Malicious Browser Add‑on Targets imToken Users’ Private Keys

GBHackers On Security, Mar 7, 2026

Why It Matters

The attack compromises the core credentials that protect billions in crypto assets, exposing a large user base to total fund loss. It highlights the growing threat of malicious browser extensions targeting high‑value non‑custodial wallets.

Key Takeaways

  • Chrome extension mimics imToken, steals seed phrases
  • Redirects users to phishing site via JSONKeeper config
  • Uses Unicode homoglyphs to evade detection
  • Over 20 million imToken users at risk
  • Recommend removing unknown extensions and resetting wallets

Pulse Analysis

The emergence of a fake imToken Chrome extension underscores a shift in cyber‑crime tactics toward exploiting brand trust in the crypto ecosystem. While imToken has never released a browser add‑on, attackers leveraged the wallet’s strong reputation to craft a seemingly innocuous visualizer, tricking developers and digital artists into installing the malware. By embedding a lightweight redirector that pulls a remote JSON configuration, the extension avoids hard‑coded malicious code, making it harder for static analysis tools to flag the threat.

Technical analysis reveals a multi‑stage phishing workflow designed for maximum stealth. After installation, the extension fetches a malicious URL and instantly redirects the user to a look‑alike domain that uses Cyrillic and Greek characters to mimic the imToken name. The landing page presents a flawless replica of the wallet import screen, prompting victims to enter 12‑ or 24‑word seed phrases or raw private keys. Once the credentials are captured, the site displays a fake upgrade screen before silently forwarding the user to the genuine token.im site, leaving the victim convinced the process succeeded.

For enterprises and individual investors, the incident serves as a reminder to treat browser extensions as high‑risk software, especially when handling cryptocurrency assets. Enforcing strict extension whitelists, educating users about official distribution channels, and monitoring for anomalous outbound requests can mitigate exposure. Should a seed phrase be entered on any unverified page, immediate wallet regeneration and fund migration are essential to prevent irreversible loss. This case also pressures platform operators to enhance vetting processes for Chrome Web Store listings, reducing the attack surface for future impersonation campaigns.
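The look-alike domain described above (Cyrillic and Greek letters standing in for the Latin ones in the imToken name) is exactly the pattern an outbound-request monitor can catch. The following is an added defender-side example, not code from the article or from imToken: it decodes punycode hostnames, folds a constructed subset of Unicode confusables to their Latin look-alikes, and flags any hostname that only matches a brand string after folding or that mixes scripts. The watchlist, confusables table and sample hostnames are all constructed for the example.

```python
import unicodedata

# Brand strings the article says were impersonated (token.im is imToken's real domain).
WATCHLIST = ("imtoken", "token.im")

# Constructed subset of Unicode confusables: Cyrillic/Greek letters that render like
# the Latin letters in "imtoken". A production tool would load Unicode's confusables.txt.
CONFUSABLES = {
    "\u0456": "i", "\u043e": "o", "\u0435": "e", "\u043a": "k",   # Cyrillic і о е к
    "\u0442": "t", "\u043c": "m",                                   # Cyrillic т м
    "\u03b9": "i", "\u03bf": "o", "\u03b5": "e", "\u03ba": "k",   # Greek ι ο ε κ
    "\u03c4": "t",                                                  # Greek τ
}


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels; pass through hostnames that are already Unicode."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def analyze_hostname(host: str) -> dict:
    """Flag hostnames that mimic a watchlisted brand via homoglyphs or mixed scripts."""
    decoded = to_unicode(host).lower()
    # Unicode script of every letter, taken from the first word of its character name.
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in decoded if ch.isalpha()}
    # Skeleton: fold confusable letters to their Latin look-alikes, then compare to brands.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", decoded))
    mimics = sorted(b for b in WATCHLIST if b in skeleton)
    homoglyphs_used = skeleton != decoded
    mixed_scripts = len(scripts) > 1
    return {
        "decoded": decoded,
        "skeleton": skeleton,
        "scripts": sorted(scripts),
        "mimics": mimics,
        "homoglyphs_used": homoglyphs_used,
        "mixed_scripts": mixed_scripts,
        # The genuine domain folds to itself; a look-alike only matches after folding.
        "suspicious": bool(mimics) and (homoglyphs_used or mixed_scripts),
    }


if __name__ == "__main__":
    # Constructed samples: the real domain, an all-Latin domain, and two homoglyph
    # look-alikes (one as Unicode, one as the punycode a browser sends on the wire).
    samples = ["token.im", "imtoken.com", "im\u0442oken.com",
               "\u03c4\u03bfken.im".encode("idna").decode("ascii")]
    for h in samples:
        r = analyze_hostname(h)
        print(f"{h:24} suspicious={r['suspicious']} skeleton={r['skeleton']} scripts={r['scripts']}")
```

Fed from a proxy or DNS log, the same function gives a per-hostname verdict; the skeleton and script fields tell an analyst why a hostname was flagged.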
