Cybersecurity researchers from Socket’s Threat Research Team have discovered a dangerous Google Chrome extension named “lmΤoken Chromophore” that is designed to steal sensitive cryptocurrency wallet information such as mnemonic seed phrases and private keys.
The extension presents itself as a simple Hex Color Visualizer tool, but in reality it impersonates the popular non-custodial cryptocurrency wallet brand imToken. Launched in 2016, imToken has more than 20 million users worldwide, making it an attractive target for phishing campaigns conducted by cybercriminals.
The official imToken team has clarified that their platform is only available as a mobile application and that they have never released any Chrome browser extension.
Despite this, the malicious extension mimics the visual identity of the imToken brand to deceive users and trick them into entering their 12- or 24-word seed phrases or private keys, enabling attackers to immediately gain control of victims’ cryptocurrency wallets.
The extension was exposed on February 2, 2026, by Socket’s Threat Research Team. It attempts to appear legitimate by displaying fake five-star reviews and a fraudulent privacy policy claiming that no user data is collected.
Phishing Workflow and Evasion Techniques
After installation, the extension does not perform its advertised color-picking functionality. Instead, it operates as a redirect mechanism.
Its background code retrieves a target website from a hardcoded remote endpoint hosted on JSONKeeper, and then automatically opens a new browser tab redirecting the user to the attacker’s infrastructure.
With this method, attackers can change the phishing destination at any time without updating the extension in the Chrome Web Store.
The initial redirect sends victims to a fraudulent domain:
chroomewedbstorre-detail-extension[.]com.
To bypass automated security scanners, attackers use Unicode homoglyph techniques, replacing normal Latin letters with visually similar Cyrillic and Greek characters. This helps evade simple text-matching detection systems.
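As an added example (not code from Socket's report or from this article), the Python sketch below shows one way to catch such names: it flags extension names that mix scripts inside a single word or that fold to a near match of a protected brand. The look-alike table is a small constructed subset, the 0.8 similarity threshold is an assumption, and the sample names are constructed from the ones mentioned above.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed subset of look-alike mappings (assumption). A production check
# would load the full Unicode confusables data instead.
CONFUSABLES = {
    "\u03a4": "T",  # GREEK CAPITAL LETTER TAU
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}
PROTECTED_BRANDS = ["imtoken"]  # brand named in the article, lowercased


def scripts_in(word):
    """Scripts used by the letters of one word, taken from Unicode names."""
    # Names begin with the script, e.g. "GREEK CAPITAL LETTER TAU".
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in word if ch.isalpha()}


def skeleton(text):
    """Fold compatibility forms and known look-alikes to lowercase Latin."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()


def assess(name, threshold=0.8):
    """Report mixed-script words and near matches to protected brands."""
    mixed = [w for w in name.split() if len(scripts_in(w)) > 1]
    hits = sorted({
        brand
        for word in skeleton(name).split()
        for brand in PROTECTED_BRANDS
        if SequenceMatcher(None, word, brand).ratio() >= threshold
    })
    return {"mixed_script_words": mixed, "brand_lookalike": hits,
            "suspicious": bool(mixed or hits)}


if __name__ == "__main__":
    # Constructed samples: the impersonating name (Greek Tau written as an
    # escape) and the benign description the listing advertised.
    for sample in ["lm\u03a4oken Chromophore", "Hex Color Visualizer"]:
        print(repr(sample), assess(sample))
```

The mixed-script test catches the substitution even when the folded name is not an exact brand match, which is why plain string matching on "imToken" misses it.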
Once users reach the phishing page, they are presented with a fake wallet import interface powered by external JavaScript files such as sjcl-bip39.js and wordlist_english.js.
The page prompts users to enter their seed phrase or private key. After collecting this sensitive information, attackers maintain the illusion of legitimacy by asking users to set a local password and displaying a fake “upgrading” loading screen.
Finally, victims are redirected to the official token.im website, reducing suspicion while attackers quietly drain funds from the compromised wallets.
Remediation and Indicators of Compromise (IOC)
Security experts advise organizations to scrutinize browser extensions with the same level of security checks applied to third-party software.
Companies are also encouraged to restrict extension installations in sensitive browser environments.
Users should always download cryptocurrency wallet software only from official sources.
If a user has entered a seed phrase, private key, or wallet password on a suspected phishing page, the wallet should be treated as fully compromised, and funds should be immediately transferred to a new secure wallet.
Security teams should monitor for the following Indicators of Compromise (IOCs):
- Malicious Extension ID: bbhaganppipihlhjgaaeeeefbaoihcgi
- Publisher Email: liomassi19855@gmail[.]com
- Phishing Domain: chroomewedbstorre-detail-extension[.]com
- Remote Configuration Payload: jsonkeeper[.]com/b/KUWNE
- Malicious Script Infrastructure: compute-fonts-appconnect.pages[.]dev
Cybersecurity experts warn that cryptocurrency wallet attacks are rapidly increasing, and users should exercise extreme caution when installing browser extensions and rely only on trusted and official sources.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
