Security News

Cybersecurity news aggregator

HIGH Attacks Web Discovery

Danger Alert: 100+ Fake Chrome Extensions Stealing Data And Hijacking Sessions In 2025 - FireXCore

DomainTools Intelligence researchers have identified a massive malware campaign utilizing over 100 fake Chrome extensions

21 May 2025 | Cybersecurity | Shiva | 6 min read | Updated: May 21, 2025

Dangerous Deception: Over 100 Fake Chrome Extensions Discovered Stealing Data and Hijacking Sessions

In a concerning development for internet users worldwide, cybersecurity researchers have uncovered a massive campaign involving over 100 Fake Chrome Extensions designed to steal sensitive information and hijack browser sessions. This sophisticated operation, active since February 2024, represents one of the most extensive browser extension-based threats in recent years, potentially affecting millions of users who unwittingly installed what appeared to be legitimate tools.

The Growing Threat of Fake Chrome Extensions

Browser extensions have become an integral part of our online experience, offering enhanced functionality and convenience. However, this recent discovery by DomainTools Intelligence (DTI) researchers reveals how cybercriminals are exploiting users’ trust in the Chrome Web Store to distribute malware at an unprecedented scale. The threat actor behind this campaign has created a network of fake websites masquerading as legitimate services, including AI tools, VPN providers, productivity enhancers, and financial applications.
These deceptive sites then direct unsuspecting visitors to install corresponding Fake Chrome Extensions from Google’s Chrome Web Store.

“The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more to direct users to install corresponding Fake Chrome Extensions on Google’s Chrome Web Store,” according to the DomainTools Intelligence team’s report.

How These Fake Chrome Extensions Work

What makes these Fake Chrome Extensions particularly dangerous is their dual functionality. On the surface, they appear to provide the advertised features, giving users no reason to suspect anything amiss. However, beneath this benign facade lies sophisticated malware designed to:

- Steal credentials and browser cookies: Potentially compromising accounts across multiple services
- Hijack active sessions: Allowing attackers to take control of logged-in accounts
- Inject unauthorized advertisements: Generating fraudulent revenue
- Perform malicious redirects: Sending users to phishing sites or other dangerous destinations
- Manipulate web traffic: Potentially intercepting sensitive data
- Execute phishing attacks: Through DOM (Document Object Model) manipulation

The extensions exploit excessive permissions granted during installation through their manifest.json files. These permissions allow them to interact with every website visited by the user, execute arbitrary code from attacker-controlled domains, and modify web content without additional user consent.
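A defender can review the manifest.json permissions described above before or after an extension is installed. The following is an added example, not code from the article or the DomainTools report: the lists of broad host patterns and risky API permissions are this example's own choices, and both sample manifests are constructed.

```python
# Match patterns that give an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that enable cookie theft, traffic interception, redirects,
# script injection and proxying (assumed watch list, adjust to local policy).
RISKY_APIS = {"cookies", "webRequest", "webRequestBlocking", "scripting",
              "declarativeNetRequest", "proxy", "debugger", "tabs"}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (V2 or V3)."""
    findings = []
    declared = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V3 lists host patterns in host_permissions; V2 mixes them
    # into permissions, so both lists are checked.
    hosts = set(declared + manifest.get("host_permissions", [])) & BROAD_HOSTS
    if hosts:
        findings.append("broad host access: " + ", ".join(sorted(hosts)))
    apis = sorted(set(declared) & RISKY_APIS)
    if apis:
        findings.append("risky API permissions: " + ", ".join(apis))
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            files = ", ".join(script.get("js", [])) or "(css only)"
            findings.append("content script on every page: " + files)
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # V3 uses an object keyed by context
        csp = csp.get("extension_pages", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens[:1] == ["script-src"]:
            loose = [t for t in tokens[1:]
                     if t == "'unsafe-eval'" or t.startswith(("http:", "https:"))]
            if loose:
                findings.append("CSP permits remote or eval'd script: " + " ".join(loose))
    return findings

# Constructed sample manifests (not taken from the campaign).
SUSPICIOUS = {
    "manifest_version": 3, "name": "Example VPN helper", "version": "1.0",
    "permissions": ["cookies", "scripting", "storage", "proxy"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}
NARROW = {"manifest_version": 3, "name": "Example notes", "version": "1.0",
          "permissions": ["storage"], "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    for m in (SUSPICIOUS, NARROW):
        print(m["name"], "->", audit_manifest(m) or "no findings")
```

To audit real extensions, pass the result of `json.load()` for each manifest.json found under the browser profile's Extensions directory.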
Deceptive Tactics Used by Attackers

The sophistication of this campaign extends beyond the malware itself to include several deceptive tactics:

Impersonation of Legitimate Services

The researchers identified several lure websites designed to impersonate trusted services, including:

- DeepSeek (AI assistant)
- Manus (AI tool)
- DeBank (Financial service)
- FortiVPN (Virtual Private Network)
- Site Stats (Analytics tool)

These fake sites are professionally designed to appear legitimate, often mimicking the branding and user interface of the services they impersonate.

Advanced Technical Evasion

The Fake Chrome Extensions employ technical tricks to evade detection, including:

- Using the “onreset” event handler on temporary DOM elements to execute malicious code, likely attempting to bypass content security policies
- Setting up WebSocket connections to act as network proxies for routing traffic through attacker-controlled servers
- Fetching arbitrary scripts from remote servers to update functionality without requiring new extension versions

Review Manipulation

Perhaps most concerning is evidence that the attackers are manipulating extension ratings to maintain high scores in the Chrome Web Store. DomainTools researchers discovered that some extensions, like those impersonating DeepSeek, redirected users providing low ratings (1-3 stars) to a private feedback form, while sending users with positive ratings (4-5 stars) to the official Chrome Web Store review page.

Impact on Users and Businesses

The potential impact of this campaign is substantial, affecti
