Perceptive Security
SOC/SIEM Consultancy

Mixed-script homoglyphs and a lookalike domain mimic imToken’s import flow to capture mnemonics and private keys.
Published:
5 March 2026 at 23:47:27
Alert date:
6 March 2026 at 05:03:07
Source:
socket.dev
Web Technologies, Ransomware & Malware, Supply Chain & Dependencies
Socket's Threat Research Team discovered a malicious Chrome extension, 'lmΤoken Chromophore', that impersonates the imToken wallet while appearing to be a hex color visualizer. The extension automatically redirects users to a phishing site that mimics the Chrome Web Store using mixed-script homoglyphs. The phishing site captures seed phrases and private keys through fake wallet import flows. The extension uses JSONKeeper for remote configuration and redirects victims to chroomewedbstorre-detail-extension[.]com for credential theft. imToken has confirmed that it has no Chrome extension and has warned users about these fake extensions causing losses.
Technical details
The malicious Chrome extension 'lmΤoken Chromophore' impersonates the imToken wallet while presenting itself as a hex color visualizer. On install, the extension fetches its destination URL from a hardcoded JSONKeeper endpoint (jsonkeeper.com/b/KUWNE) and opens the phishing site at chroomewedbstorre-detail-extension.com. It uses mixed-script Unicode homoglyphs to mimic imToken (Cyrillic і, Greek Τ, Cyrillic о). The phishing site captures 12- or 24-word seed phrases or private keys through fake wallet import flows. The extension's background.js implements only the redirect logic and no legitimate functionality. The phishing infrastructure includes external JavaScript files for mnemonic validation and form processing, hosted on compute-fonts-appconnect.pages.dev.
Mitigation steps:
Restrict browser extension installs in sensitive profiles, verify wallet software against official vendor channels, and alert on extensions that fetch remote content and open external destinations. Hunt for lookalike domains, homoglyph-based paths, dead-drop configuration endpoints, and externally hosted JavaScript tied to wallet import flows. If a seed phrase, private key, or wallet password was entered into the phishing page, treat the wallet as compromised and rotate to new keys immediately. Use Socket's Chrome extension protection tools for real-time risk detection.
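The hunting step above (lookalike names and homoglyph-based paths) can be automated with a small triage check. The following is an added example written for this page; it is not code from Socket, Perceptive or imToken. It approximates the Unicode script of each letter from its character name (Python's unicodedata has no Script property), flags names or URL path segments that mix scripts, and collapses a constructed subset of the UTR #39 confusables table to a Latin "skeleton" that is compared against a constructed brand list with an edit-distance threshold. The sample inputs (the extension name from the advisory and a percent-encoded path segment like the one in the IOC list) are embedded inline.

```python
import unicodedata
from urllib.parse import unquote

# Constructed subset of the UTR #39 confusables table: non-Latin letters that
# render like Latin ones, mapped to the Latin letter they mimic. Extend as needed.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",            # Cyrillic small
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",                             # Cyrillic capital
    "\u03bf": "o", "\u03b1": "a", "\u03c4": "t",                             # Greek small
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u039f": "O", "\u03a4": "T",
    "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u0397": "H",              # Greek capital
}

# Constructed brand list (hypothetical watch-list for this example).
WATCHED_BRANDS = ["imToken", "MetaMask"]


def script_of(ch):
    """Approximate Unicode script of one letter from the first word of its
    character name (LATIN, CYRILLIC, GREEK, ...). Non-letters return None so
    digits and punctuation never count as a script."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts_in(text):
    """Set of scripts used by the letters of text."""
    return {s for s in map(script_of, text) if s}


def is_mixed_script(text):
    """True when letters from more than one script appear in text."""
    return len(scripts_in(text)) > 1


def skeleton(text):
    """Replace known confusables with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def levenshtein(a, b):
    """Standard edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(text, brands=WATCHED_BRANDS, max_distance=1):
    """Return the watched brand whose spelling is within max_distance edits of
    the skeleton of text, or None. Distance 1 also catches pure-ASCII swaps
    such as a lowercase l standing in for an i."""
    sk = skeleton(text)
    best = None
    for brand in brands:
        d = levenshtein(sk, brand)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best[0] if best else None


def assess(text, brands=WATCHED_BRANDS):
    """Triage verdict for one extension name, domain label or URL path segment.
    Percent-encoded input (as seen in URLs) is decoded first."""
    text = unquote(text)
    mixed = is_mixed_script(text)
    like = lookalike_of(text, brands)
    return {
        "text": text,
        "scripts": sorted(scripts_in(text)),
        "mixed_script": mixed,
        "skeleton": skeleton(text),
        "lookalike_of": like,
        # Suspicious if scripts are mixed, or it resembles a brand without being it.
        "suspicious": mixed or (like is not None and text != like),
    }


if __name__ == "__main__":
    # Constructed samples: the advisory's extension name, a legitimate brand
    # name, and a percent-encoded path segment of the kind listed in the IOCs.
    for sample in ["lm\u03a4oken", "imToken", "S%D0%B5%D0%B5d-Phrase"]:
        print(assess(sample))
```

Run it over extension titles from an enterprise extension inventory, or over decoded path segments from proxy logs, and escalate anything with `suspicious` set; the script-name heuristic is coarse (it treats every "CJK", "ARABIC", etc. prefix as one script), so tune the brand list and distance threshold to your environment.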
Affected products:
imToken wallet (impersonated)
Chrome Web Store
Chrome browser extensions
Related links:
https://socket.dev/chrome/package/bbhaganppipihlhjgaaeeeefbaoihcgi/overview
https://chromewebstore.google.com/detail/lm%CF%84oken-chromophore/bbhaganppipihlhjgaaeeeefbaoihcgi
https://token.im/
https://support.token.im/hc/en-us/articles/33409839387033-Beware-of-Malicious-Chrome-Extensions-and-AI-Video-Scams-Security-Monthly-Report-27th-Issue
https://socket.dev/chrome/package/bbhaganppipihlhjgaaeeeefbaoihcgi/files/4.9.5/background.js
https://socket.dev/blog/socket-now-protects-the-chrome-extension-ecosystem
https://socket.dev/features/web-extension
https://socket.dev/features/github
https://socket.dev/features/cli
https://socket.dev/blog/introducing-socket-firewall
https://socket.dev/blog/socket-mcp
Related CVEs:
Related threat actors:
IOCs:
bbhaganppipihlhjgaaeeeefbaoihcgi
liomassi19855@gmail.com
https://www.jsonkeeper.com/b/KUWNE
chroomewedbstorre-detail-extension.com
https://chroomewedbstorre-detail-extension.com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi
https://chroomewedbstorre-detail-extension.com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi/S%D0%B5%D0%B5d-Phrase/
https://chroomewedbstorre-detail-extension.com/detail-bbhaganppipihlhjgaaeeeefbaoihcgi/Private-Key/
https://compute-fonts-appconnect.pages.dev
https://compute-fonts-appconnect.pages.dev/sjcl-bip39.js
https://compute-fonts-appconnect.pages.dev/wordlist_english.js
https://compute-fonts-appconnect.pages.dev/jsbip39.js
https://compute-fonts-appconnect.pages.dev/formScript.js
This article was created with the assistance of AI technology by Perceptive.
