Since February 2024, an unknown hacker group has been publishing malicious Chrome browser extensions. The extensions pose as useful tools such as productivity apps, VPNs, or crypto services, but secretly steal data and let the attackers control the victim’s browser.
According to a report from Domain Tools Intelligence, the attackers also set up fake websites that impersonate real services. These sites steer visitors to the malicious extensions, which are hosted on the Chrome Web Store itself.
Although the extensions seem to work as promised, they secretly steal login details and cookies, take over browsing sessions, show unwanted ads, redirect users to shady sites, and phish via DOM manipulation.
Another trick these malicious Chrome extensions use is requesting far more permissions than their advertised function needs, declared in the extension’s manifest.json file. Host permissions that cover every website you visit, combined with browser APIs for cookies, tabs and network requests, give them the power to read and alter every page, fetch and run malicious code from an attacker-controlled server, redirect you to fake sites, and inject unwanted ads.
They also use a clever method to execute that code: the extension creates a temporary DOM element, places the code in the element’s “onreset” event handler, fires a reset event to trigger it, and then discards the element. This avoids the obvious eval() or injected script tag and is likely done to sneak past the browser’s content security policy (CSP) restrictions.
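The loader pattern just described is easy to recognise statically once you know its ingredients. The following is an added triage check written for this article, not code from the Domain Tools report or from any of the extensions; the two sample sources it scans are constructed, and the regexes are one reasonable way to spot the pattern, not a signature used by any vendor.

```javascript
// Added example: static triage for the "payload on the onreset handler of a
// throwaway element" trick. Each regex catches one ingredient; a file is
// flagged only when it both sets an onreset handler and fires a synthetic
// "reset" event, so ordinary form code that merely listens for reset is not.
const PATTERNS = {
  onresetHandler: /\.setAttribute\(\s*["']onreset["']|\.onreset\s*=/,
  resetDispatch: /dispatchEvent\(\s*new\s+(?:Event|CustomEvent)\(\s*["']reset["']/,
  elementRemoval: /\.remove\(\)|\.removeChild\(/,
};

function scoreSource(source) {
  const hits = Object.keys(PATTERNS).filter((name) => PATTERNS[name].test(source));
  return {
    hits,
    suspicious: hits.includes("onresetHandler") && hits.includes("resetDispatch"),
  };
}

// Scan a map of { filename: source } and return a per-file verdict.
function scanSources(files) {
  const report = {};
  for (const [name, source] of Object.entries(files)) {
    report[name] = scoreSource(source);
  }
  return report;
}

// Constructed sample sources (not taken from any real extension).
const samples = {
  // Loader resembling the described trick: the payload arrives as a string
  // (in the campaign, from an attacker-controlled server) and is executed via
  // an inline event handler instead of eval() or an injected <script>.
  "loader.js": `
    function runPayload(payload) {
      const el = document.createElement("div");
      el.setAttribute("onreset", payload);
      document.body.appendChild(el);
      el.dispatchEvent(new Event("reset"));
      el.remove();
    }`,
  // Benign form code that legitimately listens for the reset event.
  "form.js": `
    document.querySelector("form").addEventListener("reset", () => {
      console.log("form cleared");
    });`,
};

const report = scanSources(samples);
for (const [name, result] of Object.entries(report)) {
  console.log(name, result.suspicious ? "SUSPICIOUS" : "ok", result.hits.join(","));
}
```

One caveat worth keeping in mind when reading the CSP claim: an onreset attribute is an inline event handler, so whichever policy governs the document the element is injected into still decides whether it runs. What the trick avoids is eval() and script-element injection, which are the forms of dynamic execution most reviewers look for first.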
Some of the fake websites created by these hackers impersonated real services such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats. Once installed, the extensions quietly steal browser cookies, download additional malicious scripts, and open a WebSocket connection to an attacker-controlled server, which can be used to proxy the victim’s traffic and monitor their activity.
It is still unknown how people are being directed to these fake websites, but Domain Tools believes the attackers may be using common tactics like phishing emails or social media tricks.
Since the fake extensions are listed on the Chrome Web Store and have matching websites, they can show up in ordinary Google searches or Chrome Web Store searches. Domain Tools also noticed that many of the fake sites included Facebook tracking IDs, which hints that the attackers might be using Facebook or other Meta platforms, possibly through pages, groups, or ads, to attract users.
So far, no one knows who is running this operation, but the hackers have already created over 100 fake websites and malicious extensions. Google subsequently removed the dangerous extensions from the Chrome Web Store.
To stay safe, users are advised to install extensions only from developers they trust and to carefully check the permissions an extension requests before installing it, especially when it looks suspicious or mimics a well-known tool.
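Checking permissions by hand means opening the extension’s manifest.json and looking for the over-broad grants described earlier. The following is an added example written for this article, not code from the Domain Tools report or from any extension: a small audit that flags host permissions covering every site, the more dangerous API permissions, content scripts injected everywhere, and a loosened extension CSP. The sample manifest is constructed, and the list of “sensitive” APIs is the author’s judgement rather than anything the report enumerates.

```javascript
// Added example: audit a Chrome extension manifest.json for over-broad grants.
// Handles both Manifest V2 (host patterns mixed into "permissions") and
// Manifest V3 (host patterns in "host_permissions").

// API permissions a reviewer should question on a VPN, productivity or
// crypto tool (illustrative list, not an official classification).
const SENSITIVE_API_PERMISSIONS = new Set([
  "cookies",            // read/write session cookies for granted hosts
  "webRequest",         // observe traffic
  "webRequestBlocking", // alter or block traffic (MV2)
  "declarativeNetRequest", // rewrite/redirect requests (MV3)
  "tabs",               // URL and title of every open tab
  "scripting",          // inject scripts into pages
  "webNavigation",
  "proxy",              // route all browser traffic through a chosen proxy
  "debugger",
  "nativeMessaging",
]);

// Match patterns that cover essentially every site the user visits.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"];

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern.trim());
}

function auditManifest(manifest) {
  const findings = [];
  const permissions = manifest.permissions || [];
  const hostPermissions = [
    ...(manifest.host_permissions || []),
    ...permissions.filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  const apiPermissions = permissions.filter((p) => !hostPermissions.includes(p));

  for (const h of hostPermissions) {
    if (isBroadHost(h)) findings.push(`broad host permission: ${h}`);
  }
  for (const p of apiPermissions) {
    if (SENSITIVE_API_PERMISSIONS.has(p)) findings.push(`sensitive API permission: ${p}`);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) findings.push(`content script injected into every page: ${m}`);
    }
  }
  // A loosened extension CSP permits inline/eval'd script or remote sources.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  if (/unsafe-inline|unsafe-eval|https?:\/\//.test(cspText)) {
    findings.push(`loosened content_security_policy: ${cspText}`);
  }
  return findings;
}

// Constructed manifest in the style of the campaign's extensions (not a real one).
const sampleManifest = {
  manifest_version: 3,
  name: "Example VPN Helper", // hypothetical name
  permissions: ["cookies", "tabs", "webRequest", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

for (const finding of auditManifest(sampleManifest)) {
  console.log("-", finding);
}
```

A VPN extension legitimately needs the proxy permission, and a site-statistics tool may need a content script, so a finding is a prompt to compare the grant against the advertised function rather than a verdict on its own. Five findings on a manifest whose only declared purpose is a “VPN helper” is the kind of mismatch the report describes.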
However, it’s important to know that ratings can be faked. Hackers may hide negative reviews and boost positive ones to make their extensions look more trustworthy.
Domain Tools also found that some fake extensions posing as DeepSeek manipulated the review process itself. Users who gave a low rating (1-3 stars) were redirected to a private feedback form on a suspicious website (ai-chat-bot[.]pro), so their complaints never reached the store. Users who gave a high rating (4-5 stars) were sent on to the Chrome Web Store review page, so only positive reviews appeared publicly and the extension looked better than it was.