Technical Analysis: The PromptSnatcher (Panel 231) AI Data Exfiltration Campaign
PromptSnatcher (internally identified as Panel 231) represents a sophisticated, dual-vector data exfiltration operation. Operating via two distinct browser extensions that masquerade as legitimate ad-blocking and privacy tools, the campaign is designed to harvest granular chat histories and sensitive account metadata from the world’s leading Artificial Intelligence platforms.
To maintain a veneer of legitimacy, these extensions provide genuine utility by ingesting established public filter lists, such as EasyList and I Don’t Care About Cookies, effectively suppressing ads and cookie banners. However, beneath this functional layer lies a bespoke interception engine capable of scraping non-public conversation text, specific model identifiers, and subscription-tier signals from ChatGPT, Gemini, Claude, Copilot, Perplexity, Grok, DeepSeek, and Meta AI.
The campaign is characterized by its modular architecture, remote configurability, and a high degree of operational discipline intended to mask telemetry within standard browser traffic.
Forensic Discovery and Linkage
The investigation was triggered when the MalExt Sentry automated scanner detected a recurring Google Tag Manager ID (GTM-TCT2RJ) embedded within the filter rules of multiple extensions. While this specific GTM artifact was traced back to a non-attributive rule in the IDCAC list, it served as a critical forensic pivot for manual deep-dive analysis.
Static and dynamic analysis ultimately revealed a shared underlying foundation: a proprietary “Panel 231” SDK present in both extensions. This SDK utilizes identical obfuscated exfiltration logic, a standardized LDP_MESSAGE internal messaging protocol, and synchronized Command-and-Control (C2) behavior patterns, confirming that despite having different publisher domains, the extensions are part of a singular, coordinated operation.
Execution Mechanism: Dynamic Payload Injection
PromptSnatcher avoids the scrutiny of browser web stores by utilizing a dynamic “Enhanced Protection” onboarding flow. This flow does not explicitly disclose AI conversation monitoring; instead, it fetches platform-specific parsing logic at runtime from a remote /configuration endpoint. This allows the operators to deploy new parsing rules or pivot to new AI targets instantly without requiring an extension update or store review.
Technically, the extension achieves interception by injecting a capture script into the page’s “main world.” This script patches global fetch, XMLHttpRequest, and WebSocket constructors. By hooking these primitives, the extension can clone both outgoing user prompts and incoming model responses in real time. The captured data is buffered and relayed through the LDP_MESSAGE channel to a background worker, which then POSTs the payload to a /captures API. Each transmission includes a persistent per-install UUID, platform ID, conversation ID, model name, and subscription status.
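As an added defensive illustration (not code from this report, the extension, or any AI platform): a page-side check that an incident responder or platform operator can run to spot main-world hooking of the three primitives named above. It assumes only the standard DOM globals fetch, XMLHttpRequest and WebSocket; the two scopes at the bottom are constructed stand-ins so the check also runs under Node.

```javascript
// Added example, not code from the report or the extension: a page-side
// integrity check for the primitives PromptSnatcher hooks in the main world.
// A native function stringifies to "[native code]"; a JavaScript wrapper shows
// its own source, and a .bind() wrapper keeps a native body but a "bound " name.
const nativeToString = Function.prototype.toString; // original, so a hook's own toString can't vouch for it
const NATIVE_BODY = /\{\s*\[native code\]\s*\}\s*$/;

// Classify one function: null means "looks native", otherwise a reason.
function suspicionReason(fn) {
  if (typeof fn !== 'function') return 'not a function';
  let src;
  try { src = nativeToString.call(fn); } catch (e) { return 'toString threw'; }
  if (!NATIVE_BODY.test(src)) return 'non-native source';
  if (fn.name.startsWith('bound ')) return 'bound wrapper around a native';
  return null;
}

// Walk the interception points on a global scope (window in a browser) and
// return { name: reason } for each one that no longer looks native.
function findPatchedPrimitives(scope) {
  const targets = {
    fetch: scope.fetch,
    XMLHttpRequest: scope.XMLHttpRequest,
    'XMLHttpRequest.prototype.open': scope.XMLHttpRequest?.prototype?.open,
    'XMLHttpRequest.prototype.send': scope.XMLHttpRequest?.prototype?.send,
    WebSocket: scope.WebSocket,
    'WebSocket.prototype.send': scope.WebSocket?.prototype?.send,
  };
  const findings = {};
  for (const [name, fn] of Object.entries(targets)) {
    if (fn === undefined) continue; // primitive absent in this runtime
    const reason = suspicionReason(fn);
    if (reason !== null) findings[name] = reason;
  }
  return findings;
}

// Constructed stand-in scopes (no browser needed): the clean one holds genuine
// natives, the hooked one mimics the extension's main-world replacements.
function constructedScopes() {
  const clean = { fetch: Math.max, WebSocket: Array };
  const hooked = { fetch: function (...a) { return Math.max(...a); } };
  hooked.WebSocket = class WebSocket {};                 // JS class swapped in for the constructor
  hooked.WebSocket.prototype.send = Math.min.bind(null); // bound wrapper on the prototype
  return { clean, hooked };
}
```

In a browser, run findPatchedPrimitives(window) from the page console (Node's own fetch is written in JavaScript and would be flagged there). The check is a heuristic: a Proxy around the native passes it, so a clean result is absence of evidence, not proof.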
Targeting Intelligence and Infrastructure
The sophistication of the campaign is best illustrated by its remote configuration (Config v1.0.1). The operators have developed highly specific parsing logic for various architectures:
- ChatGPT: Scrapes the window._STATSIG_object to determine is_paid status.
- Gemini: Parses XHR traffic for the wrb-frames protocol.
- Claude: Probes the /api/organizations endpoint to map user capabilities.
- Copilot: Intercepts SignalR frames over WebSockets to identify Pro-tier users.
- Meta AI: Notably, Meta AI is absent from the extension’s static manifests but appears in the live remote config, proving the operator’s ability to activate new targets on demand.
The infrastructure is strategically segmented to prevent easy correlation; Extension A communicates with c.smartadblocker.com, while Extension B utilizes c.abforbrowser.com. The configuration endpoint further protects itself by returning Base64-encoded rulesets and validating requests via an Origin header tied strictly to the specific extension ID.
Compliance Discrepancies and Impact
A significant finding during the investigation was a material disclosure discrepancy regarding Firefox builds. While the Firefox manifests explicitly declare data_collection_permissions: none, the extensions exhibit the exact same invasive capture behavior observed in the Chrome versions, representing a deliberate attempt to bypass platform-specific privacy audits.
With an estimated deployment of 90,000 users, PromptSnatcher is one of the most significant client-side exfiltration campaigns targeting the AI sector. It is strongly recommended that organizations prioritize the immediate removal of suspicious ad-blocking extensions, implement network-level blocks on the identified C2 domains, and perform a retrospective audit of sensitive prompts shared via AI interfaces.