Fake crypto wallet extensions: how to check your browser for the homoglyph seed-phrase trap
A fake imToken Chrome extension posed as a color picker and phished seed phrases using invisible homoglyphs. Here's how to check your extensions and stay safe.
Here's a fun one: an extension that swears it's a "hex color visualizer" quietly tries to walk off with your entire crypto wallet. No exploit, no zero-day, no fancy malware. Just a lookalike name and a phishing page. And it sat live on the Chrome Web Store for weeks.
I want to walk you through this one because it's a near-perfect example of how the cheapest tricks still work — and because the specific trick it used, mixed-script homoglyphs, is basically invisible to the naked eye. If you hold any crypto in a browser wallet, this is the kind of thing that ruins your month.
What actually happened
In March 2026, Socket's Threat Research Team published a breakdown of a Chrome extension they caught impersonating imToken, a well-known crypto wallet brand. The extension was listed as a harmless color tool, but its real job was seed-phrase theft, according to Socket's write-up.
The listing called itself "lmToken Chromophore" (extension ID bbhaganppipihlhjgaaeeeefbaoihcgi). Read that name again. It looks like "imToken" if you're skimming — which you are, because everybody skims. That's the whole point.
The moment you installed it, the extension opened a tab pointing at an attacker-controlled site. Then it did it again every time you clicked the icon. So you never even got the "color picker" you thought you installed — you got funneled straight to a phishing page.
According to Socket, the destination URL wasn't even hardcoded in a way you could easily spot. The extension pulled it from a remote endpoint (a JSONKeeper URL) at runtime, then opened a lookalike Chrome Web Store domain — chroomewedbstorre-detail-extension[.]com — to make the whole thing feel official. Fetching the target remotely means the attacker can swap it out later without shipping an update, which also helps dodge automated review.
The homoglyph trick, in plain terms
Here's the part that makes this nasty. The phishing page's title reads "imToken" — except the letters aren't the letters you think they are.
Socket found the page used mixed-script Unicode homoglyphs: the "i" was a Cyrillic character, the "T" was a Greek one, the "o" was Cyrillic again. Same trick appeared in the "Seed-Phrase" wording, where the "e" characters were Cyrillic. To your eyes, it's the imToken brand. To a computer, it's a totally different string that no brand filter will flag.
This is why "just look carefully" is bad advice. You can stare at іmТоken and imToken side by side and not see a difference, because there isn't a visible one — the difference is in the underlying character codes. Humans read shapes. Attackers exploit that gap.
Once you're on the fake page, it does the obvious thing: it shows a convincing wallet import flow and asks for your 12- or 24-word recovery phrase or your private key. Hand that over and it's game over — whoever controls the seed phrase controls the wallet. Socket notes that after capturing your secret, the page even redirects you to the real imToken site so nothing feels wrong.
For the record: imToken's own team has stated the wallet is only available as a mobile app and that they have never released any Chrome extension at all. So every single "imToken" browser extension is, by definition, not imToken.
The uncomfortable part: it barely needed permission to do this
Notice what's missing from this attack. There's no "read and change all your data on all websites." No keylogger buried in obfuscated JavaScript. No exploit against Chrome itself. The extension's whole job was to open a tab — something almost any extension can do — and let a phishing page do the actual stealing.
That's the uncomfortable lesson security researchers keep repeating: a browser extension doesn't need scary permissions to hurt you. Once it can open a page and you trust it, the rest is social engineering. Pulling the phishing URL from a remote server at runtime made it worse — the malicious destination isn't sitting in the extension for a scanner to catch. The listing ships clean-ish, then reaches out for its real instructions after it's already on your machine.
This is also why the small footprint isn't reassuring. Socket reports the listing had just 39 users, and that's the point — small campaigns are a feature, not a bug. A listing with a few dozen installs doesn't trip the alarms a viral extension would, and it can quietly rotate targets through that remote config. Attackers don't need millions of victims when a single drained wallet can be worth a fortune.
And then there's the timing gap. Socket disclosed this, and the extension reportedly stayed live for days afterward. Google's takedown process is reactive by design — something has to be reported and reviewed before it's pulled. In the window between "researcher finds it" and "Google removes it," the listing is still out there collecting victims.
