A hundred and five thousand Chrome users installed what they thought were anime wallpapers and football-star new-tab pages. What they actually got was a coordinated adware operation running across 152 extensions and 38 publisher accounts, according to Socket’s Threat Research Team. This kind of hidden behavior mirrors other cases of apps secretly tracking users without meaningful disclosure.
Every single listing on the Chrome Web Store claimed zero data collection. Their own privacy policies — buried behind an extra click — told a completely different story.
How the Scheme Actually Worked
Extensions faked organic Google traffic by exploiting Google’s own redirect format against advertisers and affiliate programs.
By auto-opening tabs and routing browsers through URLs stuffed with Google’s own ved and usg tokens, these extensions made fabricated visits look like genuine search clicks. Advertisers and affiliate programs paid premium rates for what appeared to be real human interest. Socket called it “a financially motivated commercial adware and traffic-attribution-fraud affiliate operation.” The tactic echoes how a surveillance app can disguise data collection behind a seemingly legitimate purpose.
Here’s what the extensions actually harvested, per their own privacy policies:
- IP addresses and internet service provider data
- Browser type and device information
- Click counts, referrers, and timestamps
- Data shared with Google AdSense, DoubleClick, and third-party ad partners
Three backend brands — Tab Plugins, Yowgames, and chromewallpaper.com — connected every publisher account through a shared codebase. This wasn’t a loose collection of copycats. It was one coordinated operation. Some versions shipped with broken JavaScript files that should have tripped any reasonable automated review. They passed anyway, which says something about how much vetting the store actually does.
How to Audit, Reset, and Rethink Extension Trust
Removing suspicious extensions and updating passwords are the first steps, but the broader lesson is that “official” doesn’t mean safe.
If you’ve ever installed a wallpaper or theme extension, open Chrome’s three-dot menu, hit Extensions, then Manage Extensions. Remove anything unfamiliar. Restart. If sync is enabled, repeat on every connected device before turning sync back on.
Change passwords for sensitive accounts you accessed while suspect extensions were active — attackers who gain access to password vaults through credential theft can cause lasting damage. This campaign isn’t isolated, either — Socket previously flagged 108 separate extensions tied to shared infrastructure used for session theft and data exfiltration, part of a long pattern of tech scandals that exploit unsuspecting users.
Socket advises being “especially skeptical of extensions wanting access to ‘all websites’ when their functionality does not require it.”
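One way to apply that advice to an installed profile, as an added example that is not Socket's or Google's tooling: the script reads each extension's manifest.json and flags new-tab extensions that also request access to every site. The function names, the sample manifests and the "new-tab override plus all-site access" review rule are assumptions of this example; pass it the Extensions directory of your own Chrome profile.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Manifest keys that can carry host patterns (Manifest V2 and V3).
HOST_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")

def broad_host_access(manifest):
    """List every place a manifest asks for all-site access."""
    found = [f"{key}: {p}" for key in HOST_KEYS
             for p in manifest.get(key, [])
             if isinstance(p, str) and p in BROAD]
    for i, script in enumerate(manifest.get("content_scripts", [])):
        found += [f"content_scripts[{i}].matches: {m}"
                  for m in script.get("matches", []) if m in BROAD]
    return found

def audit(manifest):
    """Flag new-tab overrides that also request all-site access."""
    newtab = "newtab" in manifest.get("chrome_url_overrides", {})
    broad = broad_host_access(manifest)
    return {"name": manifest.get("name", "?"), "overrides_newtab": newtab,
            "broad_access": broad, "review": newtab and bool(broad)}

def audit_profile(extensions_dir):
    """Audit <extensions_dir>/<extension id>/<version>/manifest.json files."""
    results = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            report = audit(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError):
            # An unreadable manifest is itself worth a manual look.
            report = {"name": "?", "review": True, "error": "unreadable manifest"}
        report["id"] = path.parent.parent.name
        results.append(report)
    return results

# Constructed sample manifests, not taken from any real extension.
SAMPLE_WALLPAPER = {"manifest_version": 3, "name": "Sample Wallpaper Tab",
                    "chrome_url_overrides": {"newtab": "tab.html"},
                    "host_permissions": ["<all_urls>"],
                    "permissions": ["storage"]}
SAMPLE_MINIMAL = {"manifest_version": 3, "name": "Sample Plain Tab",
                  "chrome_url_overrides": {"newtab": "tab.html"},
                  "permissions": ["storage"]}

if __name__ == "__main__":
    for sample in (SAMPLE_WALLPAPER, SAMPLE_MINIMAL):
        print(audit(sample))
```

A flagged entry is a prompt to check whether the extension's stated function needs that access, not proof of abuse.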
The Chrome Web Store is official. It is not safe by default. Treat every extension like a stranger asking for your house keys — even the ones dressed up in Jujutsu Kaisen wallpaper. Fewer extensions mean a smaller attack surface. That’s not paranoia. That’s just how browsers work now.




























