PromptSnatcher Ad Blocker Extensions Stole AI Chats From ChatGPT, Claude, Gemini, and Other Platforms


Two browser extensions posing as ad blockers secretly captured private AI conversations from ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. The operation, named PromptSnatcher by MalExt Sentry, affected about 90,000 users across the two extensions.

The extensions were called Smart Adblocker and Adblock for Browser. They provided real ad-blocking functionality, but they also ran a hidden capture engine that intercepted prompts, responses, model details, account-tier information, and conversation metadata.

The risk is clear for users and companies that discuss sensitive topics with AI tools. Private prompts can include source code, customer data, legal questions, business plans, internal documents, health details, or credentials pasted by mistake.

What PromptSnatcher Extensions Did

PromptSnatcher used two extensions that appeared to be normal ad blockers. Smart Adblocker had about 80,000 installs, while Adblock for Browser had about 10,000 installs, according to the research.

Both extensions shared the same hidden infrastructure, the same internal partner ID, and the same communication protocol. Researchers tied them to an internal identifier called Panel 231 and a messaging protocol named LDP_MESSAGE.

The extensions used real public ad-blocking lists, including EasyList and IDCAC, to make the product look useful. That working cover made the malicious behavior harder for users to notice during normal browsing.

| Extension | Chrome extension ID | Reported installs | C2 domain |
| --- | --- | --- | --- |
| Smart Adblocker | iojpcjjdfhlcbgjnpngcmaojmlokmeii | About 80,000 | smartadblocker[.]com |
| Adblock for Browser | jcbjcocinigpbgfpnhlpagidbmlngnnn | About 10,000 | abforbrowser[.]com |

How the Extensions Captured AI Conversations

The core capture script was named shared-page-capture.js. It was injected into active AI websites and patched browser functions used for live web requests, including fetch, XMLHttpRequest, and WebSocket.

Chrome’s own content scripts documentation explains that content scripts can run on web pages and interact with page content. In this case, the extensions used that access to observe AI chat traffic as messages moved between the page and the platform.

Captured prompts were buffered up to 10,000 characters, while responses were buffered up to 30,000 characters. The extensions then sent the data to operator-controlled capture endpoints with a persistent device identifier, platform ID, conversation ID, model name, subscription tier, and timestamp.

The Campaign Targeted Eight AI Platforms

The campaign did not focus on only one AI tool. It targeted the most widely used consumer AI services and could add new targets through a remote configuration server without pushing a new browser extension update.

That remote configuration matters because it allowed the operator to expand the collection list after installation. Meta AI, for example, was not present in the static extension code but appeared in the live remote configuration reviewed by researchers.

| Platform | Target ID | Reported collection depth |
| --- | --- | --- |
| ChatGPT | q7m2xa | Full conversation text and paid-tier signal |
| Gemini | v4n8bk | Full conversation text |
| Claude | k2f8yu | Full conversation text and capability signals |
| Copilot | z3x7pn | Full conversation text through WebSocket traffic |
| Perplexity | h9p3td | Full conversation text and subscription status |
| DeepSeek | r6c1lz | Full conversation text through backend conversation APIs |
| Grok | b8j4rs | Full conversation text |
| Meta AI | m5w9qe | Full conversation text through remote configuration |

Why PromptSnatcher Was Hard to Spot

The extensions did not behave like obvious fake ad blockers. Users received a product that blocked ads, which reduced suspicion and helped the extensions survive casual inspection.

The hidden data collection engine stayed separate from the ad-blocking logic. The PromptSnatcher report says platform-specific parsing rules were downloaded from the configuration endpoint at runtime, which let the operator update targets without a store update.

The Chrome extension model can support legitimate page interaction, but this case shows how that same access can create privacy risk. Google’s content script guidance notes that content scripts can make changes to their JavaScript environment while working with web pages, which is why users need to trust the extensions they install.

  • The extensions provided real ad-blocking features.
  • The capture engine ran quietly in the background.
  • Remote configuration allowed new AI targets to be added later.
  • Captured data included more than prompts and responses.
  • The extensions tracked subscription-related signals on several platforms.

The Firefox Disclosure Gap Raises More Privacy Questions

The Firefox versions of the extensions created another concern. Researchers said their manifests declared data_collection_permissions: none, while the underlying code still contained a functionally similar capture engine.

Mozilla’s Firefox data collection consent documentation says extension developers must specify what data an extension collects or transmits in the manifest, and they can also state that an extension collects no data.

That makes the mismatch important. A user who saw a no-data-collection disclosure would have no reason to expect full AI chat capture, subscription-tier fingerprinting, and transmission to remote servers.

Why Stolen AI Chats Are Valuable

AI chat histories can contain unusually sensitive information. Users often paste text into chatbots because they expect a private assistant, not a public web form.

For individuals, stolen chats can reveal personal problems, job plans, financial questions, private messages, or identity details. For companies, they can expose code snippets, strategy documents, customer records, incident details, contracts, or internal security information.

The subscription-tier data also has value. It can help operators identify high-value users, paid business accounts, or people who rely heavily on AI tools for work.

| Data type | Why it matters |
| --- | --- |
| Prompts and responses | May include private, business, legal, technical, or personal information |
| Conversation IDs | Can help link multiple chats to the same user or workflow |
| Model names | Shows which AI tools and models the user relies on |
| Subscription status | Can identify paid users or higher-value targets |
| Device identifiers | Can support long-term tracking across sessions |

Browser extension stores rely on clear disclosure because extensions can sit between users and the websites they visit. Google’s Chrome Web Store policies require extensions to disclose their behavior and avoid misleading users.

PromptSnatcher highlights a difficult review problem. A browser extension can offer a real feature while hiding a separate telemetry engine that collects data unrelated to the visible purpose of the product.

The same issue applies to Firefox. The Mozilla extension consent guidance exists to give users a clear view of data collection, but that protection depends on accurate declarations and enforcement.

What Users Should Do Now

Anyone who installed Smart Adblocker or Adblock for Browser should remove the extension immediately. Users should also review recent AI chats and avoid reusing any secrets, tokens, passwords, or confidential data that may have been pasted into those tools while the extension was installed.

Google’s Chrome extension management guide says users can remove an extension from Chrome by opening the browser menu, going to Extensions, selecting Manage extensions, and choosing Remove.

  1. Open Chrome and go to chrome://extensions.
  2. Look for Smart Adblocker, Adblock for Browser, or any unfamiliar ad blocker.
  3. Select Remove for suspicious extensions.
  4. Restart the browser after removal.
  5. Review AI account sessions and sign out from unknown devices where available.
  6. Rotate any credentials or API keys that may have appeared in AI chats.

What Companies Should Check

Companies should not treat this only as a consumer browser issue. Employees often use AI tools to summarize documents, debug code, draft emails, analyze logs, and prepare internal reports.

Security teams should inventory browser extensions across managed devices and block unapproved ad blockers. They should also review proxy, DNS, and endpoint logs for traffic to PromptSnatcher infrastructure.

The Chrome Web Store policy framework helps define expected extension behavior, but organizations should still enforce their own extension allowlists. Store review alone cannot replace enterprise browser governance.

| Indicator type | Indicator | Description |
| --- | --- | --- |
| Extension ID | iojpcjjdfhlcbgjnpngcmaojmlokmeii | Smart Adblocker Chrome ID |
| Extension ID | jcbjcocinigpbgfpnhlpagidbmlngnnn | Adblock for Browser Chrome ID |
| Domain | smartadblocker[.]com | C2 domain for Smart Adblocker |
| Domain | abforbrowser[.]com | C2 domain for Adblock for Browser |
| C2 URL | hxxps://c.smartadblocker[.]com/configuration | Remote configuration endpoint |
| C2 URL | hxxps://c.smartadblocker[.]com/captures | Capture endpoint |
| C2 URL | hxxps://c.abforbrowser[.]com/configuration | Remote configuration endpoint |
| C2 URL | hxxps://c.abforbrowser[.]com/captures | Capture endpoint |
| File name | shared-page-capture.js | Core AI chat capture script |
| Internal protocol | LDP_MESSAGE | Shared internal messaging protocol |
| Partner ID | 231 | Shared SDK identifier |

Admins should also search for the extensions by ID, not just by name. Names can change, while extension IDs give defenders a more reliable way to hunt across browser inventories.
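The two hunts recommended above (searching browser inventories by extension ID, and reviewing DNS or proxy logs for the C2 domains) can be scripted as in the following added example, which is not from the MalExt Sentry report. It assumes Chrome's on-disk layout of <User Data>/<profile>/Extensions/<id>/<version>/; the function names and the sample log lines are constructed for illustration.

```python
import re
from pathlib import Path

# Indicators copied from the table above; domains stay defanged in source.
EXTENSION_IDS = {
    "iojpcjjdfhlcbgjnpngcmaojmlokmeii": "Smart Adblocker",
    "jcbjcocinigpbgfpnhlpagidbmlngnnn": "Adblock for Browser",
}
C2_DOMAINS = [d.replace("[.]", ".") for d in ("smartadblocker[.]com", "abforbrowser[.]com")]
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def find_installed(user_data_root):
    """Return (profile, extension name, versions) for each flagged ID on disk.

    Assumes Chrome's layout: <User Data>/<profile>/Extensions/<id>/<version>/.
    """
    hits = []
    for ext_dir in Path(user_data_root).glob("*/Extensions/*"):
        name = EXTENSION_IDS.get(ext_dir.name.lower())
        if name and ext_dir.is_dir():
            versions = sorted(p.name for p in ext_dir.iterdir() if p.is_dir())
            hits.append((ext_dir.parent.parent.name, name, versions))
    return sorted(hits)


def is_c2_host(host):
    """True for a C2 domain or any subdomain of it, not look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def flag_log_lines(lines):
    """Return (line number, host) for DNS or proxy log lines naming C2 hosts."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if is_c2_host(host):
                hits.append((n, host.lower()))
    return hits


# Constructed sample log lines (not real telemetry), built from the indicators.
SAMPLE_LOG = [
    f"2025-01-01T10:00:01Z 10.0.0.5 query A c.{C2_DOMAINS[0]}",
    f"2025-01-01T10:00:02Z 10.0.0.5 query A not{C2_DOMAINS[0]}",
    f"2025-01-01T10:00:03Z 10.0.0.9 CONNECT c.{C2_DOMAINS[1]}:443",
    "2025-01-01T10:00:04Z 10.0.0.9 query A example.org",
]

if __name__ == "__main__":
    print(flag_log_lines(SAMPLE_LOG))
```

A hit from find_installed means the extension directory is still present in that profile; a hit from flag_log_lines only shows that a host resolved or connected to the infrastructure, so pair it with the inventory result before drawing conclusions.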

Users who removed the extensions should still follow Google’s Chrome extension removal guidance and check for other unwanted extensions. If an AI chat included passwords, access tokens, or private keys, those secrets should be treated as exposed and rotated.

The larger lesson is simple: browser extensions need the same scrutiny as desktop software. An extension that can read and modify pages can also reach sensitive AI conversations, so users and organizations should install only trusted, necessary extensions.

FAQ

What is PromptSnatcher?

PromptSnatcher is a data theft campaign involving two browser extensions, Smart Adblocker and Adblock for Browser, that secretly captured AI conversations and metadata from major chatbot platforms.

Which AI platforms were targeted by PromptSnatcher?

Researchers said PromptSnatcher targeted ChatGPT, Gemini, Claude, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI.

How many users installed the PromptSnatcher extensions?

The two extensions had about 90,000 combined installs, with roughly 80,000 for Smart Adblocker and 10,000 for Adblock for Browser.

What data did the malicious ad blocker extensions collect?

The extensions collected prompts, responses, conversation IDs, model names, subscription-tier information, timestamps, platform identifiers, and persistent device identifiers.

What should users do if they installed Smart Adblocker or Adblock for Browser?

Users should remove the extension, review recent AI conversations, sign out of suspicious sessions where possible, and rotate any passwords, API keys, tokens, or other secrets that may have been pasted into AI chats.
