Malicious Chrome Extension Targets imToken Wallet Users

A fake Chrome extension impersonating imToken redirects users to phishing pages to steal crypto wallet keys.

Written by Ken Underhill
Mar 9, 2026

A malicious Chrome extension disguised as a harmless color visualization tool is quietly redirecting users to phishing pages designed to steal cryptocurrency wallet credentials. 

Socket researchers warn that the extension impersonates the popular imToken wallet brand and tricks victims into entering their seed phrases or private keys.

The “… extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it,” said the researchers.

Inside the Fake imToken Extension Scam

The campaign specifically targets imToken, a widely used non-custodial cryptocurrency wallet platform that serves more than 20 million users across more than 150 countries. 

Non-custodial wallets differ from exchange-based wallets because users maintain full control over their private keys and recovery phrases. 

While this model gives users greater ownership of their digital assets, it also means that anyone who obtains a wallet’s seed phrase or private key can immediately gain full control of the associated funds without needing to bypass additional authentication controls.

Researchers discovered that the malicious browser extension was published to the Chrome Web Store on Feb. 2, 2026, where it presents itself as a harmless hex color visualization tool. 

The listing includes professional-looking wallet-themed imagery, five-star ratings, and a privacy policy that claims the extension does not collect user data — details that can make the tool appear legitimate at first glance and increase the likelihood that users will install it.

However, imToken has confirmed that its wallet is only available as a mobile application and has never released a Chrome browser extension. 

The company warned users that fake browser extensions impersonating the imToken brand had already resulted in cryptocurrency theft and financial losses.

How the Malicious Extension Works

The malicious extension itself is intentionally minimal: it contains very little code and does not perform the color visualization functionality advertised in its listing. 

Instead, the extension acts primarily as a phishing redirector. 

Its background script retrieves a destination URL from a remote configuration endpoint hosted on JSONKeeper and automatically opens a new browser tab that redirects the user to a lookalike website controlled by the attacker.
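A defender-side static triage for the behaviour described above, written for this article and not taken from Socket's analysis or from the extension itself: it parses a constructed manifest.json and background script (sample files built for the example, with a placeholder config host) and reports broad permissions, install and click triggers, remote fetches and tab opens, the combination that makes up the redirector pattern.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of an unpacked extension, shaped like the behaviour described above
# (not the real extension's files): a background worker, one remote fetch, a placeholder host.
MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Hex Color Preview", "version": "1.0",
    "permissions": ["tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})
BACKGROUND = """
chrome.runtime.onInstalled.addListener(() => go());
chrome.action.onClicked.addListener(() => go());
async function go() {
  const cfg = await (await fetch("https://cfg-host.example/cfg.json")).json();
  chrome.tabs.create({ url: cfg.url });
}
"""

URL_RE = re.compile(r"""https?://[^\s'"`)]+""")
SUSPICIOUS_CALLS = {               # label -> regex for the API use it indicates
    "remote fetch": r"\bfetch\s*\(",
    "opens new tab": r"chrome\.tabs\.create\s*\(",
    "runs on install": r"chrome\.runtime\.onInstalled",
    "runs on toolbar click": r"chrome\.action\.onClicked",
}
BROAD = ("<all_urls>", "tabs", "webRequest", "scripting")


def triage(manifest_text: str, scripts: dict) -> dict:
    """Static triage of an extension: risky permissions, API uses and external hosts."""
    m = json.loads(manifest_text)
    findings = []
    broad = [p for p in m.get("host_permissions", []) + m.get("permissions", []) if p in BROAD]
    if broad:
        findings.append(f"broad permissions: {broad}")
    hosts = set()
    for name, src in scripts.items():
        for label, pat in SUSPICIOUS_CALLS.items():
            if re.search(pat, src):
                findings.append(f"{name}: {label}")
        hosts.update(h for h in (urlparse(u).hostname for u in URL_RE.findall(src)) if h)
    if hosts:
        findings.append(f"external hosts contacted: {sorted(hosts)}")
    # A remote fetch feeding tabs.create is the redirector pattern described in the article.
    redirector = all(any(l in f for f in findings) for l in ("remote fetch", "opens new tab"))
    return {"name": m.get("name"), "findings": findings, "hosts": sorted(hosts), "redirector": redirector}
```

Point triage() at the files of any unpacked extension pulled from an enterprise device; the hosts it lists are what to check against DNS and proxy logs.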

How Attackers Steal Seed Phrases

That landing page is designed to closely mimic imToken’s legitimate wallet import interface. 

To make the phishing site appear authentic, the attackers use mixed-script Unicode homoglyphs — characters from different writing systems that visually resemble standard Latin letters. 

For example, letters that appear to be i, T, or o may actually be Cyrillic or Greek characters substituted to bypass simple text-based detection systems and deceive casual reviewers.

Once the victim lands on the phishing page, the site walks them through what appears to be a normal wallet recovery process. 

Users are presented with two options: importing a wallet using a 12-word or 24-word seed phrase or entering the wallet’s private key directly. 

Either credential is sufficient for attackers to recreate the wallet and transfer its cryptocurrency assets to attacker-controlled addresses.

After the victim submits the seed phrase or private key, the phishing workflow continues with additional steps designed to reinforce the illusion of legitimacy. 

The site prompts the user to create a new password for the wallet and then displays a loading screen claiming that the wallet is being upgraded or synchronized. 

The process then opens the legitimate token[.]im site in a new tab to reassure victims that the import succeeded, even though attackers have already captured the credentials needed to take over the wallet. 

How to Reduce Malicious Extension Risk

Organizations should take steps to control which extensions can be installed and monitor their behavior.

  • Restrict browser extension installations through centralized policy controls and allow-list only approved extensions from trusted publishers.
  • Monitor browser and network activity for extensions that fetch remote configuration files, open external destinations, or connect to suspicious infrastructure.
  • Use DNS filtering and web gateways to block newly registered, typosquatting, or homoglyph-based domains commonly used in phishing campaigns.
  • Train users to install cryptocurrency wallet software only from official vendor distribution channels and verify legitimate applications before entering sensitive data.
  • Audit installed browser extensions and permission changes across enterprise devices to identify suspicious or unauthorized tools.
  • Implement strong wallet security practices, such as using hardware wallets or multi-signature protections and rotating keys immediately if a seed phrase or private key is exposed.
  • Regularly test incident response plans and phishing scenario playbooks.

Collectively, these steps help reduce the risk of successful extension-based attacks.
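A hostname check covering the mixed-script homoglyph technique described in the seed-phrase section and the homoglyph-domain blocking bullet above, added here as an example rather than code from Socket or imToken: it classifies each character's script from its Unicode name, reduces lookalikes to their Latin skeleton with a small hand-built subset of the UTS #39 confusables table, and flags hosts that mix scripts or collapse onto a protected brand (the brand list and sample hosts are constructed).

```python
import unicodedata

# Hand-built subset of the Unicode confusables table (UTS #39), constructed for this example:
# lookalike code point -> the Latin letter it imitates. The real table is far larger.
CONFUSABLES = {
    # Cyrillic: а е о р с х у і ј ѕ һ т
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
    "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u0442": "t",
    # Greek: ο α ι ν τ κ ρ
    "\u03bf": "o", "\u03b1": "a", "\u03b9": "i", "\u03bd": "v", "\u03c4": "t", "\u03ba": "k",
    "\u03c1": "p",
}
# Brand hosts that a lookalike must never collapse onto (constructed list for the example).
PROTECTED = {"imtoken", "imtoken.com", "token.im"}


def script_of(ch: str) -> str:
    """Coarse script label from the Unicode name (the stdlib exposes no Script property)."""
    if not ch.isalpha():
        return "COMMON"                      # digits, hyphens, label separators
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(text: str) -> str:
    """Replace each confusable with the Latin letter it mimics (simplified UTS #39 skeleton)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze_host(host: str) -> dict:
    """Flag a hostname whose labels mix scripts or whose skeleton matches a protected brand."""
    host = host.lower().rstrip(".")
    try:                                     # decode punycode (xn--) so the Unicode form is inspected
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass                                 # already Unicode, or undecodable: inspect as given
    findings = []
    for label in host.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:                 # e.g. Latin letters with a Cyrillic i or Greek omicron
            findings.append(f"mixed scripts in '{label}': {sorted(scripts)}")
    sk = skeleton(host)
    if sk != host:                           # only a host containing confusables can be a lookalike
        for brand in PROTECTED:
            if sk == brand or sk.endswith("." + brand) or sk.split(".")[0] == brand:
                findings.append(f"'{host}' is a confusable of protected brand '{brand}'")
                break
    return {"host": host, "skeleton": sk, "suspicious": bool(findings), "findings": findings}
```

Run analyze_host() over hostnames from DNS or proxy logs; a result with a brand finding is a candidate for the web gateway block list.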

Browser Extensions as Attack Vectors

This campaign highlights how browser extensions can become effective delivery mechanisms for phishing and credential theft. 

By impersonating legitimate brands and leveraging convincing user interfaces, attackers can gain access to cryptocurrency wallets and other sensitive data. 

Organizations should treat extension management as part of their broader endpoint security strategy and enforce stronger controls to reduce exposure. 

As part of a layered security approach, organizations are adopting zero trust solutions that continuously verify users, devices, and applications.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
