MalExt Sentry researchers disclosed PromptSnatcher — tracked internally as “Panel 231” — a data-harvesting operation that used two Chrome ad blocker extensions to steal private AI conversations from approximately 90,000 users across eight major AI platforms. The two extensions, Smart Adblocker and Adblock for Browser, provided genuine ad-blocking functionality while secretly executing a script that intercepted all AI platform traffic before it left the browser. The disclosure was published on June 15, 2026.
How PromptSnatcher’s shared-page-capture.js Intercepted AI Platform Traffic Before It Left the Browser
Both extensions executed a script called “shared-page-capture.js” that patched the global fetch, XMLHttpRequest, and WebSocket functions in the user’s browser — the three primary mechanisms browsers use to send and receive network data. By patching those functions at the browser level before the user’s AI requests could depart, PromptSnatcher inserted itself between the user and every AI service they visited. The interception operated regardless of which platform the user accessed or which session they were in.
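A defender can check for this kind of hooking from the page side. The following is an added example, not code from the MalExt Sentry report or from the extensions: a heuristic that flags script-defined replacements of the three primitives named above. The function names, the watched property list and the sample scopes are assumptions made for illustration.

```javascript
// Added example: heuristic check for script-defined wrappers around the three
// network primitives the page names. In a browser, pass `window` as the scope.
const WATCHED_PATHS = [
  'fetch',
  'XMLHttpRequest',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.send',
  'WebSocket',
  'WebSocket.prototype.send',
];

// Call the prototype's toString directly so an own toString property set on a
// wrapper function is ignored.
const fnToString = Function.prototype.toString;

// Built-ins stringify as "function name() { [native code] }"; a wrapper written
// in JavaScript exposes its own source text instead.
function looksNative(fn) {
  return /\{\s*\[native code\]\s*\}\s*$/.test(fnToString.call(fn));
}

function resolvePath(scope, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), scope);
}

function findPatchedNetworkApis(scope) {
  const findings = [];
  for (const path of WATCHED_PATHS) {
    const value = resolvePath(scope, path);
    if (typeof value !== 'function') continue; // API absent in this runtime
    if (!looksNative(value)) findings.push(path);
  }
  return findings;
}

// Constructed scopes for an offline run: native built-ins stand in for the
// browser's originals, plain functions and a class stand in for wrappers.
const cleanScope = { fetch: Math.max, XMLHttpRequest: Map, WebSocket: Set };
const patchedScope = {
  fetch: function wrappedFetch() { return Math.max.apply(null, arguments); },
  XMLHttpRequest: class WrappedXHR { send() {} },
  WebSocket: Set,
};
console.log(findPatchedNetworkApis(cleanScope), findPatchedNetworkApis(patchedScope));
```

Run `findPatchedNetworkApis(window)` from the DevTools console on an AI platform tab, once with extensions enabled and once in a clean profile, and compare the output. A hit is a lead rather than a verdict, because legitimate tooling also wraps these functions, and an empty result does not prove nothing is hooked.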
The eight targeted platforms were ChatGPT, Gemini, Claude, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI. For each conversation on those platforms, PromptSnatcher captured full conversation text — user prompts up to 10,000 characters and AI responses up to 30,000 characters — along with device IDs, platform names, and the user’s AI subscription tier. Captured data was buffered and transmitted to operator-controlled servers.
Functional ad blocking served as the cover. The extensions blocked ads as advertised, giving users no reason to suspect the installation was doing anything beyond its stated purpose. The absence of performance issues or visible malfunction provided no signal that every AI conversation was being transmitted externally.
What PromptSnatcher’s 30,000-Character Response Buffer Reveals About the Stolen Conversation Data
The 30,000-character response buffer is the most revealing technical specification in MalExt Sentry’s findings. PromptSnatcher was not capturing brief one-line queries. It was capturing extended, multi-turn AI conversations — the exchanges where users share context, provide background, and ask follow-up questions across the full arc of a session.
AI conversations have become one of the most sensitive behavioral records a person generates. Users have adapted to treating AI chatbots as private advisors, sharing medical concerns before a doctor appointment, legal questions before consulting an attorney, financial problems, and personal matters they might not raise with people they know. A 30,000-character response buffer captures that context in full. For 90,000 affected users, every conversation of that kind — conducted through any of the eight targeted platforms — went to PromptSnatcher’s infrastructure.
The eight-platform targeting is the campaign’s defining scope. A user who switched AI services — moving from ChatGPT to Claude, or from Gemini to Perplexity — remained under PromptSnatcher’s interception regardless of the platform change. The extensions functioned as a cross-platform AI surveillance layer, capturing any conversation the user had with any major AI service during the installation period.
Enterprise Copilot Subscription Tier Exfiltration and the Business Data at Risk in PromptSnatcher
PromptSnatcher captured the user’s AI subscription tier alongside conversation content. For enterprise Microsoft Copilot subscribers, this creates a corporate dimension beyond individual privacy. Enterprise Copilot users conduct proprietary business analysis, code review, internal document processing, and strategic planning through the platform. Conversations may contain trade secrets, unreleased product details, sensitive financial data, or internal communications that employees entered while treating their Copilot session as private.
An employee running enterprise Copilot with Smart Adblocker or Adblock for Browser installed transmitted those conversations to PromptSnatcher’s operator infrastructure, with the subscription tier flagged in the transmitted data. Organizations running Microsoft Copilot or other enterprise AI platforms should audit endpoint environments for the presence of either extension and assess whether sensitive business conversations were conducted during any installation period.
How MalExt Sentry Identified PromptSnatcher Despite Its Dual-Brand Deception
Smart Adblocker and Adblock for Browser presented separate branding, maintained distinct domain presences, and appeared to be independent products. MalExt Sentry identified them as a single coordinated operation through a shared Google Tag Manager ID — an operational security failure that exposed both extensions as part of the same infrastructure despite their separate presentation.
The Chrome extension IDs are iojpcjjdfhlcbjnpngcmaojmlokmeii for Smart Adblocker and jcbjcocinigpbgfpnhlpagidbmlngnnn for Adblock for Browser. Users with either extension installed should remove it immediately and review whether sensitive conversations on any of the eight targeted AI platforms occurred during the installation period. The shared infrastructure link MalExt Sentry found also confirms that attribution of both extensions to a single operator is not a matter of similarity — it is a matter of shared backend identity, revealed by an operational error the campaign’s designers did not catch before researchers did.
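For the endpoint audit recommended above and in the enterprise section, the following added example (not from the MalExt Sentry report) looks up the two extension IDs in the text of a Chrome profile's Preferences or Secure Preferences file and reports when each was installed, which bounds the exposure window. It assumes the `extensions.settings.<id>` layout with `install_time` or `first_install_time` fields; the function names and the sample data are constructed for illustration.

```javascript
// IDs are copied exactly as printed on the page. The first is 31 characters;
// Chrome extension IDs are normally 32, so confirm it against the original report.
const REPORTED_IDS = {
  iojpcjjdfhlcbjnpngcmaojmlokmeii: 'Smart Adblocker',
  jcbjcocinigpbgfpnhlpagidbmlngnnn: 'Adblock for Browser',
};

// Chrome stores times as microseconds since 1601-01-01 UTC, as decimal strings.
const EPOCH_DELTA_MS = 11644473600000n;
function chromeTimeToIso(value) {
  if (!/^\d+$/.test(String(value ?? ''))) return null;
  const date = new Date(Number(BigInt(value) / 1000n - EPOCH_DELTA_MS));
  return Number.isNaN(date.getTime()) ? null : date.toISOString();
}

// Assumed layout: { extensions: { settings: { <id>: { install_time, ... } } } }
function findReportedExtensions(prefsJsonText) {
  let prefs;
  try {
    prefs = JSON.parse(prefsJsonText);
  } catch {
    return { error: 'unparseable preferences file', hits: [] };
  }
  const settings = prefs?.extensions?.settings ?? {};
  const hits = [];
  for (const [id, name] of Object.entries(REPORTED_IDS)) {
    const entry = settings[id];
    if (!entry) continue;
    hits.push({
      id,
      name,
      installedSince: chromeTimeToIso(entry.first_install_time ?? entry.install_time),
    });
  }
  return { error: null, hits };
}

// Constructed sample: one reported ID plus an unrelated, made-up extension.
const SAMPLE_PREFS = JSON.stringify({
  extensions: { settings: {
    jcbjcocinigpbgfpnhlpagidbmlngnnn: { install_time: '13411699200000000' },
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: { install_time: '13411699200000000' },
  } },
});
console.log(findReportedExtensions(SAMPLE_PREFS));
```

Feed the function the file contents from every profile directory on the endpoint, since each Chrome profile keeps its own extension settings. An entry that is absent now does not rule out an earlier installation, so pair the result with browser management or EDR telemetry where available.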
