## Brazilian Operator Runs 126 Chrome Extensions Silently Exfiltrating WhatsApp Data from 148K Users
A single Brazilian operator has deployed a coordinated network of 126 seemingly unrelated Chrome extensions, collectively harvesting sensitive WhatsApp user data and advertising cookies from approximately 148,000 users. The operation, centered on the domain wascript.com.br, disguises what is effectively one codebase—one backend, one set of covert behaviors—behind dozens of product names including WaSeller, waTidy, FR VENDAS PRO, ENOCRM, and Cliente Flow. Security researchers identified the cluster using a custom detection tool designed to flag malicious browser extensions through shared code patterns and infrastructure overlap.

The extensions, marketed primarily as sales and CRM utilities, present themselves as legitimate productivity tools. However, detailed analysis reveals that once a user logs into WhatsApp Web, the extension silently transmits their name, email address, device identifier, and Facebook, Google, and TikTok tracking cookies to servers controlled by whoever sold or distributed the specific extension. Voice messages sent through WhatsApp also route through the operator's infrastructure, creating an additional channel for data capture. WaSeller alone accounts for roughly 100,000 installations, making it the largest individual extension in the cluster by user count.

The discovery highlights ongoing risks within Chrome's extension ecosystem, where actors can exploit the appearance of product diversity to evade detection. The shared infrastructure across all 126 listings enabled researchers to cluster them as a single operation despite their varied branding and distribution channels. Users who installed any of these extensions may have had their WhatsApp authentication credentials and cross-platform tracking identifiers exposed to a third party without their knowledge. The scale of the operation and the breadth of data targeted suggest the collected information could support account takeover attempts, advertising fraud, or resale to other threat actors.
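
The infrastructure-overlap check described above can be run against a local Chrome profile. This is an added example, not code from the researchers' tool or the original page. It assumes the unpacked layout `Extensions/<id>/<version>/manifest.json`; the extension IDs, names and URLs in `SAMPLE` are constructed, and only the domain `wascript.com.br` comes from the article.

```python
import json
import re
from collections import defaultdict
from pathlib import Path

INDICATOR = "wascript.com.br"  # backend domain named in the article
HOST_RE = re.compile(r"https?://(?:\*\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)  # also https://*.host/*

# Constructed sample (made-up IDs, names, URLs); write_sample() lays it out as <id>/<version>/.
SAMPLE = {
    "aaaa": ("Sales Helper", 'fetch("https://api.wascript.com.br/v1/sync")'),
    "bbbb": ("CRM Boost", 'const API = "https://api.wascript.com.br/v1";'),
    "cccc": ("Dark Theme", 'fetch("https://themes.example.org/list")'),
}

def write_sample(root):
    for ext_id, (name, js) in SAMPLE.items():
        d = Path(root) / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "manifest_version": 3}))
        (d / "background.js").write_text(js)

def scan(root):
    """Map extension ID -> (manifest name, hosts referenced in its .js/.json/.html files)."""
    found = {}
    for manifest in Path(root).glob("*/*/manifest.json"):
        try:
            name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "?")
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        hosts = set()
        for p in manifest.parent.rglob("*"):
            if p.is_file() and p.suffix.lower() in {".js", ".json", ".html"}:
                text = p.read_text(encoding="utf-8", errors="ignore")
                hosts.update(h.lower() for h in HOST_RE.findall(text))
        found[manifest.parent.parent.name] = (name, hosts)
    return found

def flagged(found, indicator=INDICATOR):
    """IDs whose files reference the indicator domain or a subdomain of it."""
    return sorted(i for i, (_, hosts) in found.items()
                  if any(h == indicator or h.endswith("." + indicator) for h in hosts))

def clusters(found, min_size=2):
    """Hosts referenced by several differently named extensions (shared backend)."""
    by_host = defaultdict(set)
    for ext_id, (_, hosts) in found.items():
        for h in hosts:
            by_host[h].add(ext_id)
    return {h: sorted(ids) for h, ids in by_host.items() if len(ids) >= min_size}
```

On a real profile, `clusters()` will also list hosts that many unrelated extensions legitimately share, so filter those before treating a group as one operation.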

---
- **Source**: r/blueteamsec
- **Sector**: The Lab
- **Tags**: malware, chrome-extensions, whatsapp, data-exfiltration, brazil
- **Credibility**: unverified
- **Published**: 2026-05-14 20:48:19
- **ID**: 83165
- **URL**: https://whisperx.ai/en/intel/83165