
The phishing page is hosted on the lookalike domain chroomewedbstorre-detail-extension[.]com, which mimics the appearance of a Chrome Web Store page and an imToken onboarding interface.
The attackers use Unicode homoglyphs in the branding to make the site appear legitimate while evading simple detection mechanisms.
Instead of providing the promised color visualization functionality, the extension redirects users to this phishing infrastructure every time it is installed or clicked.
The extension listing also includes several elements intended to increase trust, such as wallet-themed graphics, a five-star rating, and a privacy policy stating that no data is collected.
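The homoglyph and lookalike-domain tricks described above are cheap to spot mechanically. The following is an added defender-side example (not Socket’s tooling and not code from the article) that an extension-vetting or brand-monitoring job could run over listing names and hosting domains: it reports mixed Unicode scripts in a name, lists every non-ASCII letter with its code point, folds common look-alikes (a hand-picked subset, not the full UTS #39 confusables table) to see whether a protected brand name emerges, and measures the edit distance between each label of a host and the legitimate store name. It assumes the Τ in “lmΤoken” is GREEK CAPITAL LETTER TAU (U+03A4), which is how the article renders it; the sample names and hosts are constructed from values quoted in the article plus benign controls.

```python
import unicodedata

# Constructed samples: the names and hosts quoted in the article plus benign controls.
# The Greek capital tau is written as an escape so the look-alike is visible in source
# (assumption: the article's "lmΤoken" uses U+03A4).
FAKE_NAME = "lm\u03a4oken Chromophore"   # "lm" + GREEK CAPITAL LETTER TAU + "oken"
REAL_NAME = "imToken"
FAKE_HOST = "chroomewedbstorre-detail-extension.com"
REAL_HOST = "chromewebstore.google.com"

# Hand-picked confusable-folding table (assumption: a small subset, not full UTS #39 data).
_FOLD = str.maketrans({
    "\u03c4": "t",  # greek small tau
    "\u03bf": "o",  # greek small omicron
    "\u03b9": "i",  # greek small iota
    "\u03bd": "v",  # greek small nu
    "\u03b1": "a",  # greek small alpha
    "\u0435": "e",  # cyrillic small ie
    "\u043e": "o",  # cyrillic small o
    "\u0430": "a",  # cyrillic small a
    "l": "i", "1": "i", "|": "i",  # l / 1 / | read as capital I in many UI fonts
    "0": "o",
})


def script_of(ch):
    """Coarse script label for a letter, taken from its Unicode character name."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for label in ("LATIN", "GREEK", "CYRILLIC"):
        if name.startswith(label):
            return label.capitalize()
    return "Other"


def mixed_scripts(text):
    """Set of scripts used by the letters in text; more than one in a brand name is a red flag."""
    return {s for s in map(script_of, text) if s}


def non_ascii_letters(text):
    """(char, code point, name) for every non-ASCII letter, for an analyst to review."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for c in text if c.isalpha() and ord(c) > 127]


def skeleton(text):
    """Fold text to an ASCII 'what it looks like' form: NFKC, lowercase, then the fold table."""
    return unicodedata.normalize("NFKC", text).lower().translate(_FOLD)


def hidden_brand_match(text, brand):
    """True when the brand is absent from the literal text but appears once look-alikes are folded."""
    plain = text.lower()
    return brand.lower() not in plain and brand.lower() in skeleton(text)


def levenshtein(a, b):
    """Edit distance via the standard single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_distance(host, brand_label):
    """Smallest edit distance between any dot- or hyphen-separated token of host and the brand label."""
    tokens = host.lower().replace("-", ".").split(".")
    return min(levenshtein(t, brand_label.lower()) for t in tokens)


def assess(name, host):
    """Combine the checks into findings an extension-vetting job could log."""
    findings = []
    scripts = mixed_scripts(name)
    if len(scripts) > 1:
        findings.append(f"mixed scripts in name: {sorted(scripts)}")
    for c, cp, nm in non_ascii_letters(name):
        findings.append(f"non-ASCII letter {c!r} {cp} {nm}")
    if hidden_brand_match(name, REAL_NAME):
        findings.append(f"name reads as {REAL_NAME!r} once look-alikes are folded")
    d = lookalike_distance(host, "chromewebstore")
    if 0 < d <= 3:
        findings.append(f"host token within {d} edits of 'chromewebstore'")
    return findings


if __name__ == "__main__":
    for f in assess(FAKE_NAME, FAKE_HOST):
        print("FLAG:", f)
    print("benign findings:", assess(REAL_NAME, REAL_HOST))
```

Run against the constructed samples, the fake listing produces four findings (Latin and Greek mixed in the name, the tau itself, the folded name reading as “imToken”, and a host label three edits from “chromewebstore”) while the benign pair produces none. The distance threshold and the fold table are the tunable parts; a production job would swap the hand-picked table for the full confusables data and extend the brand list beyond the single wallet name used here.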
Phishing Pages Capture Wallet Secrets
After being redirected, victims are guided through a fake wallet import process that mimics imToken’s legitimate onboarding flow.
The phishing page offers two recovery options: entering a 12- or 24-word seed phrase or providing a wallet private key.
According to Socket research, to maintain the illusion of authenticity, the phishing workflow continues with a fake password setup screen followed by a loading message indicating that the wallet is being upgraded.
After the victim submits the sensitive information, the site opens the legitimate imToken website in a separate browser tab, potentially reducing suspicion.
Security experts warn that browser extensions can serve as powerful attack vectors because users often trust them once installed.
Since imToken is currently available only as a mobile app and does not offer a Chrome extension, any browser extension claiming to represent the wallet should be treated with suspicion.
| MITRE ATT&CK ID | Attack Technique Description |
|---|---|
| T1195.002 | Supply Chain Compromise |
| T1176.001 | Browser Extensions |
| T1059.007 | JavaScript Execution |
| T1036 | Masquerading |
| T1656 | Impersonation |
| T1566 | Phishing |
The post Fake imToken Browser Extension Targets Crypto Wallet Credentials appeared first on Cyber Security News.
