Malicious “ChatGPT Ad Blocker” Chrome Extension Stole Full ChatGPT Conversations via Discord Webhook

By Ash K
Security researchers have uncovered a malicious Chrome extension called “ChatGPT Ad Blocker” that masqueraded as a lightweight privacy tool while quietly harvesting users’ full ChatGPT conversation pages and exfiltrating them to a private Discord channel. According to DomainTools Investigations, the extension was presented as a simple utility to stop ads in ChatGPT, but its real function was systematic data theft.

The case is notable because the extension did not need to steal tokens first or break into OpenAI infrastructure. Instead, it operated entirely inside the browser, where it already had access to what the user could see. DomainTools said the extension cloned the active page DOM, preserved the bulk of the visible text content, bundled prompts and metadata into a page dump, and sent that dump to a hardcoded Discord webhook. In practice, that means the attacker could capture highly sensitive user inputs, generated responses, and surrounding page context straight from the browser session.

The extension reportedly appeared on the Chrome Web Store with the messaging one might expect from a benign tool: “lightweight,” “community-driven,” “privacy-friendly,” and “open source.” The store listing described it as a dedicated blocker for emerging ChatGPT ad formats and said it did not collect data unless users explicitly submitted reports. That public-facing story is sharply at odds with the behavior DomainTools documented, where the extension allegedly sent full page content to Discord without meaningful user understanding of the data flow.

Malicious browser extensions do not need to break into an AI platform directly if they can already read and copy the conversation page inside the user’s browser.

The technical approach matters because it shows how dangerous browser extensions can become once granted page-level access. A malicious extension does not need to compromise ChatGPT itself to expose sensitive information. It only needs permission to observe and manipulate the page the user is already viewing. Once installed, the extension can act as a local collection point inside one of the most sensitive workflows in the modern browser: a live AI conversation where users often paste proprietary code, internal documents, credentials, business strategy, and personal data. This is an inference based on the extension behavior described by DomainTools and the common enterprise use of ChatGPT.

DomainTools linked the extension to the GitHub persona krittinkalra, which it said was also associated with AI4ChatCo and Writecream. The public GitHub and Reddit trail around the project made the extension appear like a legitimate open-source utility under active community development. A Reddit post from last month promoted the same extension as a community-driven ad blocker for ChatGPT, pointed users to the Chrome Web Store, and linked to a public GitHub repository under the same persona. That kind of visible, normal-looking project activity can help lower suspicion and make malicious code appear like part of an ordinary indie toolchain.

That developer linkage is one of the more sensitive aspects of the story. Public reporting ties the extension to a real online identity and adjacent AI-related services, but the available sources do not independently establish intent across all associated projects. What is more firmly supported is that DomainTools identified the ChatGPT Ad Blocker extension itself as malicious and raised the question of whether similar privacy or data-theft behavior might exist in related apps or services. That remains a question for further verification, not a confirmed fact about those other platforms.

The broader security context makes the incident even more important. In January, researchers documented other malicious browser extensions designed to steal ChatGPT sessions, tokens, or chat histories. Microsoft also warned in March that malicious AI-assistant extensions had reached large install counts and were collecting LLM chat content and browsing telemetry across enterprise environments. The ChatGPT Ad Blocker case fits that same larger pattern: attackers increasingly see browser-based AI tools as high-value targets because they sit at the intersection of identity, productivity, and highly sensitive user data.

The Discord webhook exfiltration route is also revealing. Discord remains popular among both legitimate communities and malicious operators because it is easy to integrate, familiar to developers, and often blends into environments where outbound communication to mainstream services is not heavily scrutinized. By shipping conversation dumps to a private Discord channel, the operator could avoid maintaining more obvious attacker infrastructure while still collecting stolen data in near real time. This is an inference based on the described use of a Discord webhook and common attacker tradecraft in cloud-hosted exfiltration.

For defenders, the key lesson is that browser extensions deserve the same scrutiny as lightweight endpoint agents. A short extension description and a public GitHub repository are not strong indicators of safety. Once an extension can read or modify a page, it can quietly collect AI prompts, generated answers, internal URLs, business logic, and potentially identity-related data. In many cases, the browser becomes the real data perimeter, and extensions become one of the weakest links around it. This is an analytical conclusion grounded in the documented extension behavior and wider reporting on malicious AI-related extensions.

Anyone who installed the extension should remove it immediately, review browser permissions, assume that ChatGPT conversations viewed while it was active may have been exposed, and reset any workflows that may have involved sensitive pasted data. Organizations should also review extension allowlists, restrict unsanctioned browser add-ons, and treat AI-related browser tooling as part of the enterprise attack surface rather than as harmless productivity accessories.
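As a starting point for the extension review described above, the following added example (not code from DomainTools or from the extension) statically triages an unpacked extension for the three traits this case combined: host access to ChatGPT pages, a hardcoded Discord webhook URL, and whole-page DOM capture. The host list, rule names, function names and sample data are assumptions made for illustration.

```javascript
// Added example: static triage of an unpacked extension. Sample data is constructed.
const AI_HOSTS = ["chatgpt.com", "chat.openai.com"]; // assumption: hosts to protect

// Discord webhook URLs have the form /api/webhooks/<id>/<token>.
const WEBHOOK_RE =
  /https:\/\/(?:[\w-]+\.)?discord(?:app)?\.com\/api(?:\/v\d+)?\/webhooks\/\d+\/[\w-]+/i;
// Heuristic markers for whole-page capture (DOM clone or serialisation).
const DOM_DUMP_RE = /\.cloneNode\(\s*true\s*\)|documentElement\.(?:outerHTML|innerText)/;

// Does a Chrome match pattern (e.g. "*://*.example.com/*") cover this host?
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false; // API permissions such as "storage" land here
  const h = m[2].toLowerCase();
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return host === h;
}

// manifest: parsed manifest.json; sources: { "file.js": "<file text>" }.
function auditExtension(manifest, sources) {
  const patterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []), // Manifest V2 keeps host patterns here
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const findings = [];
  const reach = AI_HOSTS.filter((h) => patterns.some((p) => patternCoversHost(p, h)));
  if (reach.length) findings.push({ rule: "ai-host-access", detail: reach.join(",") });
  for (const [file, text] of Object.entries(sources)) {
    if (WEBHOOK_RE.test(text)) findings.push({ rule: "discord-webhook", detail: file });
    if (DOM_DUMP_RE.test(text)) findings.push({ rule: "dom-dump", detail: file });
  }
  return findings;
}

// Constructed sample: not the real extension's manifest or code.
const sampleManifest = {
  manifest_version: 3,
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://chatgpt.com/*"], js: ["content.js"] }],
};
const sampleSources = {
  "content.js":
    'const HOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN";\n' +
    "const dump = document.documentElement.cloneNode(true);",
};
console.log(auditExtension(sampleManifest, sampleSources));
```

Any single finding is only a lead, since many legitimate extensions run on ChatGPT pages or clone DOM nodes; the combination of all three in one extension is what warrants removal and investigation.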

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.