That harmless emoji keyboard extension you installed last year? It might have been watching your every click. Security researchers at Koi Security just exposed “RedDirection”, a massive spying campaign that transformed 18 trusted browser extensions into surveillance tools, affecting over 2.3 million unsuspecting users worldwide.
Here’s what makes this attack particularly insidious: these weren’t sketchy extensions from day one. Many started as legitimate tools (VPN services, color pickers, weather apps), complete with verified badges and thousands of glowing reviews. The attackers took their time, waiting months or even years before pushing malicious code through silent automatic updates. An extension with access to your browsing data, cookies, and login tokens can quietly take over your accounts, including accounts on major platforms such as Roblox, Facebook, and Snapchat (the same platforms named in a separate, unrelated breach involving 184 million accounts).
This patient approach allowed attackers to build massive user bases before striking, exploiting the trust users place in extensions that have performed reliably over time.
Your browser dutifully installed these poisoned updates without asking for permission or raising alarms. Chrome and Edge prompt only when an update requests permissions the extension does not already have; an extension that already holds “read and change all your data on websites you visit,” which most users grant without fully understanding the implications, can change its behavior entirely in a routine update. Suddenly, that productivity tool you’d forgotten about became a remote spying threat, reporting every page you visit to attacker-controlled servers.
Even worse, these compromised extensions could redirect you to phishing sites when you click legitimate links—imagine trying to join a Zoom meeting only to land on a malware-infested fake page designed to steal your credentials.
The scope is staggering. Extensions like “Emoji keyboard online,” “Free Weather Forecast,” and “Volume Max” on Chrome, plus “Unlock TikTok” and “Volume Booster” on Edge, all participated in this centralized spy network. Despite appearing to come from different developers, technical analysis revealed they all connected to the same command-and-control infrastructure, suggesting coordinated operation by a single threat group.
What’s particularly frustrating is how this exploited our trust in official app stores. These extensions weren’t sideloaded from sketchy websites—they came through Google’s Chrome Web Store and Microsoft’s Edge Add-ons Store, complete with verification badges that should have meant something.
This isn’t the first time browser extensions have been weaponized at scale. The 2019 DataSpii campaign harvested browsing data through extensions used by over 4 million people, and the 2020 CursedChrome proof of concept showed how a malicious extension can turn a victim’s browser into a proxy for an attacker. The real-world incidents follow a similar pattern: legitimate extensions gain popularity, then receive malicious updates that transform them into data harvesting tools.
What you need to do right now: open chrome://extensions or edge://extensions and remove anything on the published list (and anything you don’t recognize or use). Because session cookies and login tokens may have been captured, sign out of your accounts everywhere and change the passwords for services you used while the extensions were installed. Then clear your browser data, run a full malware scan, and monitor your online accounts for suspicious activity over the next few weeks.
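A way to do that review across a whole profile rather than one extension at a time, added here as an example (not code from Koi Security or from this article): this Python script reads each installed extension’s manifest.json from a Chrome or Edge profile and reports which extensions hold the permission combinations that allow URL tracking and navigation redirection. The profile paths, the permission classification, and the two sample manifests are my assumptions, not anything from the report; the sample manifests are constructed so the script runs offline.

```python
#!/usr/bin/env python3
"""Audit installed Chrome/Edge extensions for track-and-redirect capability.

Reads each extension's manifest.json under a profile's Extensions directory
and reports which ones hold permission combinations that let an extension
log every URL you visit and rewrite navigations. Profile paths and the two
sample manifests at the bottom are assumptions/constructed for an offline run.
"""
import json
import sys
from pathlib import Path

# Host patterns that amount to "read and change all your data on websites you visit".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# APIs that expose URLs without any host permission.
TRACK_ANYWHERE = {"tabs", "webNavigation", "history"}
# APIs that expose URLs only for hosts the extension has access to.
TRACK_WITH_HOSTS = {"webRequest"}
# APIs that can send a tab elsewhere without host permission.
REDIRECT_ANYWHERE = {"tabs"}
# APIs that can rewrite or script a navigation on hosts the extension has access to.
REDIRECT_WITH_HOSTS = {"webRequestBlocking", "declarativeNetRequest",
                       "declarativeNetRequestWithHostAccess", "scripting"}

# Assumed default profile locations (Linux and macOS, default profile only).
DEFAULT_EXTENSION_DIRS = [
    Path.home() / ".config/google-chrome/Default/Extensions",
    Path.home() / ".config/microsoft-edge/Default/Extensions",
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    Path.home() / "Library/Application Support/Microsoft Edge/Default/Extensions",
]


def _is_host_pattern(p):
    return p == "<all_urls>" or "://" in p


def split_permissions(manifest):
    """Return (api_permissions, host_patterns) for an MV2 or MV3 manifest.

    MV2 mixes host patterns into 'permissions'; MV3 moves them to 'host_permissions'.
    Content-script 'matches' grant page access too, so they count as host patterns.
    """
    declared = manifest.get("permissions", [])
    apis = {p for p in declared if not _is_host_pattern(p)}
    hosts = {p for p in declared if _is_host_pattern(p)}
    hosts.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return apis, hosts


def audit_manifest(manifest):
    """Classify one manifest: 'can_track' = can observe every URL you visit,
    'can_redirect' = can send you elsewhere when you click a link."""
    apis, hosts = split_permissions(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    # A content script injected into every page can both read and rewrite location.
    broad_content_script = any(set(cs.get("matches", [])) & BROAD_HOSTS
                               for cs in manifest.get("content_scripts", []))
    can_track = (broad_content_script or bool(apis & TRACK_ANYWHERE)
                 or (broad and bool(apis & TRACK_WITH_HOSTS)))
    can_redirect = (broad_content_script or bool(apis & REDIRECT_ANYWHERE)
                    or (broad and bool(apis & REDIRECT_WITH_HOSTS)))
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "broad_host_access": broad,
        "risky_apis": sorted(apis & (TRACK_ANYWHERE | TRACK_WITH_HOSTS | REDIRECT_WITH_HOSTS)),
        "can_track": can_track,
        "can_redirect": can_redirect,
    }


def audit_extension_dir(ext_root):
    """Walk <Extensions>/<id>/<version>/manifest.json and audit every extension found."""
    findings = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest; skip rather than abort the audit
        result = audit_manifest(manifest)
        result["id"] = manifest_path.parent.parent.name  # the store ID is the directory name
        findings.append(result)
    return findings


# Constructed sample manifests (not real extensions) for running without a profile.
SAMPLE_TRACKER = {
    "name": "Example Weather Widget (constructed)",
    "version": "2.4.1",
    "manifest_version": 3,
    "permissions": ["storage", "tabs", "declarativeNetRequest"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_BENIGN = {
    "name": "Example Color Picker (constructed)",
    "version": "1.0.0",
    "manifest_version": 3,
    "permissions": ["activeTab", "storage"],
}


def main(argv):
    roots = [Path(a) for a in argv[1:]] or [d for d in DEFAULT_EXTENSION_DIRS if d.is_dir()]
    findings = [f for root in roots for f in audit_extension_dir(root)]
    if not findings:  # no profile found: show the classification on the constructed samples
        findings = [audit_manifest(SAMPLE_TRACKER), audit_manifest(SAMPLE_BENIGN)]
    for f in findings:
        flags = [k for k in ("can_track", "can_redirect") if f[k]]
        print(f"{f.get('id', '-'):34} {f['name']:40} {f['version']:10} "
              f"{'hosts=ALL ' if f['broad_host_access'] else ''}{','.join(flags) or 'ok'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to audit the default profiles, or pass the path to an Extensions directory (for a non-default profile, or a copy taken during incident response). An extension flagged with broad host access plus can_redirect has exactly the capability profile RedDirection abused; that does not by itself make it malicious, but it is the short list to review against the published IDs and to prune if you do not actively use it.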
This attack represents a fundamental shift in how we should think about browser security. The “install and forget” mentality that works for most software becomes dangerous when dealing with extensions that receive automatic updates with no user oversight. Unlike traditional software updates that often include visible changelogs, extension updates happen silently in the background.
Moving forward, treat your extension list like your medicine cabinet—regularly review what’s there and purge anything you don’t actively need. That weather widget collecting digital dust isn’t worth the potential security risk. Consider using browser profiles to isolate extensions for different activities, and always review permissions carefully before installation.
The RedDirection campaign serves as a stark reminder that in the browser extension ecosystem, today’s trusted tool could become tomorrow’s surveillance apparatus with nothing more than an automatic update.