Fake AI Chrome Extensions Caught Stealing Emails and Credentials from 300,000 Users

A coordinated campaign abused the AI boom to slip data-harvesting tools into everyday browsing.

Marketplace Exposure

Researchers from LayerX uncovered a cluster of 30 malicious Chrome extensions that posed as helpful AI assistants. Together, they reached more than 300,000 installations.

The investigators named the operation AiFrame. Every extension communicated with infrastructure under a single domain, revealing centralized control.

While some listings have disappeared, others remained available at the time of analysis and still counted tens of thousands of users.

Familiar Names, Hidden Intent

Several extensions copied the branding of popular AI services. Examples included variations referencing Gemini and ChatGPT.

Despite the marketing, the plugins did not run AI locally. Instead, they loaded remote content inside an invisible or full-screen frame. This design allowed operators to change behavior instantly without submitting a new version for store review.

What the Extensions Secretly Did

Behind the interface, the add-ons extracted data from every page a user visited. They relied on content parsing libraries to read visible information directly from the browser.

In many cases, this included:

  • Login pages
  • Authentication flows
  • Personal messages
  • Sensitive business data

Because the activity occurred inside the browser, network and endpoint tools often saw legitimate sessions rather than theft.

Gmail Became a Prime Target

LayerX discovered that half of the extensions deployed specialized logic for Gmail. The malicious scripts activated as soon as the mailbox loaded.

They read message bodies, scraped entire threads, and captured drafts. When users triggered AI-style features such as summaries or reply suggestions, the data traveled to attacker-controlled servers outside Google’s security boundary.

Even Audio Could Leak

Some variants supported remote voice capture. By leveraging browser speech APIs, the extensions could transcribe conversations and forward them to operators, depending on granted permissions.

This feature dramatically expanded surveillance potential.

Shared Code, Shared Infrastructure

Researchers confirmed that all 30 extensions reused identical structures, permissions, and backend services. This consistency indicates a single organized campaign rather than unrelated developers.

Centralized control also means attackers can pivot functionality quickly, moving from data collection to credential abuse or session hijacking.

Why This Attack Model Works

Users trust official marketplaces. They also trust brands associated with productivity and AI.

By combining those two elements, attackers bypass skepticism. Victims willingly install surveillance tools that operate with high privileges.

What Users and Organizations Should Do

Anyone who installed suspicious AI-themed extensions should remove them immediately. Password resets and session revocation are critical next steps.

Security teams should also monitor:

  • Abnormal authentication activity
  • Token reuse
  • Unexpected API calls from user sessions

Browser governance is becoming just as important as endpoint control.
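As an added illustration of what browser governance can look like in practice (example code, not from LayerX or the article), the script below inspects extension manifests for the access pattern described above: page-reading scripts on every site, explicit Gmail matches, and sensitive permissions combined with that broad reach. The manifest shown is constructed, and the `scan_profile` helper assumes the standard Chrome layout of `Extensions/<id>/<version>/manifest.json`.

```python
import json
from pathlib import Path

# Host patterns that match every site a user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Capabilities that turn page access into exfiltration or session abuse.
SENSITIVE_PERMS = {"scripting", "webRequest", "cookies", "tabs", "clipboardRead", "history"}

def host_patterns(manifest: dict) -> set[str]:
    """Collect host match patterns from MV2 ("permissions") and MV3 fields."""
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    hosts.update(p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>")
    return hosts

def risk_findings(manifest: dict) -> list[str]:
    """Return reasons the manifest deserves review; an empty list means nothing was flagged."""
    findings = []
    hosts = host_patterns(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    if broad:
        findings.append("content scripts or host access on every site")
    if any("mail.google.com" in h for h in hosts):
        findings.append("explicit access to Gmail")
    risky = set(manifest.get("permissions", [])) & SENSITIVE_PERMS
    if broad and risky:
        findings.append("broad access combined with: " + ", ".join(sorted(risky)))
    return findings

def scan_profile(profile_dir: str) -> dict[str, list[str]]:
    """Walk a Chrome profile's Extensions folder and report flagged extension IDs (assumed layout)."""
    report = {}
    for manifest_path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            findings = risk_findings(json.load(fh))
        if findings:
            report[manifest_path.parent.parent.name] = findings
    return report

# Constructed manifest mirroring the access pattern described in the article; not a real extension.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example AI Assistant (constructed)",
    "permissions": ["storage", "scripting", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>", "https://mail.google.com/*"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    for line in risk_findings(SAMPLE_MANIFEST):
        print("-", line)
```

Broad host access alone is common in legitimate tools, so treat the findings as a triage queue for the security team rather than an automatic verdict.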

Bigger Than One Campaign

AiFrame reflects a growing reality. Threat actors increasingly weaponize excitement around AI to distribute spyware at scale.

The browser has become the new operating system. Attackers know it, and they are building accordingly.