Malicious Browser Extensions Hijack AI Chat Conversations in Large-Scale Data Theft Scheme
Two browser extensions "Smart Adblocker" and "Adblock for Browser" were discovered secretly harvesting private conversations from users of ChatGPT, Claude, Gemini, and five other major AI platforms. The extensions, installed by approximately 90,000 users, provided legitimate ad-blocking functionality while covertly exfiltrating sensitive chat data in the background.
Dubbed PromptSnatcher by researchers at MalExt Sentry, the operation was far more sophisticated than typical data-logging malware. The extensions captured full conversation histories, identified the AI model in use, and even determined whether users were on paid subscription tiers. The precision of the data collection pointed to a well-funded operation with clear commercial motives, likely aimed at reselling the stolen information or building detailed user profiles.
The extensions shared identical backend infrastructure, including a hidden communication protocol (LDP_MESSAGE) and a core malicious script (shared-page-capture.js), which intercepted all network traffic by patching critical browser functions like fetch, XMLHttpRequest, and WebSocket. Captured data including prompts (up to 10,000 characters) and responses (up to 30,000 characters) was transmitted to operator-controlled servers, accompanied by metadata such as device IDs, platform names, conversation IDs, AI models, subscription tiers, and timestamps.
The attack targeted eight AI platforms: ChatGPT, Gemini, Claude, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. Notably, Meta AI was not listed in the static extension code but was actively targeted via a remote configuration server, allowing the operator to expand the attack surface without requiring updates.
A particularly alarming aspect of the campaign was its deception on Firefox, where the extensions’ manifests falsely declared data_collection_permissions: none a direct contradiction to their actual behavior. The Chrome versions, while equally malicious, did not include this misleading claim. Both extensions used vague language like "Enhanced Protection" during installation, obscuring their true purpose from users.
The discovery was traced back to an automated scanner that flagged a recurring Google Tag Manager ID across multiple extensions, revealing a broader network of malicious activity. Despite being published under different names and domains, the two extensions were effectively the same tool, deployed in a tactic known as split deployment to maximize reach while minimizing the risk of a single takedown disrupting the entire campaign.
Indicators of compromise (IoCs) include the extension IDs, command-and-control (C2) domains (smartadblocker[.]com, abforbrowser[.]com), and the shared-page-capture.js script. The operation’s internal identifier, Panel 231, further links the two extensions to a coordinated effort. Users who installed either extension are advised to remove them immediately and review their AI account security.
Source: https://cybersecuritynews.com/promptsnatcher-ad-blocker-extensions-steal-ai-chats/
Anthropic TPRM report: https://www.rankiteo.com/company/anthropicresearch
"id": "ant1781526488",
"linkid": "anthropicresearch",
"type": "Breach",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Users with malicious extensions '
'installed',
'industry': 'Technology/AI',
'name': 'ChatGPT',
'type': 'AI Platform'},
{'customers_affected': 'Users with malicious extensions '
'installed',
'industry': 'Technology/AI',
'name': 'Claude',
'type': 'AI Platform'},
{'customers_affected': 'Users with malicious extensions '
'installed',
'industry': 'Technology/AI',
'name': 'Gemini',
'type': 'AI Platform'},
{'customers_affected': 'Users with malicious extensions '
'installed',
'industry': 'Technology/AI',
'name': 'Copilot',
'type': 'AI Platform'},
{'customers_affected': 'Users with malicious extensions '
'installed',
'industry': 'Technology/AI',
'name': 'Perplexity',
'type': 'AI Platform'},
{'customers_affected': 'Users with malicious extensions '
'installed',
'industry': 'Technology/AI',
'name': 'DeepSeek',
'type': 'AI Platform'},
{'customers_affected': 'Users with malicious extensions '
'installed',
'industry': 'Technology/AI',
'name': 'Grok',
'type': 'AI Platform'},
{'customers_affected': 'Users with malicious extensions '
'installed',
'industry': 'Technology/AI',
'name': 'Meta AI',
'type': 'AI Platform'},
{'customers_affected': 'Approximately 90,000 users',
'industry': 'Software',
'name': 'Smart Adblocker',
'type': 'Browser Extension'},
{'customers_affected': 'Approximately 90,000 users',
'industry': 'Software',
'name': 'Adblock for Browser',
'type': 'Browser Extension'}],
'attack_vector': 'Malicious Browser Extensions',
'customer_advisories': 'Users advised to remove the extensions and review '
'account security',
'data_breach': {'data_exfiltration': 'Yes (transmitted to operator-controlled '
'servers)',
'personally_identifiable_information': 'Potentially (device '
'IDs, conversation '
'metadata)',
'sensitivity_of_data': 'High (private conversations, '
'potentially sensitive or proprietary '
'information)',
'type_of_data_compromised': 'AI chat conversations, prompts, '
'responses, metadata (device IDs, '
'platform names, conversation '
'IDs, AI models, subscription '
'tiers, timestamps)'},
'description': "Two browser extensions 'Smart Adblocker' and 'Adblock for "
"Browser' were discovered secretly harvesting private "
'conversations from users of ChatGPT, Claude, Gemini, and five '
'other major AI platforms. The extensions, installed by '
'approximately 90,000 users, provided legitimate ad-blocking '
'functionality while covertly exfiltrating sensitive chat data '
'in the background. The operation, dubbed PromptSnatcher, '
'captured full conversation histories, AI model details, and '
'subscription tiers, transmitting the data to '
'operator-controlled servers.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to AI '
'platforms and extension developers',
'data_compromised': 'Full conversation histories, prompts (up to '
'10,000 characters), responses (up to 30,000 '
'characters), metadata (device IDs, platform '
'names, conversation IDs, AI models, '
'subscription tiers, timestamps)',
'identity_theft_risk': 'High (exposure of sensitive chat data and '
'metadata)',
'systems_affected': 'User browsers with malicious extensions '
'installed'},
'initial_access_broker': {'backdoors_established': 'Network traffic '
'interception via patched '
'browser functions (fetch, '
'XMLHttpRequest, '
'WebSocket)',
'data_sold_on_dark_web': 'Likely (commercially '
'motivated operation)',
'entry_point': 'Malicious browser extensions',
'high_value_targets': 'AI platforms (ChatGPT, '
'Claude, Gemini, etc.), paid '
'subscription users'},
'investigation_status': 'Discovered and reported',
'motivation': 'Reselling stolen data or building detailed user profiles',
'post_incident_analysis': {'corrective_actions': 'Remove extensions, review '
'account security, enhance '
'monitoring for unauthorized '
'data access',
'root_causes': 'Malicious browser extensions with '
'hidden data exfiltration '
'capabilities, deceptive '
'installation practices, and remote '
'configuration updates'},
'recommendations': 'Users should remove the malicious extensions immediately, '
'review AI account security, and monitor for suspicious '
'activity. AI platforms should enhance monitoring for '
'unauthorized data access via browser extensions.',
'references': [{'source': 'MalExt Sentry'}],
'response': {'containment_measures': 'Users advised to remove the extensions '
'immediately',
'remediation_measures': 'Review AI account security, monitor for '
'suspicious activity',
'third_party_assistance': 'MalExt Sentry (researchers)'},
'threat_actor': 'Unknown (well-funded operation, likely commercially '
'motivated)',
'title': 'Malicious Browser Extensions Hijack AI Chat Conversations in '
'Large-Scale Data Theft Scheme',
'type': 'Data Theft',
'vulnerability_exploited': 'Browser extension permissions and network traffic '
'interception'}