
Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects

A malicious Google Chrome extension impersonating the imToken cryptocurrency wallet is actively stealing user seed phrases and private keys. The extension functions as a lightweight redirector, fetching a destination URL from a hardcoded endpoint and sending victims to a homoglyph-obfuscated phishing site designed to harvest wallet recovery secrets.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-03-10

Authors: Socket Threat Research Team

Actors: liomassi19855@gmail.com

Source: Socket

Key Takeaways

  • A malicious Chrome extension named 'lmΤoken Chromophore' impersonates the imToken wallet to steal seed phrases and private keys.
  • The extension acts as a lightweight redirector, fetching its phishing destination URL from a hardcoded JSONKeeper endpoint upon installation.
  • The threat actor uses mixed-script Unicode homoglyphs (Cyrillic and Greek letters substituted for Latin ones) in page titles and URL paths to defeat plain string matching and URL-based blocklists.
  • The phishing workflow includes a fake 'upgrading' screen and a final redirect to the legitimate token.im site to reduce victim suspicion after credential theft.

Affected Systems

  • Google Chrome
  • imToken Wallet Users

Attack Chain

The attack begins when a victim installs the 'lmΤoken Chromophore' Chrome extension. On installation, the extension's background script fetches a destination URL from a hardcoded JSONKeeper endpoint and redirects the browser to a lookalike phishing domain styled as a Chrome Web Store listing (chroomewedbstorre-detail-extension[.]com). The phishing site uses mixed-script Unicode homoglyphs to impersonate the imToken wallet and prompts the user for their 12- or 24-word seed phrase or private key. After the victim submits the secret, the site shows a fake 'upgrading' loading screen and finally redirects to the legitimate token.im website to reduce suspicion.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but relies on IOCs and behavioral descriptions for hunting.

Detection Engineering Assessment

  • EDR Visibility: Low. Standard EDR products have little visibility into extension background scripts and in-browser redirects unless browser telemetry modules are enabled.
  • Network Visibility: Medium. DNS and TLS SNI logs will show lookups of the JSONKeeper host and the phishing domains, but the URL path, which is what identifies the specific JSONKeeper record and the seed-phrase capture page, is hidden by HTTPS. JSONKeeper is a shared public service, so traffic to it is only a weak signal on its own.
  • Detection Difficulty: Moderate. Detection relies on known malicious extension IDs or on spotting homoglyph and lookalike domains in web traffic, which is hard without browser security tooling.

Required Log Sources

  • Browser Extension Logs
  • DNS Logs
  • Web Proxy/Gateway Logs

Hunting Hypotheses

  • Hypothesis: Browser extensions that fetch configuration data from public JSON hosting or pastebin-like sites immediately after installation may be malicious redirectors.
    Telemetry: Web Proxy/Gateway Logs, Browser Extension Telemetry · ATT&CK Stage: Execution · FP Risk: Medium
  • Hypothesis: Web traffic to domains containing variations or misspellings of 'chrome web store' (e.g., chroomewedbstorre) indicates potential phishing activity.
    Telemetry: DNS Logs, Web Proxy Logs · ATT&CK Stage: Credential Access · FP Risk: Low
  • Hypothesis: Web page titles or URL paths containing mixed-script Unicode characters (homoglyphs) in common crypto terms (e.g., Seed-Phrase spelled with Cyrillic letters) suggest evasion attempts by phishing sites.
    Telemetry: Web Proxy Logs · ATT&CK Stage: Defense Evasion · FP Risk: Low
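The lookalike-domain and homoglyph hypotheses above, turned into a runnable hunting check. This is an added example, not code from Socket's report; it runs in Node over a constructed proxy-log sample, and the log line format, the brand list, the official-host allowlist and the confusables table are assumptions.

```javascript
// Added example (not code from Socket's report): hunting checks for the
// lookalike-domain and mixed-script homoglyph indicators on this page, run
// offline over constructed proxy-log lines. The log format, brand list,
// official-host allowlist and confusables table are assumptions.

const BRAND_TOKENS = ["chromewebstore", "imtoken"];                   // assumed
const OFFICIAL_HOSTS = ["chromewebstore.google.com", "token.im"];     // assumed
const KNOWN_BAD_EXTENSION_IDS = ["bbhaganppipihlhjgaaeeeefbaoihcgi"]; // from the IOC list
// Partial confusables table (assumption); real code would load Unicode's confusables.txt.
const CONFUSABLES = { "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
                      "\u0443": "y", "\u0445": "x", "\u03a4": "T", "\u03c4": "t", "\u03bf": "o" };

const foldConfusables = (s) => [...s].map((ch) => CONFUSABLES[ch] ?? ch).join("");
const safeDecode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// Which of the scripts the report mentions (Latin, Cyrillic, Greek) a string uses.
function scriptsIn(s) {
  const found = new Set();
  for (const ch of s) {
    if (/\p{Script=Latin}/u.test(ch)) found.add("Latin");
    else if (/\p{Script=Cyrillic}/u.test(ch)) found.add("Cyrillic");
    else if (/\p{Script=Greek}/u.test(ch)) found.add("Greek");
  }
  return [...found].sort();
}
const isMixedScript = (s) => scriptsIn(s).length > 1;

// Levenshtein edit distance, single-row dynamic programme.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Host label tokens that are a near-miss for a brand name after folding
// confusables, e.g. "chroomewedbstorre" is 3 edits from "chromewebstore".
function lookalikeTokens(hostname) {
  const hits = [];
  for (const token of hostname.split(/[.-]/)) {
    const folded = foldConfusables(token).toLowerCase();
    for (const brand of BRAND_TOKENS) {
      const distance = levenshtein(folded, brand);
      if (distance <= Math.floor(brand.length / 4)) hits.push({ token, brand, distance });
    }
  }
  return hits;
}

// Reasons a single URL is interesting (empty array if none).
function inspectUrl(rawUrl) {
  const reasons = [];
  let url;
  try { url = new URL(rawUrl); } catch { return reasons; }
  const host = url.hostname.toLowerCase();
  if (!OFFICIAL_HOSTS.includes(host)) {
    for (const hit of lookalikeTokens(host)) reasons.push({ kind: "lookalike-host", ...hit });
  }
  // The path is checked even on official hosts: the malicious store listing
  // itself carries the homoglyph slug and the known extension ID.
  for (const seg of url.pathname.split("/").filter(Boolean)) {
    const decoded = safeDecode(seg);
    if (isMixedScript(decoded)) reasons.push({ kind: "mixed-script-path", segment: decoded, scripts: scriptsIn(decoded) });
    for (const id of KNOWN_BAD_EXTENSION_IDS) if (decoded.includes(id)) reasons.push({ kind: "known-bad-extension-id", id });
  }
  return reasons;
}

// Assumed proxy-log line format: "<timestamp> <client-ip> <method> <url> <status>".
function huntProxyLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 5) return;
    const reasons = inspectUrl(fields[3]);
    if (reasons.length) findings.push({ line: i + 1, url: fields[3], reasons });
  });
  return findings;
}

// Constructed sample log: two legitimate requests, then three matching the IOCs.
const SAMPLE_LOG = [
  "2026-03-10T09:00:01Z 10.0.0.5 GET https://chromewebstore.google.com/detail/some-extension/abcdefghijklmnopabcdefghijklmnop 200",
  "2026-03-10T09:00:02Z 10.0.0.5 GET https://token.im/ 200",
  "2026-03-10T09:01:00Z 10.0.0.5 GET https://chromewebstore.google.com/detail/lm%CF%84oken-chromophore/bbhaganppipihlhjgaaeeeefbaoihcgi 200",
  "2026-03-10T09:01:05Z 10.0.0.5 GET https://chroomewedbstorre-detail-extension.com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi/S%D0%B5%D0%B5d-Phrase/ 200",
  "2026-03-10T09:01:09Z 10.0.0.5 GET https://chroomewedbstorre-detail-extension.com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi/Private-Key/ 200",
];

for (const f of huntProxyLog(SAMPLE_LOG)) console.log(f.line, f.url, JSON.stringify(f.reasons));
```

Two design points worth keeping: the official-host allowlist gates only the lookalike check, so the Chrome Web Store listing URL is still flagged by its homoglyph path slug, and the confusables fold runs before the edit-distance comparison, so a name such as lmΤoken lands within one edit of imtoken instead of two.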

Control Gaps

  • Browser Extension Allowlisting
  • Homoglyph Detection in Web Filters

Key Behavioral Indicators

  • Extensions with minimal local logic that immediately fetch remote URLs
  • Mixed-script Unicode characters in URLs or page titles
  • Unexpected password or seed phrase prompts originating from a browser extension
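An added example (not Socket's code and not the extension's own source) showing how the first indicator above, an extension with minimal local logic that fetches a remote URL on install and redirects, can be triaged statically from an unpacked package in Node. The two packages are constructed samples: one in the shape the Attack Chain describes, with a placeholder JSONKeeper path rather than the real endpoint, and one benign extension that also opens tabs. The paste-host list and the scoring thresholds are assumptions.

```javascript
// Added example (not code from Socket's report or from the extension): static
// triage of an unpacked Chrome extension for the thin-redirector pattern this
// page describes (background script fetches a URL from a paste-like host on
// install and navigates the browser there). Both packages are constructed
// samples; the paste-host list and the thresholds are assumptions.

const PASTE_LIKE_HOSTS = ["jsonkeeper.com", "pastebin.com", "jsonbin.io", "npoint.io"]; // assumed
const NAVIGATE = /chrome\.tabs\.(create|update)\s*\(|window\.open\s*\(/;
const FETCH = /\bfetch\s*\(/;

// Background entry points for Manifest V3 (service_worker) and V2 (scripts[]).
function backgroundScriptPaths(manifest) {
  const bg = manifest.background ?? {};
  return [...(bg.service_worker ? [bg.service_worker] : []), ...(Array.isArray(bg.scripts) ? bg.scripts : [])];
}

// Drop comments so commented-out code does not count; the "(^|[^:])" guard keeps
// the "//" inside "https://" from being treated as a line comment.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/(^|[^:])\/\/[^\n]*/g, "$1");
}

function hostnameOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Body of the first {...} block after position `from` (naive brace matching,
// adequate for triage but not a parser; braces inside strings will confuse it).
function braceBlockAfter(src, from) {
  const open = src.indexOf("{", from);
  if (open < 0) return "";
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1);
}

function triageExtension(pkg) {
  const src = stripComments(backgroundScriptPaths(pkg.manifest).map((p) => pkg.files[p] ?? "").join("\n"));
  const findings = [];
  const pasteUrls = (src.match(/https?:\/\/[^\s"'`)]+/g) ?? []).filter((u) => {
    const h = hostnameOf(u);
    return h !== null && PASTE_LIKE_HOSTS.some((p) => h === p || h.endsWith("." + p));
  });
  if (pasteUrls.length) findings.push(`fetches configuration from a paste-like host: ${pasteUrls.join(", ")}`);
  // Look inside the onInstalled callback only, so a benign extension that opens
  // a tab from a user click is not mistaken for an install-time redirector.
  const installAt = src.search(/chrome\.runtime\.onInstalled\.addListener\s*\(/);
  const installBody = installAt >= 0 ? braceBlockAfter(src, installAt) : "";
  if (FETCH.test(installBody) && NAVIGATE.test(installBody)) {
    findings.push("onInstalled handler fetches remotely and then navigates the browser");
  } else if (NAVIGATE.test(installBody)) {
    findings.push("onInstalled handler navigates the browser");
  }
  const codeBytes = src.replace(/\s+/g, "").length;
  if (FETCH.test(src) && codeBytes < 600) findings.push(`minimal local logic (${codeBytes} bytes) around a remote fetch`); // threshold assumed
  const name = pkg.manifest.name ?? "";
  if (/\p{Script=Latin}/u.test(name) && /[\p{Script=Cyrillic}\p{Script=Greek}]/u.test(name)) {
    findings.push(`mixed-script extension name: ${name}`);
  }
  return { findings, suspicious: findings.length >= 2 }; // threshold assumed
}

// Constructed sample 1: a thin redirector in the shape this page describes
// (the JSONKeeper path is a placeholder, not the real endpoint).
const REDIRECTOR_SAMPLE = {
  manifest: { manifest_version: 3, name: "lm\u03a4oken Chromophore", permissions: ["tabs"],
              background: { service_worker: "bg.js" } },
  files: {
    "bg.js": [
      "chrome.runtime.onInstalled.addListener(async () => {",
      "  const r = await fetch('https://www.jsonkeeper.com/b/PLACEHOLDER');",
      "  const cfg = await r.json();",
      "  chrome.tabs.create({ url: cfg.url });",
      "});",
    ].join("\n"),
  },
};

// Constructed sample 2: a benign extension that also opens tabs, but only on a
// user click and without any remote configuration fetch.
const BENIGN_SAMPLE = {
  manifest: { manifest_version: 3, name: "Docs Shortcut", permissions: ["contextMenus", "tabs", "storage"],
              background: { service_worker: "worker.js" } },
  files: {
    "worker.js": [
      "chrome.runtime.onInstalled.addListener(() => {",
      "  chrome.contextMenus.create({ id: 'docs', title: 'Open docs', contexts: ['selection'] });",
      "});",
      "chrome.contextMenus.onClicked.addListener((info) => {",
      "  const q = encodeURIComponent(info.selectionText || '');",
      "  chrome.storage.local.set({ lastQuery: q });",
      "  chrome.tabs.create({ url: 'https://developer.chrome.com/docs/extensions?q=' + q });",
      "});",
    ].join("\n"),
  },
};

for (const [label, pkg] of [["redirector", REDIRECTOR_SAMPLE], ["benign", BENIGN_SAMPLE]]) {
  console.log(label, JSON.stringify(triageExtension(pkg)));
}
```

The check is deliberately regex-level: it is meant for triaging a queue of extension packages, not for proving intent, and an obfuscated or minified bundle will need real JavaScript parsing. Its value is that all four signals in the redirector sample are cheap to compute from the manifest and background script alone, before anything is installed.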

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Remove the extension 'lmΤoken Chromophore' (ID: bbhaganppipihlhjgaaeeeefbaoihcgi) from all managed browsers.
  • If a user entered a seed phrase, private key, or wallet password into the phishing page, treat every account derived from that seed as compromised: generate a new wallet from a fresh seed on a clean device and move the assets to it immediately. A leaked seed cannot be rotated in place.

Infrastructure Hardening

  • Block access to the identified phishing domains and script hosting URLs (e.g., chroomewedbstorre-detail-extension.com, compute-fonts-appconnect.pages.dev) at the network perimeter.
  • Implement strict browser extension allowlisting policies to restrict installs in sensitive browser profiles.

User Protection

  • Deploy browser protection tools capable of analyzing extension risk and blocking malicious packages before deployment.

Security Awareness

  • Educate users on verifying wallet software against the vendor’s official distribution channels.
  • Train users to recognize lookalike domains, homoglyph-based paths, and unexpected prompts for wallet recovery secrets.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1176 - Browser Extensions
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1204 - User Execution
  • T1036 - Masquerading
  • T1656 - Impersonation
  • T1566 - Phishing
  • T1583.001 - Acquire Infrastructure: Domains
  • T1583.006 - Acquire Infrastructure: Web Services
  • T1056.003 - Input Capture: Web Portal Capture

Additional IOCs

  • Urls:
    • hxxps://chroomewedbstorre-detail-extension[.]com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi - Primary redirect phishing page
    • hxxps://chroomewedbstorre-detail-extension[.]com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi/S%D0%B5%D0%B5d-Phrase/ - Mnemonic capture phishing page using homoglyphs
    • hxxps://chroomewedbstorre-detail-extension[.]com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi/Private-Key/ - Private key capture phishing page
    • hxxps://compute-fonts-appconnect[.]pages[.]dev/sjcl-bip39.js - External mnemonic handling script
    • hxxps://compute-fonts-appconnect[.]pages[.]dev/wordlist_english.js - External wordlist script
    • hxxps://compute-fonts-appconnect[.]pages[.]dev/jsbip39.js - External BIP39 helper script
    • hxxps://compute-fonts-appconnect[.]pages[.]dev/formScript.js - External form processing script
    • hxxps://chromewebstore[.]google[.]com/detail/lm%CF%84oken-chromophore/bbhaganppipihlhjgaaeeeefbaoihcgi - Malicious Chrome Web Store listing (the slug lowercases the Greek Tau to τ, %CF%84, so hunt for both forms)
  • File Paths:
    • ../media/bundle.js - Local JavaScript bundle referenced in the phishing HTML
  • Other:
    • lmΤoken Chromophore - Malicious Chrome extension name (lowercase L stands in for the I of imToken, and the T is a Greek capital Tau, U+03A4)