VYPR Research · Published Jun 15, 2026 · 1 source

SearchJack Campaign Uses 23 Chrome Extensions to Hijack Searches of 758,000 Users

A coordinated campaign of 23 malicious Chrome extensions has hijacked search queries from 758,000 users, routing traffic through affiliate brokers for monetization.

A coordinated campaign of 23 deceptive Chrome browser extensions has been quietly stealing users' search queries and routing them through hidden revenue systems. The operation, now dubbed SearchJack, has affected roughly 758,000 Chrome users worldwide without any of them realizing their searches were being hijacked. Each extension presents itself as a useful tool, from satellite maps to productivity apps, while silently running a different operation in the background.

The way these extensions work is straightforward but difficult to detect. Once installed, they override the browser's default search engine through chrome_settings_overrides, a key in the extension manifest that Chrome provides for exactly this purpose. When a user types a query, it passes through operator-controlled relay servers before landing on a results page. The user sees what looks like a normal search, but every query has already passed through a monetization layer they never agreed to.

Researchers at MalExt Sentry identified the campaign using their automated scanning system, which monitors Chrome extension listings for suspicious activity. According to MalExt Sentry's report shared with Cyber Security News, the scanner specifically flagged extensions abusing the chrome_settings_overrides manifest key to take over search settings. The team traced at least eight distinct affiliate brokers, each identified by a unique tracking parameter in the final Yahoo redirect URL.

What makes SearchJack hard to spot is the gap between what extensions claim and what they actually do. One extension, Nautilus Search, tells users in its store listing that it never tracks searches or collects personal data. Yet the linked privacy policy explicitly discloses collection of IP addresses, search queries, and device identifiers. That is not an oversight. It is a direct false claim, potentially actionable under both GDPR and FTC frameworks.

The scale of this campaign raises concerns beyond misleading store descriptions. Since the operators control where search traffic flows, they can quietly switch from delivering normal results to serving phishing pages or malicious downloads without ever pushing an update to the extension. That ability to escalate harm without touching the code is what elevates SearchJack from adware to a genuine security risk.

The technical backbone of SearchJack is built on a layered redirect system designed to stay completely invisible. Most extensions are what researchers call shell extensions, containing almost nothing beyond the manifest file that sets the new default search engine. There is no background script, no permission request, and no visible signal that anything unusual is happening. The same structural template appears across multiple extensions, with only the domain and icon swapped out. A smaller group adds fake functionality, such as a basic maps viewer or video library, to pass store review and make the install feel legitimate.
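An added triage script (not MalExt Sentry's scanner, and not code from any of the extensions) that turns the two signals described above into checks on a parsed manifest.json: a chrome_settings_overrides search provider whose search URL points at a host outside an allowlist of real engines, and the manifest-only shell shape, where one template is reused with only the host and icon swapped. The allowlist, the sample manifests and the relay hostnames are constructed placeholders.

```python
import json
from urllib.parse import urlparse, urlunparse

# Constructed allowlist of search hosts an extension may plausibly set; extend for your environment.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}
# Manifest keys that show the extension ships actual code or UI rather than settings alone.
CODE_KEYS = ("background", "content_scripts", "action", "browser_action", "page_action")

def triage_manifest(manifest: dict) -> dict:
    """Flag a parsed manifest.json that replaces the default search engine."""
    sp = (manifest.get("chrome_settings_overrides") or {}).get("search_provider") or {}
    host = (urlparse(sp.get("search_url", "")).hostname or "").lower()
    return {
        "overrides_search": bool(sp),
        "search_host": host,
        # Queries would leave for a host outside the allowlist: a relay, not a search engine.
        "suspicious": bool(sp) and host not in KNOWN_SEARCH_HOSTS,
        # Manifest-only extension whose sole effect is rewriting search settings.
        "shell": bool(sp) and not any(k in manifest for k in CODE_KEYS)
                 and not manifest.get("permissions"),
    }

def template_fingerprint(manifest: dict) -> str:
    """Canonical form without the per-extension host, name and icons, so
    extensions stamped from one template collapse to a single fingerprint."""
    sp = dict((manifest.get("chrome_settings_overrides") or {}).get("search_provider") or {})
    for key in ("search_url", "suggest_url", "favicon_url"):
        if key in sp:  # keep path and query (e.g. the affiliate parameter), mask the host
            sp[key] = urlunparse(urlparse(sp[key])._replace(netloc="HOST"))
    for key in ("name", "keyword"):
        sp.pop(key, None)
    skeleton = {"search_provider": sp, "permissions": sorted(manifest.get("permissions", [])),
                "keys": sorted(k for k in manifest if k not in ("name", "description", "icons", "version"))}
    return json.dumps(skeleton, sort_keys=True)

def make_shell(name: str, host: str, icon: str) -> dict:
    """Constructed sample: a manifest-only shell extension; hosts are placeholders."""
    return {"manifest_version": 3, "name": name, "version": "1.0", "icons": {"128": icon},
            "chrome_settings_overrides": {"search_provider": {
                "name": name, "keyword": name.lower(), "encoding": "UTF-8", "is_default": True,
                "search_url": f"https://{host}/s?q={{searchTerms}}&ref=aff01",
                "favicon_url": f"https://{host}/favicon.ico"}}}

SHELL_A = make_shell("Atlas Maps", "relay-a.example.invalid", "atlas.png")
SHELL_B = make_shell("Orbit Search", "relay-b.example.invalid", "orbit.png")
LEGIT = {"manifest_version": 3, "name": "DDG Quick", "version": "2.0", "permissions": ["storage"],
         "background": {"service_worker": "bg.js"}, "chrome_settings_overrides": {"search_provider": {
             "name": "DuckDuckGo", "keyword": "ddg", "search_url": "https://duckduckgo.com/?q={searchTerms}"}}}
```

Running `template_fingerprint` over every unpacked extension and grouping by the result surfaces clusters built from one template even when each listing uses a different name, domain and icon.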

Behind every extension sits a broker holding a revenue-sharing agreement with Yahoo's search affiliate program, collecting a cut each time a user searches. The campaign spans eight such brokers, with the largest block tied to an unidentified operator. Some brokers, like Becovi Ltd based in Dublin, are at least partially traceable. Others have no verifiable identity, making accountability nearly impossible. Researchers recommend enforcement action at the broker level rather than targeting individual extensions, since extensions are disposable but affiliate accounts are not. Users should audit their installed extensions, remove anything unfamiliar, and manually reset their default search engine in Chrome settings.

Synthesized by Vypr AI