PromptSnatcher Ad Blocker Extensions Steal AI Chats From ChatGPT, Claude, and Gemini

Two browser extensions masquerading as ad blockers have been caught secretly recording private conversations from ChatGPT, Claude, Gemini, and five other major AI platforms.

The extensions, named “Smart Adblocker” and “Adblock for Browser,” were installed by roughly 90,000 users before the scheme was uncovered.

Users genuinely received ad-blocking functionality while their most sensitive AI conversations were being quietly siphoned off entirely in the background.

The operation, tracked internally as “Panel 231” and named PromptSnatcher by researchers, goes well beyond simple data logging.

The extensions were engineered to capture full conversation histories, identify which AI model a user was talking to, and even detect whether that user was on a paid subscription tier.

The precision of this collection suggests a well-resourced operation with a clear commercial motive behind the stolen data.

Analysts at MalExt Sentry, who identified and documented the threat in a report shared with Cyber Security News (CSN), traced the discovery back to an automated scanner that flagged a recurring Google Tag Manager ID across multiple extensions.

What looked like a minor overlap in filter rules turned out to be the first thread in a much larger web, connecting two seemingly unrelated extensions to the same hidden data collection engine.

The two extensions shared identical back-end code, infrastructure, and an internal communication protocol called LDP_MESSAGE. Despite being published under different names and pointing to different domains, they were effectively the same tool built by the same operator.

This kind of split deployment is a known tactic for increasing reach while reducing the chances of a single takedown wiping out the entire campaign.

What made PromptSnatcher particularly hard to detect was its use of real, publicly available ad-blocking filter lists like EasyList. This gave the extensions genuine, working functionality that would easily pass casual inspection.

The hidden telemetry engine was kept completely separate from the ad-blocking components, making the malicious layer hard to spot without deep code analysis.

The core of the attack is a script called shared-page-capture.js, injected directly into the active web page. Once in place, it intercepts all network traffic by patching the global fetch, XMLHttpRequest, and WebSocket functions.

This means every message sent to or received from an AI chatbot passed through the malicious code before reaching the user’s screen.

Captured conversations were buffered, with prompts stored up to 10,000 characters and responses up to 30,000 characters, before being sent to operator-controlled servers.

Each transmission included a unique device ID, the platform name, the conversation ID, the AI model, the user’s subscription tier, and a timestamp. This level of detail suggests the stolen data was intended for resale or for building detailed profiles of AI users.

The attack covered eight platforms: ChatGPT, Gemini, Claude, Copilot, Perplexity, DeepSeek, Grok, and Meta AI.

The operator could add new targets remotely through a configuration server, without pushing any extension update. Meta AI was not even listed in the static extension code but was already active in the live remote configuration.

The Disclosure Gap That Made It Worse

One of the most striking findings concerns the Firefox versions of both extensions. Their manifests explicitly declared data_collection_permissions: none, formally telling users and Mozilla that no data collection was taking place.

Yet the underlying code was functionally identical to the Chrome versions, which performed full conversation capture.

This is a direct contradiction between what the extensions claimed to do and what they actually did, affecting users who trusted the Firefox review process.

The onboarding flow also used vague “Enhanced Protection” language, with no mention that AI conversations were being recorded. Users who believed they were simply installing an ad blocker had no reasonable way to know what was really happening.

Anyone with either extension installed should remove it immediately and consider rotating AI account credentials as a precaution. Reviewing recent conversation history on affected platforms for signs of unexpected access is also a sensible step.

Indicators of Compromise (IoCs):-

Type	Indicator	Description
Extension ID	iojpcjjdfhlcbjnpngcmaojmlokmeii	Smart Adblocker (Extension A) Chrome ID
Extension ID	jcbjcocinigpbgfpnhlpagidbmlngnnn	Adblock for Browser (Extension B) Chrome ID
Domain	smartadblocker.com	C2 domain for Extension A
Domain	abforbrowser.com	C2 domain for Extension B
C2 URL	https://c.smartadblocker.com/configuration	Remote config endpoint for Extension A
C2 URL	https://c.smartadblocker.com/captures	Exfiltration endpoint for Extension A
C2 URL	https://c.abforbrowser.com/configuration	Remote config endpoint for Extension B
C2 URL	https://c.abforbrowser.com/captures	Exfiltration endpoint for Extension B
File Name	shared-page-capture.js	Core API-hooking script injected into page MAIN world
Internal Protocol	LDP_MESSAGE	Shared internal messaging protocol used by both extensions
Partner/Distributor ID	231	Shared SDK identifier linking both extensions (Panel 231)
Platform Target ID	q7m2xa	ChatGPT capture target ID
Platform Target ID	v4n8bk	Gemini capture target ID
Platform Target ID	k2f8yu	Claude capture target ID
Platform Target ID	z3x7pn	Microsoft Copilot capture target ID
Platform Target ID	h9p3td	Perplexity capture target ID
Platform Target ID	r6c1lz	DeepSeek capture target ID
Platform Target ID	b8j4rs	Grok capture target ID
Platform Target ID	m5w9qe	Meta AI capture target ID (remote config only)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.