Threat Advisory

Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects

Threat: Phishing Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A malicious browser extension impersonating the popular cryptocurrency wallet imToken has been identified as part of a phishing operation targeting cryptocurrency users. The extension, distributed through unofficial channels and disguised as a legitimate wallet tool, aims to steal sensitive wallet credentials from unsuspecting victims. Once installed in the Google Chrome environment, the extension appears to provide normal wallet functionality, creating a false sense of legitimacy. However, its primary purpose is to redirect users attempting to access wallet recovery features to attacker-controlled phishing pages. These pages closely imitate the legitimate wallet import interface and prompt victims to enter their seed phrases or private keys. Because cryptocurrency wallets rely heavily on seed phrases for account recovery and asset access, exposing these credentials allows attackers to gain full control over victims’ funds. The campaign highlights the growing trend of cybercriminals abusing browser extensions as an initial access vector to conduct credential harvesting and financial theft. By exploiting user trust in widely used crypto wallet tools, attackers increase the likelihood that victims will voluntarily submit sensitive information without realizing they are interacting with a malicious interface.

The malicious extension mimics legitimate branding and functionality associated with imToken, allowing it to blend into the user’s browser environment after installation. Once active, the extension monitors user interactions related to wallet management actions, particularly when users attempt to restore or import an existing wallet. Instead of connecting to the official wallet interface, the extension silently redirects the browser to a phishing page designed to replicate the wallet recovery screen. These pages prompt victims to enter their seed phrase, private key, or other recovery information required to restore wallet access. The harvested credentials are then transmitted to attacker-controlled infrastructure, enabling unauthorized access to the victim’s cryptocurrency wallet. Because seed phrases grant complete control over blockchain assets, attackers can immediately transfer funds to wallets under their control, making recovery extremely difficult. The extension’s behavior demonstrates the use of browser manipulation techniques such as redirect logic and credential harvesting forms embedded within phishing infrastructure. By leveraging a trusted platform like Google Chrome, the attackers increase the effectiveness of their operation and bypass user suspicion, as victims believe they are interacting with a legitimate wallet recovery interface.

This campaign demonstrates how malicious browser extensions can be weaponized to facilitate large-scale credential harvesting and cryptocurrency theft. By impersonating tools associated with imToken, attackers exploit user trust in widely recognized wallet services to trick victims into revealing critical recovery credentials. Once a seed phrase is compromised, the attacker effectively gains irreversible control over the associated cryptocurrency assets. The use of a browser extension as the delivery mechanism makes the threat particularly dangerous because extensions often operate with elevated browser permissions and remain active in the background without raising suspicion. Furthermore, the phishing pages used in the campaign closely replicate legitimate wallet interfaces, increasing the likelihood of successful credential capture. This incident highlights the importance of downloading extensions only from trusted sources and carefully reviewing permissions before installation. Security awareness among cryptocurrency users remains a critical defense against such threats, as attackers continue to adapt social engineering and phishing techniques to target digital asset holders.
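A defender-side check for the behaviour described above, added here as an example and not code from the advisory or from either referenced report: it audits an unpacked Chrome extension's manifest.json for the permissions that let navigation be observed and rewritten, and scans its scripts for redirect calls that sit next to wallet-recovery vocabulary. The sample manifest, the sample background script and the wallet-restore.example URL are constructed, and the heuristics are assumptions about the pattern, not signatures taken from the real extension.

```python
import json
import re
from pathlib import Path
# Permissions broad enough to observe navigation and rewrite it (Chrome MV2/MV3 names).
RISKY_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "scripting", "<all_urls>"}
# Primitives an extension can use to send the current tab somewhere else.
REDIRECT_RE = re.compile(r"chrome\.tabs\.(?:update|create)\(|location\.(?:replace|assign)\(|"
                         r"(?:window\.)?location(?:\.href)?\s*=(?!=)")
# Wallet-recovery vocabulary; a redirect sitting next to these words is the suspect pattern.
RECOVERY_RE = re.compile(r"seed|mnemonic|recover|restore|import[-_ ]?wallet|private[-_ ]?key", re.I)

def audit_manifest(manifest: dict) -> list[str]:
    """Flag permissions and injection scopes that make silent redirects possible."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = [f"risky permission: {p}" for p in sorted(perms & RISKY_PERMISSIONS)]
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if pattern in ("<all_urls>", "*://*/*"):
                findings.append(f"content script injected everywhere: {pattern}")
    return findings

def audit_script(source: str, window: int = 160) -> list[str]:
    """Report redirect calls whose surrounding code (+/- window chars) mentions wallet recovery."""
    findings = []
    for m in REDIRECT_RE.finditer(source):
        ctx = source[max(0, m.start() - window): m.end() + window]
        if RECOVERY_RE.search(ctx):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(f"line {line}: redirect next to wallet-recovery term")
    return findings

def audit_extension(ext_dir: Path) -> dict[str, list[str]]:
    # Walk an unpacked extension: manifest.json plus every *.js file under it.
    report = {"manifest.json": audit_manifest(json.loads((ext_dir / "manifest.json").read_text()))}
    for js in sorted(ext_dir.rglob("*.js")):
        if hits := audit_script(js.read_text(errors="replace")):
            report[str(js.relative_to(ext_dir))] = hits
    return report

# Constructed sample modelled on the behaviour the advisory describes; not the real extension.
SAMPLE_MANIFEST = {"permissions": ["tabs", "webNavigation", "storage"], "host_permissions": ["<all_urls>"],
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}
SAMPLE_SCRIPT = """\
chrome.webNavigation.onBeforeNavigate.addListener((d) => {
  if (/restore|import/i.test(d.url))
    chrome.tabs.update(d.tabId, { url: "https://wallet-restore.example/import" });
});
"""
```

Point audit_extension() at the directory of an unpacked extension to run both checks on real files; a hit is a reason to read the code, not proof of malice, since legitimate wallet extensions also handle restore flows.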

THREAT PROFILE:

Tactic                Technique ID   Technique                      Sub-Technique
Resource Development  T1583.001      Acquire Infrastructure         Domains
Resource Development  T1588.001      Obtain Capabilities            Malware
Initial Access        T1195.002      Supply Chain Compromise        Compromise Software Supply Chain
Initial Access        T1566.002      Phishing                       Spearphishing Link
Execution             T1204.002      User Execution                 Malicious File
Collection            T1056.003      Input Capture                  Web Portal Capture
Exfiltration          T1041          Exfiltration Over C2 Channel

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/malicious-imtoken-chrome-extension/

https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects
