VYPR
Breach · Published Jun 15, 2026 · 1 source

PromptSnatcher: Malicious Ad Blocker Extensions Steal AI Chat Data from 90,000 Users

Two Chrome and Firefox extensions posing as ad blockers secretly exfiltrated full conversation histories from eight major AI platforms, affecting roughly 90,000 users.

Two malicious browser extensions masquerading as ad blockers have been caught secretly recording private conversations from ChatGPT, Claude, Gemini, and five other major AI platforms. The extensions, named "Smart Adblocker" and "Adblock for Browser," were installed by roughly 90,000 users before the scheme was uncovered. Users genuinely received ad-blocking functionality while their most sensitive AI conversations were being quietly siphoned off in the background.

The operation, tracked internally as "Panel 231" and named PromptSnatcher by researchers, goes well beyond simple data logging. The extensions were engineered to capture full conversation histories, identify which AI model a user was talking to, and even detect whether that user was on a paid subscription tier. The precision of this collection suggests a well-resourced operation with a clear commercial motive behind the stolen data.

Analysts at MalExt Sentry, who identified and documented the threat in a report shared with Cyber Security News, traced the discovery back to an automated scanner that flagged a recurring Google Tag Manager ID across multiple extensions. What looked like a minor overlap in filter rules turned out to be the first thread in a much larger web, connecting two seemingly unrelated extensions to the same hidden data collection engine. The two extensions shared identical back-end code, infrastructure, and an internal communication protocol called LDP_MESSAGE. Despite being published under different names and pointing to different domains, they were effectively the same tool built by the same operator.

What made PromptSnatcher particularly hard to detect was its use of real, publicly available ad-blocking filter lists like EasyList. This gave the extensions genuine, working functionality that would easily pass casual inspection. The hidden telemetry engine was kept completely separate from the ad-blocking components, making the malicious layer hard to spot without deep code analysis.

The core of the attack is a script called shared-page-capture.js, injected directly into the active web page. Once in place, it intercepts all network traffic by patching the global fetch, XMLHttpRequest, and WebSocket functions. This means every message sent to or received from an AI chatbot passed through the malicious code before reaching the user's screen. Captured conversations were buffered, with prompts stored up to 10,000 characters and responses up to 30,000 characters, before being sent to operator-controlled servers. Each transmission included a unique device ID, the platform name, the conversation ID, the AI model, the user's subscription tier, and a timestamp.
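One way a defender can check a page for the kind of hooking described above, as an added example that is not taken from the MalExt Sentry report or from the extensions' code. It reports which of the three patched interfaces no longer resolve to browser-native functions; the function names and the choice of prototype methods are assumptions made for illustration.

```javascript
// Added example: classify a page's network APIs as native, patched or absent.
const nativeToString = Function.prototype.toString;

// Browser-provided functions stringify with a "[native code]" body;
// a plain JavaScript wrapper stringifies to its own source instead.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
  } catch {
    return false; // e.g. a revoked Proxy
  }
}

// The three interfaces the article names, plus the prototype methods
// a wrapper would commonly sit on (the method list is an assumption).
const TARGETS = [
  ['fetch', (s) => s.fetch],
  ['XMLHttpRequest', (s) => s.XMLHttpRequest],
  ['XMLHttpRequest.prototype.open', (s) => s.XMLHttpRequest?.prototype?.open],
  ['XMLHttpRequest.prototype.send', (s) => s.XMLHttpRequest?.prototype?.send],
  ['WebSocket', (s) => s.WebSocket],
  ['WebSocket.prototype.send', (s) => s.WebSocket?.prototype?.send],
];

// Returns one { name, status } row per target for the given global scope.
function auditNetworkApis(scope) {
  return TARGETS.map(([name, get]) => {
    const fn = get(scope);
    let status = 'patched';
    if (fn === undefined) status = 'absent';
    else if (looksNative(fn)) status = 'native';
    return { name, status };
  });
}

// Convenience: only the names that were replaced by script.
function patchedNames(scope) {
  return auditNetworkApis(scope)
    .filter((row) => row.status === 'patched')
    .map((row) => row.name);
}

// In a browser console, globalThis is the page's window.
console.table(auditNetworkApis(globalThis));
```

A "native" result is not proof of a clean page, because a wrapper can be made to stringify like a built-in. "Patched" rows also appear with legitimate polyfills and monitoring scripts, so treat them as leads to trace back to the extension that injected them.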

The attack covered eight platforms: ChatGPT, Gemini, Claude, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. The operator could add new targets remotely through a configuration server, without pushing any extension update. Meta AI was not even listed in the static extension code but was already active in the live remote configuration.

One of the most striking findings concerns the Firefox versions of both extensions. Their manifests explicitly declared data_collection_permissions: none, formally telling users and Mozilla that no data collection was taking place. Yet the underlying code was functionally identical to the Chrome versions, which performed full conversation capture. This is a direct contradiction between what the extensions claimed to do and what they actually did.

Anyone with either extension installed should remove it immediately and consider rotating AI account credentials as a precaution. Reviewing recent conversation history on affected platforms for signs of unexpected access is also a sensible step. The discovery underscores a growing trend: threat actors are increasingly targeting the rich data streams flowing through AI applications, and browser extensions remain a uniquely powerful vector for intercepting that traffic.

Synthesized by Vypr AI