Cybersecurity experts from Socket have just uncovered a sneaky scam hiding in plain sight on the Google Chrome Web Store. Two extensions, both called Phantom Shuttle (described in Chinese as a “multi-location network speed test” tool for developers), have been tricking users for years into thinking they’re buying a helpful VPN service. Instead, they’re quietly stealing passwords, credit card details, and other sensitive information.
These extensions looked legitimate , they even performed real speed tests to build trust. Users paid small subscriptions (around $1.40 to $13.50) through Alipay or WeChat to unlock “VIP” features. Once paid, the extensions secretly turned on a hidden proxy mode that rerouted internet traffic through servers controlled by the attackers.
This gave the hackers a perfect “man-in-the-middle” position: they could see and capture everything from logins and cookies to API keys on popular sites like GitHub, AWS, Facebook, and even adult websites (possibly for blackmail). Every few minutes, the extensions also sent the user’s email and password (in plain text) straight to the attackers’ server.
The scam has been running since at least 2017, with one version having over 2,000 users. Signs point to a China-based operation, thanks to the Chinese descriptions, payment methods, and server location.
Good news: After Socket reported them, Google removed both extensions from the Chrome Web Store as of December 27, 2025. The attackers’ main control server is still online, though.
If you’ve ever installed Phantom Shuttle, uninstall it right now from your Chrome extensions page. Then change any important passwords and run a security scan. For everyone else, this is a big reminder: be extra careful with browser extensions, especially ones that ask for proxy permissions or charge subscription fees. Stick to well-known tools and consider turning on extension allow listing if you’re in a company.
Stories like this show how even small add-ons can become serious security risks. Stay safe out there. A quick check of your extensions today could prevent a headache tomorrow!
Author: Oje.Ese