Two browser extensions masquerading as ad blockers have been caught secretly recording private conversations from ChatGPT, Claude, Gemini, and five other major AI platforms.
The extensions, named “Smart Adblocker” and “Adblock for Browser,” were installed by roughly 90,000 users before the scheme was uncovered.
Users genuinely received ad-blocking functionality while their most sensitive AI conversations were being quietly siphoned off entirely in the background.
The operation, tracked internally as “Panel 231” and named PromptSnatcher by researchers, goes well beyond simple data logging.
The extensions were engineered to capture full conversation histories, identify which AI model a user was talking to, and even detect whether that user was on a paid subscription tier.
The precision of this collection suggests a well-resourced operation with a clear commercial motive behind the stolen data.
Analysts at MalExt Sentry, who identified and documented the threat in a report shared with Cyber Security News (CSN), traced the discovery back to an automated scanner that flagged a recurring Google Tag Manager ID across multiple extensions.
What looked like a minor overlap in filter rules turned out to be the first thread in a much larger web, connecting two seemingly unrelated extensions to the same hidden data collection engine.
The two extensions shared identical back-end code, infrastructure, and an internal communication protocol called LDP_MESSAGE. Despite being published under different names and pointing to different domains, they were effectively the same tool built by the same operator.
This kind of split deployment is a known tactic for increasing reach while reducing the chances of a single takedown wiping out the entire campaign.
What made PromptSnatcher particularly hard to detect was its use of real, publicly available ad-blocking filter lists like EasyList. This gave the extensions genuine, working functionality that would easily pass casual inspection.
The hidden telemetry engine was kept completely separate from the ad-blocking components, making the malicious layer hard to spot without deep code analysis.
PromptSnatcher Ad Blocker Extensions Steal AI Chats
The core of the attack is a script called shared-page-capture.js, injected directly into the active web page. Once in place, it intercepts all network traffic by patching the global fetch, XMLHttpRequest, and WebSocket functions.
This means every message sent to or received from an AI chatbot passed through the malicious code before reaching the user’s screen.
Captured conversations were buffered, with prompts stored up to 10,000 characters and responses up to 30,000 characters, before being sent to operator-controlled servers.
Each transmission included a unique device ID, the platform name, the conversation ID, the AI model, the user’s subscription tier, and a timestamp. This level of detail suggests the stolen data was intended for resale or for building detailed profiles of AI users.
The attack covered eight platforms: ChatGPT, Gemini, Claude, Copilot, Perplexity, DeepSeek, Grok, and Meta AI.
The operator could add new targets remotely through a configuration server, without pushing any extension update. Meta AI was not even listed in the static extension code but was already active in the live remote configuration.
The Disclosure Gap That Made It Worse
One of the most striking findings concerns the Firefox versions of both extensions. Their manifests explicitly declared data_collection_permissions: none, formally telling users and Mozilla that no data collection was taking place.
Yet the underlying code was functionally identical to the Chrome versions, which performed full conversation capture.
This is a direct contradiction between what the extensions claimed to do and what they actually did, affecting users who trusted the Firefox review process.
The onboarding flow also used vague “Enhanced Protection” language, with no mention that AI conversations were being recorded. Users who believed they were simply installing an ad blocker had no reasonable way to know what was really happening.
Anyone with either extension installed should remove it immediately and consider rotating AI account credentials as a precaution. Reviewing recent conversation history on affected platforms for signs of unexpected access is also a sensible step.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Extension ID | iojpcjjdfhlcbjnpngcmaojmlokmeii | Smart Adblocker (Extension A) Chrome ID |
| Extension ID | jcbjcocinigpbgfpnhlpagidbmlngnnn | Adblock for Browser (Extension B) Chrome ID |
| Domain | smartadblocker.com | C2 domain for Extension A |
| Domain | abforbrowser.com | C2 domain for Extension B |
| C2 URL | https://c.smartadblocker.com/configuration | Remote config endpoint for Extension A |
| C2 URL | https://c.smartadblocker.com/captures | Exfiltration endpoint for Extension A |
| C2 URL | https://c.abforbrowser.com/configuration | Remote config endpoint for Extension B |
| C2 URL | https://c.abforbrowser.com/captures | Exfiltration endpoint for Extension B |
| File Name | shared-page-capture.js | Core API-hooking script injected into page MAIN world |
| Internal Protocol | LDP_MESSAGE | Shared internal messaging protocol used by both extensions |
| Partner/Distributor ID | 231 | Shared SDK identifier linking both extensions (Panel 231) |
| Platform Target ID | q7m2xa | ChatGPT capture target ID |
| Platform Target ID | v4n8bk | Gemini capture target ID |
| Platform Target ID | k2f8yu | Claude capture target ID |
| Platform Target ID | z3x7pn | Microsoft Copilot capture target ID |
| Platform Target ID | h9p3td | Perplexity capture target ID |
| Platform Target ID | r6c1lz | DeepSeek capture target ID |
| Platform Target ID | b8j4rs | Grok capture target ID |
| Platform Target ID | m5w9qe | Meta AI capture target ID (remote config only) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