I've written before about how this same pattern shows up in the phishing-kit economy — the Stanley malware-as-a-service kit literally sold "guaranteed" store publication. Fake wallet extensions aren't lone hackers getting lucky. They're a repeatable, commercialized playbook, and the imToken clone is just one clean example of it in the wild.
Why this matters for you
You might be thinking this only hits people who go looking for sketchy tools. Not really. This extension had a boring, useful-sounding cover story — a color picker. Plenty of legit extensions are exactly that boring. The disguise is the innovation.
The bigger issue is that the Chrome Web Store's review process isn't a guarantee. Google runs automated scanning and, in some cases, manual review, but their own review-process docs are upfront that some extensions change behavior after publication or pull instructions from a remote server — exactly what this one did. A listing being "in the store" is not the same as it being safe.
This also isn't a one-off. Fake and hijacked extensions targeting crypto users are a whole genre now. I dug into the broader wallet-extension threat landscape in my crypto wallet extensions security review, and the ownership-transfer angle — where a legit extension goes bad after it changes hands — in this piece on supply-chain takeovers. The imToken case is a different flavor of the same problem: your trust in a familiar name gets weaponized.
How to protect yourself
Good news: the defenses here are simple and mostly about habit. You don't need to be a security researcher.
1. Never type a seed phrase into anything a browser opened for you. This is the big one. Your recovery phrase goes into your actual wallet during setup — never into a random page an extension popped up, never into a "re-import" or "verify" flow you didn't start yourself. A real wallet never needs you to re-enter it after that. If a page asks, close it.
2. Verify the publisher, not the name. Before installing anything wallet-related, check who actually published it and whether the brand offers a browser extension at all. imToken doesn't — so any imToken extension is fake on its face. Two minutes of checking the official site beats a drained wallet.
3. Treat "harmless utility" extensions with the same suspicion as anything else. A color picker, a PDF tool, a QR generator — these are the disguises attackers reach for precisely because they sound safe. Cover story is not a security rating.
4. Report and remove. If you spot a fake, you can flag it right from the listing — Google documents the reporting flow on their Chrome Web Store Help page. Then remove it from your browser immediately. Malicious extensions with big install counts get pulled all the time once flagged, as BleepingComputer's ongoing coverage shows — but "eventually" is not "before it hit you."
5. Use a hardware wallet for anything meaningful. If your keys live on a device that never exposes the seed phrase to the browser, a phishing page has nothing to steal. For serious balances, this is the single biggest upgrade you can make.
How Extenshi helps
This is exactly the gap Extenshi exists to close. You shouldn't have to eyeball Unicode characters to figure out whether an extension is impersonating a brand.
Extenshi catalogs extensions across Chrome, Firefox, and Edge and flags the signals humans miss — suspicious name patterns, permission footprints that don't match the stated purpose, remote-config behavior, and publisher mismatches. Instead of trusting a listing because it looks fine, you get a security read on what the extension actually does. You can browse the catalog or search for a specific tool before you install it via the catalog search.
If you're not sure what's already living in your browser right now, that's the place to start — most people have a few extensions they don't even remember installing.
Check your extensions → catalog.extenshi.io/scan
Sources
- Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects — Socket
- Malicious imToken Chrome Extension Caught Stealing Mnemonics and Private Keys — CyberSecurity News
- Chrome Web Store review process — Chrome for Developers
- Flag issues & report copyright infringement — Chrome Web Store Help
- Malicious Chrome extensions with 1.7M installs found on Web Store — BleepingComputer
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
Crypto wallet extensions reviewed: MetaMask, Phantom & Trust Wallet security analysis
Torg Grabber targets 728 crypto wallet browser extensions. Here's how MetaMask, Phantom, and Trust Wallet hold up on security and what to watch for.
Extension ownership transfers: how to protect yourself when your add-on changes hands
QuickLens was hijacked via ownership transfer to push ClickFix attacks and crypto-stealing malware. Here's how to check your extensions are still safe.
Chrome Web Store bypass for sale: how to protect your extensions from MaaS phishing kits
Stanley MaaS sold guaranteed Chrome Web Store bypass for $6,000. Here's how phishing extensions evade Google's review and how to protect yourself.