--- title: "131 Chrome Extensions Busted for WhatsApp Web Spam Scheme" date: 2025-10-20 author: "Sofia Ramirez" featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2025/10/chrome-extensions-used-for-whatsapp-spam.jpg" categories: - name: "Cybersecurity" url: "/cybersecurity.md" tags: - name: "News" url: "/tag/news.md" --- # 131 Chrome Extensions Busted for WhatsApp Web Spam Scheme A coordinated spam campaign targeting WhatsApp Web users has been uncovered, involving 131 Chrome extensions repackaged to look like legitimate marketing tools. ## Quick Summary – TLDR: - 131 Chrome extensions were used to automate spam on WhatsApp Web - All extensions were clones of a single tool repackaged under various brand names - The scheme was linked to Brazilian companies using a white-label reseller model - Google has been urged to take down the extensions for violating its spam policies ## What Happened? Cybersecurity researchers at Socket revealed a widespread abuse of Google Chrome’s Web Store where 131 extensions were secretly working to automate spam campaigns on [WhatsApp Web](https://sqmagazine.co.uk/whatsapp-statistics/). While posing as productivity or CRM tools, these extensions injected scripts into WhatsApp Web to bypass its anti-spam protections. > 🚨 131 Chrome extensions were caught turning WhatsApp Web into spam bots. > > They look like “CRM tools,” but secretly send bulk messages. > > Over 20,000 users already installed them. > > Full details ↓ > > — The Hacker News (@TheHackersNews) [October 20, 2025](https://twitter.com/TheHackersNews/status/1980224968404373662?ref_src=twsrc%5Etfw) ## Coordinated Chrome Abuse Linked to Brazilian Resellers The 131 extensions, though different in name and branding, were all **built from the same codebase** and shared identical infrastructure. Researchers identified that these extensions were mostly published by two developer accounts linked to a Brazilian company, Grupo OPT. Most of them were labeled under “**WL Extensão**” or a variation of it. Notably, the software behind these spam tools originated from a company called **DBX Tecnologia**, which offered a **white-label reseller program**. This allowed affiliates to rebrand the core extension and market it as their own. According to promotional materials, for a **R$12,000 investment** (roughly USD $2,180), resellers were promised **recurring monthly revenues** between R$30,000 and R$84,000 (USD $5,450 to $15,270). ## Extensions Masquerading as Sales Tools While the plugins promoted features like contact management and bulk messaging for small businesses, they were actually **automating unsolicited message blasts**. These messages were sent without user confirmation, making them **non-compliant with WhatsApp’s Business Messaging Policy**, which requires opt-in. Some extensions uncovered include: - **YouSeller** (10,000 users) - **performancemais** (239 users) - **Botflow** (38 users) - **ZapVende** (32 users) Despite unique branding, all extensions connected to the **same backend servers controlled by DBX**, meaning user activity and data were funneled to one system regardless of the extension used. ## Ongoing Updates and Detection Evasion The [spamware](https://sqmagazine.co.uk/spam-statistics/) operation appears to have been active for at least nine months, with fresh uploads and updates continuing as recently as **October 17, 2025**. Socket’s analysis shows that new clones were regularly added in waves to **evade detection** by Chrome’s security mechanisms. Each extension **injected JavaScript** directly into WhatsApp Web pages. This code ran alongside WhatsApp’s scripts to enable scheduled messages and mass outreach features. Socket described the setup as “**high-risk spam automation** that abuses platform rules.” ## Google Notified of Violations Socket has filed **takedown requests with [Google](https://sqmagazine.co.uk/google-usage-statistics/)**, flagging the publisher accounts for **violating Chrome Web Store’s Spam and Abuse policy**, which forbids duplicate functionality across extensions. Researchers also noted the lack of proper privacy disclosures, especially since **media and messages may be routed through vendor servers**. Sites like **zapvende\[.\]com** and **lobovendedor\[.\]com\[.\]br** were used to lure Brazilian small businesses into buying and publishing these extensions by promising a lucrative, recurring revenue stream. ## SQ Magazine’s Takeaway I find it wild how deep this spam operation goes. It’s not just shady extensions but an actual **reseller economy built around spamming** users through WhatsApp. What’s even more concerning is how these tools managed to slip through Chrome Web Store’s policies for so long. As users, we really have to be cautious about what we install, even when it looks polished and professional. Google needs to clean house fast, and WhatsApp better step up its anti-spam tech.