Malicious Chrome Extensions Steal Browsing History from

A massive data exfiltration operation has been uncovered, impacting approximately 37.4 million users worldwide. The campaign utilized 287 malicious Chrome extensions to secretly steal browsing history.

According to research with alias qcontinuum1, the discovery represents roughly one percent of the global Chrome user base, highlighting a significant privacy breach affecting millions of internet users.​

An automated scanning system using Docker containers and a man-in-the-middle proxy to detect suspicious network activity.

The system monitors outbound traffic from extensions and determines whether data transmission correlates with URL length, a key indicator of exfiltrated browsing history.​

The malicious extensions employ various obfuscation techniques to hide their activities.

Some use ROT47 encoding, while others implement AES-256 encryption with RSA key pairs to encrypt browsing data before sending it to remote servers.

Popular extensions like “Poper Blocker,” “Stylish,” and “BlockSite” were identified among the offenders.​ The investigation revealed several data brokers collecting user information.

Similarweb, a prominent web analytics company, operates multiple extensions, including its official “Website Traffic & SEO Checker,” which has one million users.

The research also identified “Big Star Labs,” believed to be affiliated with Similarweb, controlling extensions affecting 3.7 million users.​

Other actors include Curly Doggo with 1.2 million affected users, Offidocs with 1.7 million users, and various Chinese entities. Even legitimate security tools like Avast Online Security, with six million installations, were flagged for data collection.​

Privacy Implications

The exfiltrated browsing data poses serious risks beyond targeted advertising.

Corporate espionage becomes possible when employees install seemingly innocent productivity extensions that capture internal URLs, intranet addresses, and SaaS dashboard links.

URLs often contain personal identifiers, enabling malicious actors to target specific individuals.​ Researchers set up honeypot traps and detected third-party scrapers actively collecting the stolen data.

Multiple IP addresses associated with companies like Kontera repeatedly accessed these honeypots, suggesting a broader ecosystem monetizing user browsing histories.​

Users should immediately review installed Chrome extensions and remove those listed in the research report. The Chrome Web Store hosts approximately 240,000 extensions, making manual verification challenging.

Based on qcontinuum1 advisory guidance, security experts recommend installing only open-source extensions that can be reviewed and carefully checking permission requests before installing them.

The research team deliberately withheld specific technical details to prevent attackers from adapting their methods more quickly.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.