Malicious Chrome Extension Steals ChatGPT Conversations
Key Takeaways
- A malicious Google Chrome extension, “ChatGPT Ad Blocker,” has been identified stealing user conversations from OpenAI’s ChatGPT.
- The extension masquerades as an ad blocker but secretly exfiltrates chat data, including prompts and conversation history, to a private Discord channel.
- The attacker can change the extension’s behavior remotely: the extension retrieves a remote configuration file every hour and bypasses the browser cache when doing so.
- The developer alias “krittinkalra,” linked to the extension, shows suspicious activity patterns and connections to AI services AI4ChatCo and Writecream.
Malicious Chrome Extension Exploits ChatGPT Ad Rollout to Steal User Data
Cybersecurity researchers have uncovered a deceptive Google Chrome extension, “ChatGPT Ad Blocker,” that capitalizes on OpenAI’s recent introduction of advertisements to its free ChatGPT tier. This malicious tool, designed to appear as a utility for hiding unwanted ads, is actively harvesting users’ private conversations and sending them to a hidden Discord channel.
How the Data Theft Operates
Upon installation from the Chrome Web Store, the extension establishes a covert monitoring system. It sets an hourly alarm to retrieve a remote configuration file from a GitHub repository. Crucially, each retrieval bypasses the browser’s cache, so the attacker can alter the extension’s behavior at any moment without the user’s knowledge or consent.
DomainTools researchers discovered that the advertised ad-blocking functionalities of the extension are entirely non-operational. Instead, when a user navigates to the ChatGPT website, the extension injects a malicious script. This script clones the entire page, removes styling, and surreptitiously captures all text content. The stolen chat data is then packaged into a file named page_dump.html and transmitted to a private Discord webhook managed by a bot identified as “Captain Hook.” This method ensures that the attacker instantly receives user prompts, complete conversation histories, and account metadata.
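The behaviors described above translate into a static triage check that can be run over an unpacked extension's manifest and JavaScript files. This is an added example, not code from DomainTools or from the extension itself; the regexes, function names, and the sample manifest and source fragments are constructed assumptions about how such code typically looks.

```python
import re

# Indicators derived from the behavior the article describes. The regexes are
# assumptions about typical code, not the extension's actual source.
INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "github_remote_config": re.compile(r"(?:raw\.githubusercontent\.com|api\.github\.com/repos)/", re.I),
    "cache_bypass_fetch": re.compile(r"cache\s*:\s*[\"'](?:no-store|reload|no-cache)[\"']"),
    "periodic_alarm": re.compile(r"chrome\.alarms\.create\s*\("),
    "full_page_clone": re.compile(r"document(?:\.documentElement)?\.cloneNode\s*\(\s*true\s*\)"),
    "page_dump_filename": re.compile(r"page_dump\.html"),
}
CHAT_HOSTS = ("chatgpt.com", "chat.openai.com")
ALL_URLS = ("<all_urls>", "*://*/*", "https://*/*")

# Constructed sample input (not the real extension): manifest plus source fragments.
SAMPLE_MANIFEST = {
    "permissions": ["alarms", "storage"],
    "host_permissions": ["https://chatgpt.com/*"],
    "content_scripts": [{"matches": ["https://chatgpt.com/*"], "js": ["content.js"]}],
}
SAMPLE_SOURCES = {
    "background.js": 'chrome.alarms.create("cfg", {periodInMinutes: 60});\n'
                     'fetch(CONFIG_URL, {cache: "no-store"});',
    "content.js": 'const copy = document.documentElement.cloneNode(true);\n'
                  'const HOOK = "https://discord.com/api/webhooks/<id>/<token>";',
}

def audit_extension(manifest, sources):
    """Return sorted indicator names found in a parsed manifest and JS sources."""
    hits = set()
    # MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
    patterns = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    for cs in manifest.get("content_scripts", []):
        patterns = patterns + cs.get("matches", [])
    if any(p in ALL_URLS or any(h in p for h in CHAT_HOSTS) for p in patterns):
        hits.add("runs_on_chatgpt")
    if "alarms" in manifest.get("permissions", []):
        hits.add("alarms_permission")
    for text in sources.values():
        hits |= {name for name, rx in INDICATORS.items() if rx.search(text)}
    return sorted(hits)

def verdict(hits):
    """'high' when the extension can read ChatGPT pages and carries an exfil marker."""
    exfil = {"discord_webhook", "page_dump_filename"} & set(hits)
    if "runs_on_chatgpt" in hits and exfil:
        return "high"
    return "review" if hits else "clean"
```

A "review" result is expected for many legitimate extensions, since alarms and remote configuration are common on their own; it is the combination with ChatGPT page access and a webhook destination that matches the reported behavior.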
Suspicious Developer Activity and Affiliations
The malicious extension is linked to a developer alias, “krittinkalra,” associated with a GitHub account established around 2014. An analysis of the account’s history reveals a highly suspicious timeline, suggesting a potential compromise or sale of the profile. The account primarily focused on Android kernel development until 2020, then remained dormant for over five years before abruptly reappearing with a shift to creating JavaScript-based malware.
Furthermore, this developer persona is publicly connected to two active AI services: AI4ChatCo and Writecream. These platforms claim to serve millions of users by offering chatbot integration and automated marketing content. The discovery of this data-harvesting Chrome extension, detailed in a report by DomainTools, raises significant concerns about the potential for similar data theft across related applications and services.
What You Should Do
- Exercise extreme caution with browser extensions that promise ad-blocking capabilities on high-value websites like ChatGPT, and thoroughly review all requested permissions.
- Consider affiliated platforms such as AI4ChatCo and Writecream as potentially compromised until comprehensive security audits can verify their integrity.
- Avoid using third-party AI intermediaries, resellers, or browser add-ons that could intercept or modify private conversations without your knowledge.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


