Socket's Threat Research Team discovered a malicious Chrome extension impersonating imToken, a popular non-custodial crypto wallet. The extension, listed as a hex color visualizer, automatically redirects victims to a threat-actor-controlled phishing site upon installation. The site uses mixed-script Unicode homoglyphs to mimic imToken's branding and tricks users into entering their 12- or 24-word seed phrases or private keys. The attack chain includes a convincing password setup screen and a final redirect to the legitimate imToken site to reduce suspicion after the credentials are stolen. The extension had 39 weekly active users and remained live at the time of writing. Defenders are advised to restrict browser extension installs, verify wallet software against official channels, and treat any wallet whose secrets were entered on a phishing page as fully compromised.
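A defender-side check for the mixed-script homoglyph trick described above, added here as an example and not Socket's code: it flags text or hostname labels whose letters collapse to the brand name only after confusable substitution. The confusable table is a small assumed subset of the Unicode confusables data, and every sample string is constructed for illustration.

```python
import unicodedata

# Subset of Unicode confusables: lowercase non-Latin letters that render
# like Latin ones. Assumed for illustration, not the full UTS #39 table.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "і": "i", "ј": "j", "ѕ": "s", "к": "k", "т": "t",   # Cyrillic
    "ο": "o", "ν": "v", "ι": "i", "κ": "k",              # Greek
}

def script_of(ch):
    """Coarse script from the first word of the Unicode name ('LATIN', 'CYRILLIC', ...)."""
    return unicodedata.name(ch, "").split(" ", 1)[0]

def scripts_in(text):
    """Scripts used by the letters of text; digits and punctuation are ignored."""
    norm = unicodedata.normalize("NFKC", text)
    return {script_of(c) for c in norm if c.isalpha() and script_of(c)}

def mixed_script(text):
    """True when letters from more than one script are mixed, as on the phishing site."""
    return len(scripts_in(text)) > 1

def skeleton(text):
    """Normalise, lowercase and swap confusables so lookalikes collapse to ASCII."""
    norm = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(c, c) for c in norm)

def homoglyph_lookalike(text, brand="imToken"):
    """True when the skeleton contains the brand but at least one letter was substituted."""
    sk = skeleton(text)
    plain = unicodedata.normalize("NFKC", text).lower()
    return brand.lower() in sk and sk != plain

def flagged_labels(hostname, brand="imToken"):
    """Hostname labels (punycode decoded) that look like the brand, with a mixed-script flag."""
    hits = []
    for label in hostname.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        if homoglyph_lookalike(label, brand):
            hits.append((label, mixed_script(label)))
    return hits
```

The genuine all-Latin "imToken" is never flagged, because no substitution is needed to reach its skeleton; only strings that rely on lookalike letters trip the check.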
Table of contents
This Chrome Extension Was Never About Color
How the Phishing Workflow Unfolds
Outlook and Recommendations
Indicators of Compromise (IoCs)
MITRE ATT&CK