A library that diverts the 'excess bandwidth' of users' Internet environments to AI companies' crawlers and monetizes them exists and is built into 245 browser extensions.



There is a library called '

Mellowtel ' that is said to help app developers monetize, and it is becoming a hot topic that users' network bandwidth is provided to AI companies and money is obtained in return. Concerns about privacy violations and security risks have also been raised about Mellowtel, but the developer of Mellowtel denies the allegations.

Mellow Drama: Turning Browsers Into Request Brokers | Secure Annex
https://secureannex.com/blog/mellow-drama/

Browser extensions turn nearly 1 million browsers into website-scraping bots - Ars Technica
https://arstechnica.com/security/2025/07/browser-extensions-turn-nearly-1-million-browsers-into-website-scraping-bots/

Mellowtel is an open-source library that allows users of apps that incorporate Mellowtel to use their spare network bandwidth to run AI companies' crawlers. In return, the AI companies pay the developers 55% of the money, which is then returned to the app developers.



Security expert John Tucker 's analysis of Mellowtel revealed that in addition to providing users' network bandwidth to AI companies, the company also collects data such as users' location, available bandwidth, heartbeats , and status.



In addition, it was found that Mellowtel 'embeds an invisible iframe into the web page you are viewing and connects to a specific server.' Based on these findings, Tackner claims that Mellowtel poses privacy and security risks.

As a result of Tackner's search for 'browser extensions that incorporate Mellowtel,' it was revealed that Mellowtel is incorporated into 45 Chrome extensions, 129 Edge extensions, and 71 Firefox extensions, and the total number of downloads of each extension reaches nearly 1 million. Tackner publishes a list of each extension that adopts Mellowtel at the following link.

Extensions using Mellowtel - Google Drive
https://docs.google.com/spreadsheets/d/e/2PACX-1vT1XgBs25gRlg5e3nYCAff967WMtZZTO-TB3rR9zszaJpTpCVFg8j7FkBxnHb3tw3aHGjKBGSxYyLgV/pubhtml



After Tackner published his analysis of Mellowtel, Mellowtel developer Arslan Ali posted a blog post denying the allegations.

Responding to ArsTechnica (Condé Naste) and 'Mellow-Drama' Articles - Mellowtel Blog
https://www.mellowtel.com/blog/responding-to-ars-technica-and-mellow-drama-article



According to Ali, the location information is only rough country-level location information, and the acquired data is completely anonymized so that it cannot be linked to the user. Mellowtel also claims that it only offers opt-in features, and the feature will not be enabled unless the user agrees to the diversion of bandwidth.

Mellowtel is developed as open source, and the source code is available at the following link. 'By making Mellowtel completely open source, we want to make the code available to developers and security experts,' said Ali.

GitHub - mellowtel-inc/mellowtel-js: With Mellowtel, your users can share a fraction of their unused internet by using a transparent opt-in/out mechanism. Trusted partners access the internet through this network, and you get paid for it.
https://github.com/mellowtel-inc/mellowtel-js



in Software,   Security, Posted by log1o_hf