Your Crypto Wallet Could Vanish Thanks to a Chrome Extension—And You’d Never Know

by Obyte, April 23rd, 2025

Too Long; Didn't Read

Browser extensions are small add-ons that give your browser extra features, like blocking ads, saving passwords, or managing your crypto funds with a convenient wallet. Extensions with hidden malware have been used to steal cryptocurrencies, hijack social media accounts, and spy on users. Malicious developers often disguise these tools as useful add-ons, making them hard to spot before they cause damage.



As you may already know, you can visit websites thanks to web browser software, like Chrome or Firefox. Inside this software, browser extensions are small add-ons that give your browser extra features, like blocking ads, saving passwords, or managing your crypto funds with a convenient wallet. MetaMask is likely the most popular crypto browser extension, but there are many others related to the industry, from security features to trading features.


Browser extensions can do nearly everything, and they offer the added advantage of doing it without the need to abandon our web browser. As of April 2025, the Chrome Web Store offers approximately 155,419 extensions of all types. Other browsers like Firefox, Edge, and Safari also have their own extension stores, each with varying quantities; and some independent developers and teams are offering their own extensions as well. They’re practical and easy to use.


But they may come with a high price.

General Risks

Anyone can build a new extension and apply for listing in the official stores or distribute it themselves. That’s how cybercriminals find their victims. Extensions with hidden malware have been used to steal cryptocurrencies, hijack social media accounts, and spy on users. Malicious developers often disguise these tools as useful add-ons, making them hard to spot before they cause damage.


Even legitimate extensions have extensive permissions. They can do things like modify all websites, control their interface, or inject any code. With such intrusive permissions granted to all extensions, every one of them is, by design, spyware, although the vast majority are well-intentioned spyware. A malicious extension could log keystrokes to steal passwords, inject ads, or even swap cryptocurrency wallet addresses during transactions.


Attackers also distribute fake versions of popular extensions (there are many fake MetaMask versions, for instance), tricking users into installing software that silently exfiltrates data, or funds. Even legitimate extensions can turn dangerous if sold to a new owner who injects harmful code.


While official extension stores attempt to filter out threats, bad actors still find ways in. Some extensions have remained active for months before being discovered, affecting thousands of users. Attackers also spread malicious add-ons outside these stores, bundling them with pirated content or phishing campaigns. In the wrong hands, an extension isn't just a tool—it’s a direct gateway to financial and personal information theft.

Some Malicious Extensions

In 2023 alone, numerous malicious Chrome extensions were discovered by the cybersecurity firm Kaspersky Lab, affecting millions of users. One of the most notorious was Rilide, which targeted cryptocurrency holders by monitoring their online activity and stealing wallet credentials. It even bypassed two-factor authentication by injecting scripts that altered transaction details, redirecting funds to hackers.

This extension spread through deceptive means, including fake blockchain game installers, phishing (fake) emails, and even a misleading PowerPoint file. Another major threat was ChromeLoader, which installed persistent adware by tricking users into downloading pirated content disguised as popular games and media files. Removing it was difficult since it automatically reinstalled itself after each system reboot.


Rilide Malicious Extension being promoted on X under the guise of a blockchain game. Image by Kaspersky

Other malicious extensions focused on stealing online accounts. Fake ChatGPT plugins like "ChatGPT for Google" and "Quick access to Chat GPT" hijacked Facebook business accounts by capturing session cookies. Attackers used compromised accounts to promote their malware, ensuring continuous infections. Meanwhile, Roblox users were targeted by extensions like SearchBlox, RoFinder, and RoTracker, which stole in-game assets.


Overall, more than 87 million downloads of malicious extensions were recorded. Many disguised themselves as legitimate tools, such as PDF converters and ad blockers, tricking unsuspecting users. Despite user complaints, some of these remained in the Chrome Web Store for months until security researchers and online communities pressured Google to take action. This highlights the risks of relying solely on Chrome Web Store moderation for security.

Cyberhaven Case

People often believe that if they’re digitally robbed, it’s likely their own fault for not taking enough preventive measures or for falling for the deceptions of cybercriminals. That’s not always the case, though. Sometimes, you may have downloaded a perfectly legitimate browser extension and then discover some months later that the company behind that tool was attacked and its extension tampered with to steal data and funds. This is what happened to the users of SwitchyOmega by Cyberhaven, and also to about 2.6 million users of 32 other browser extensions available on Chrome.


List of compromised extensions during the same malicious campaign against Cyberhaven. Image by Slowmist

Cyberhaven fell victim to an attack when one of its employees was tricked by a phishing email. The message falsely claimed that the company’s browser extension violated Google’s policies and required urgent action. The employee unknowingly granted access to an OAuth application controlled by attackers, allowing them to take over Cyberhaven’s Chrome Web Store account. With this access, the attackers uploaded a malicious version of the extension, which Chrome then automatically distributed to users through its update mechanism.


The tampered extension contained code that connected to a remote server, received instructions and monitored user activity. It silently stole browser cookies and passwords, compromising sensitive data from millions of devices. The altered version remained active for 31 hours before being removed, but some of the other affected tools and their malicious versions remained undetected for months, leaving users unknowingly exposed to security risks.


The same can happen to literally any extension: its developer account is compromised, and a new, malicious version of a previously legitimate extension is pushed to its users through the browser’s convenient and fast auto-update mechanism, without users noticing.

Protect Yourself

Considering the above, we have to agree with Brave on this: “The safest way to use extensions…is to not use them at all.” However, it’s also true that there are many safe, legitimate, and convenient tools in the form of browser extensions, used by millions of users that haven’t suffered any harm. Some preventive measures are necessary, though.


  • If you don’t need that extension that much, don’t add it.
  • If you don’t use the extension all the time, disable it. Enable it only when necessary.
  • If the tool you’re about to use has another version outside browsers (an app, for instance), consider that version. Installed apps come with their own risks though.
  • Install and update security tools (antivirus, firewall, etc.) on all your devices.
  • Before downloading any kind of software, research its developers, reputation, and privacy policy. Also, check its ranking and number of downloads; you may have picked a fake version.
  • Don’t just download extensions from official stores; also check external reviews and any news about their developers on social media.
  • Always check permissions granted to every extension, and limit them as much as you can.
  • Keep an eye on your clipboard when pasting wallet addresses to catch any unexpected changes. Some extensions could act like clipper malware. With Obyte, you can skip using addresses entirely by sending funds via textcoins or attestations.
  • Strengthen account security by activating two-factor authentication (2FA). In Obyte wallets, this can be done by setting up a multidevice account in Global Settings.
  • Protect your private keys outside the digital world, and prefer out-of-browser wallets. The Obyte wallet, for instance, is available for mobile and desktop, and you can erase your wallet seed after writing it down physically.
  • Regularly check trusted sources for updates on the latest security measures and developments in the crypto space!
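
To make the "check permissions" advice concrete, here is an added example (not part of the original article) that reads extension manifest.json files, flags the permissions behind the cookie theft, clipboard swapping and code injection described above, and reports risky access that a new version gained over an old one. The function names, the sample manifests and the `<id>/<version>/manifest.json` layout under a browser profile's Extensions folder are assumptions of this sketch.

```python
import json
from pathlib import Path

# Real Chrome permission names, mapped to the abuses the article describes.
RISKY_API = {
    "cookies": "read session cookies",
    "clipboardRead": "read copied wallet addresses",
    "clipboardWrite": "replace copied wallet addresses",
    "webRequest": "observe or alter network traffic",
    "scripting": "inject code into pages",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Summarise the risky access one manifest.json declares."""
    declared = set()
    # Manifest V2 lists hosts under "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts reach pages through their "matches" patterns.
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    return {
        "version": manifest.get("version", "?"),
        "risky": sorted(declared & set(RISKY_API)),
        "all_sites": bool(declared & BROAD_HOSTS),
    }

def escalation(old, new):
    """Risky access the new version declares that the old one did not."""
    before, after = audit_manifest(old), audit_manifest(new)
    added = sorted(set(after["risky"]) - set(before["risky"]))
    if after["all_sites"] and not before["all_sites"]:
        added.append("all_sites")
    return added

def scan(extensions_dir):
    """Audit every <id>/<version>/manifest.json under an Extensions folder."""
    return {
        path.parts[-3]: audit_manifest(json.loads(path.read_text(encoding="utf-8")))
        for path in sorted(Path(extensions_dir).glob("*/*/manifest.json"))
    }

# Constructed sample: two versions of a hypothetical extension.
OLD = {"version": "1.0", "permissions": ["storage"],
       "content_scripts": [{"matches": ["https://example.com/*"]}]}
NEW = {"version": "1.1", "permissions": ["storage", "cookies", "clipboardRead"],
       "host_permissions": ["<all_urls>"]}

print(audit_manifest(NEW), escalation(OLD, NEW))
```

An update that keeps the same permissions will not show up in `escalation`, so the audit mainly tells you how much a compromised version of each extension could reach, which is the reason to remove or disable the broadest ones you do not need.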



Featured Vector Image by Freepik

