Fake crypto wallet browser extensions: how to spot the ones that steal your crypto
A wave of malicious browser extensions impersonates MetaMask, Phantom, Trust Wallet, and others. They copy the name, icon, and screenshots, then steal your seed phrase or swap your transactions. Here is how to verify the real one before you install.
Is this wallet extension safe?
Start from the answer and work backwards. A wallet extension is safe only if you installed it from the wallet's own website, using the store link the wallet itself provides. That is the whole test. A perfectly matching name, the exact fox or ghost icon, the real screenshots, even a five-star rating, prove nothing, because every one of those can be copied or faked. The scam works precisely because the fake looks identical to the real thing in the store. So the question "is this wallet extension safe" is really the question "how did I get to this listing", and the only good answer is "from a link on the official site". If you found it through the store search bar, a Google ad, a YouTube description, or a message from someone, treat it as unverified until you re-check it through the official site.
The GreedyBear wave: 150 fake wallet extensions
This is not a theoretical risk. In August 2025, security firm Koi Security documented a campaign it named GreedyBear, in which roughly 150 malicious extensions were published to the Firefox add-on store impersonating well-known crypto wallets. BleepingComputer reported the wave was tied to an estimated one million dollars in stolen crypto. The impersonated wallets included MetaMask, TronLink, Rabby, Exodus, and others, with researchers noting names borrowed from across the major-wallet landscape.
The clever part was how the fakes got past review. Koi Security described a technique where extensions are first uploaded in a harmless form so they pass the store's checks, then accumulate positive (often fake) reviews to look trustworthy. Only later do the operators strip out the original branding, swap in a wallet's name and logo, and inject the malicious code that harvests credentials. By the time the extension is dangerous, it already has a clean-looking history and a wall of reviews. Koi Security also reported signs the same operators were probing the Chrome Web Store, spotting a malicious "Filecoin Wallet" Chrome extension that reused the same data-theft logic and reported back to the same server.
The lesson is uncomfortable but simple: the store's own listing is not proof of safety. Review counts can be padded, publisher names can be impersonated, and a benign-looking extension can turn malicious after you install it. Your trust has to be anchored somewhere the attacker cannot easily forge, which is the wallet's official website.
How a fake wallet extension actually drains you
A malicious wallet extension does not need a single zero-day to empty your account. It just needs you to install it and use it normally. There are three common mechanisms, sometimes combined.
- Seed phrase or private key theft. The fake wallet's onboarding looks exactly like the real one, and when it asks you to "import" or "restore" your wallet by entering your 12 or 24-word recovery phrase, every word you type is streamed straight to the attacker. From that phrase they derive every address on every chain and sweep the funds. This is the most direct and most common method.
- Address swapping on copy and paste. Some malicious extensions sit quietly and watch your clipboard. When you copy a wallet address to send funds, the extension silently replaces it with the attacker's address before you paste. You see a long string that looks right, hit send, and the money goes to the thief. People rarely verify all 42 characters of an address.
- Malicious transaction injection. A fake or trojanized wallet can modify the transactions and approvals it presents for signing, so the prompt you approve is not the one you intended. A "connect" or "claim" turns into a token approval that hands the attacker spending rights, the same mechanic behind Permit2 signature attacks.
Whichever method is used, the outcome is the same: funds leave addresses you control and do not come back. For the full picture of how a stolen key turns into an empty wallet, see our 2026 wallet-drainer guide.
How to verify a real wallet extension before you install
The good news is that verification is fast once you make it a habit. Do these in order, every time.
- Start at the official website, not the store. Type the wallet's real domain into your address bar yourself: metamask.io, phantom.com/download, trustwallet.com, coinbase.com/wallet, exodus.com, okx.com, or keplr.app. Then click the official "Download" or "Add to browser" link the site gives you. That link points to the genuine store listing.
- Never install from a search ad. Scammers buy ads for "metamask download" and "phantom wallet" that sit above the real result and point to a lookalike. The top of a search page is the most dangerous place to click for crypto software.
- Never install from a DM, email, or video description. "Here is the wallet I use, grab it here" is a classic delivery for a fake. Verify independently through the official site instead.
- Check the publisher and review count on the listing. Once you reach the listing, confirm the publisher name matches the company and the review count and history look genuine, not a brand-new extension with a handful of glowing reviews. This is a secondary check, not a replacement for arriving via the official link.
- Watch for "verify", "validate", "sync", or "connect to activate" steps. A real wallet sets up by generating or restoring a seed on your own machine. It does not route you through a web "verification" flow to "activate" the extension.
Phantom states this plainly in its own guidance, telling users to install Phantom only from phantom.com/download or the official app stores, because counterfeit versions appear in browser and app stores and can steal funds.
The one rule that kills every version of this scam
However the fake is delivered (a fake store extension, a cloned download page, a fake "wallet update" popup), every path ends at the same place: a screen asking for your recovery phrase or private key. So memorize the rule that defeats all of them. A real wallet never asks you to type your recovery phrase into a website or a separate popup. Your seed is entered only inside the wallet itself, during first setup or when you deliberately restore. It is never typed into a browser tab you reached from a link, never into a "verify your wallet" form, never into a support chat, never into an "update required" prompt.
This is exactly the same rule that defeats hardware-wallet phishing like the fake Ledger email scam and the fake Trezor seed-phrase scam. The brand and the delivery method change. The kill shot never does. The instant anything asks you to type your 12 or 24 words anywhere other than the wallet's own setup screen, you are being robbed.
The fake download pages and lookalike sites that push these extensions
Fake extensions do not live only in the store. A large share of them are distributed through lookalike wallet websites and fake download pages, the link layer that the seed-stealing extension sits behind. These pages clone the real wallet's homepage, show a big "Download for Chrome" button, and hand you either a malicious extension or a malicious installer. The giveaway is always the domain: the page looks like MetaMask or Phantom, but the address bar shows something like metamask-wallet-verify[.]app, phantom-extension-download[.]com, or trustwallet-connect[.]net. None of those are the real domain. They are built to read as "the wallet" at a glance to someone in a hurry.
The same operators also run fake "connect your wallet", "restore", and "wallet verification" pages that the fake extension or a phishing message funnels you toward. These are the surfaces a link-and-page scanner can actually catch. If a page carries a wallet brand but sits on a domain that is not the wallet's official one, that is a hard signal something is wrong, no matter how perfect the design looks.
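The brand-on-the-wrong-domain signal described above can be expressed as a small check. This is an added example, not SafeBrowz's code or any wallet's: the official domains are the ones listed in this article, while the function names, verdict labels, and substring matching are assumptions made for illustration.

```javascript
// Added example. Official domains come from this article; the brand tokens
// and verdict names are illustrative assumptions, not a product's rule set.
const OFFICIAL = {
  metamask: "metamask.io",
  phantom: "phantom.com",
  trustwallet: "trustwallet.com",
  coinbase: "coinbase.com",
  exodus: "exodus.com",
  okx: "okx.com",
  keplr: "keplr.app",
};

// True when host is the official domain itself or one of its subdomains.
function onDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function checkWalletLink(input) {
  // Accept defanged indicators (example[.]com) and bare hostnames.
  let text = input.trim().replace(/\[\.\]/g, ".");
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(text)) text = "https://" + text;
  let host;
  try {
    host = new URL(text).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return { verdict: "invalid", host: null, brand: null };
  }
  for (const [brand, domain] of Object.entries(OFFICIAL)) {
    if (onDomain(host, domain)) return { verdict: "official", host, brand };
  }
  // URL() stores non-ASCII hostnames as punycode, so an xn-- label marks an
  // internationalized name that may be a homograph; route it to manual review.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "idn-review", host, brand: null };
  }
  // Drop hyphens so "trust-wallet" and "trustwallet" both match. Substring
  // matching is deliberately broad; short tokens such as "okx" will over-match.
  const squashed = host.replace(/-/g, "");
  for (const brand of Object.keys(OFFICIAL)) {
    if (squashed.includes(brand)) return { verdict: "lookalike", host, brand };
  }
  return { verdict: "unknown", host, brand: null };
}

// Constructed sample: two defanged lookalikes quoted above plus one official link.
for (const link of ["metamask-wallet-verify[.]app", "trustwallet-connect[.]net", "https://phantom.com/download"]) {
  console.log(link, "->", checkWalletLink(link).verdict);
}
```

A "lookalike" verdict means only that a wallet name appears on a domain the wallet does not own; an "unknown" verdict is not a clean bill of health.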
What to do if you already installed a fake wallet extension
If you typed your seed into a fake extension or a fake wallet page, assume the worst and move fast. Drainers are automated and your funds may already be moving.
- Move everything to a fresh wallet immediately. From a different, clean device, create a brand new wallet with a brand new seed and send all assets out of the exposed addresses, highest-value chain first. Race the drainer.
- Remove the malicious extension and scan for malware. Uninstall it from the browser, then run a reputable malware scan in case it dropped anything further. Do not reuse the exposed seed for anything, ever.
- Check every chain, not just one. A seed controls Bitcoin, Ethereum, Solana, Polygon, Arbitrum, Optimism, Base, BNB Chain, and any Layer 2 you have touched. A wallet that looks empty on one explorer may still hold funds elsewhere. Our seed phrase stolen rescue guide walks through tracing and reporting.
- Report it. Report the extension to the browser store so it can be removed, then file with the FTC at reportfraud.ftc.gov and the FBI at ic3.gov (US). Be honest about the odds: once a seed is exposed, funds are usually unrecoverable, which is why getting the install right the first time matters more than any rescue step.
Staying safe with wallet extensions going forward
Because crypto is a permanent target, the fakes will keep coming. Your defense has to be a habit, not a hope.
- Bookmark each wallet's real site and install only from there. Muscle memory beats vigilance. Use the bookmark, click the official store link, ignore search ads.
- Your seed lives only inside the wallet. Treat any on-screen request to type it, anywhere else, as proof of a scam, no matter how official the page looks.
- Verify addresses before sending. Check the first and last several characters of a pasted address, and ideally compare the full string, to defeat clipboard-swapping extensions.
- Keep your browser extensions lean. Audit what you have installed and remove anything you do not recognize or no longer use. A trojanized extension you forgot about is still a risk.
- Install a browser-level phishing shield. SafeBrowz checks every page against 550+ known-impersonated brands, including major crypto wallets, plus AI content analysis in 100+ languages that catches new fake wallet download and "verify" pages before they reach static blocklists. We also cover the fake-CAPTCHA delivery trick in our ClickFix protection guide.
FAQ
Is this wallet extension safe?
Only if you installed it from the wallet's official website link to the store. A matching name, icon, and screenshots prove nothing, because scammers copy all three. Verify by going to the official site first, such as metamask.io, phantom.com/download, trustwallet.com, or coinbase.com/wallet, and using the store link there. Then check the publisher name and review count on the listing. Never install a wallet extension from a search ad or a link in a DM or email.
How do I spot a fake MetaMask extension?
A fake MetaMask extension copies the name, fox icon, and screenshots exactly, so looks alone will not save you. Check three things: the publisher listed on the store, the review count and age (fakes are usually new with few or padded reviews), and how you got there. The only safe path is to start at metamask.io and click its official store link. If a popup or page ever asks you to type your 12-word Secret Recovery Phrase into a website, it is fake. The real MetaMask only takes your phrase inside the extension during setup or restore.
Can a malicious wallet extension steal my crypto?
Yes. A malicious wallet extension can capture the recovery seed or private key you type into it, silently swap a copied wallet address with the attacker's address when you paste, or inject a malicious transaction for you to approve. Any of these drains your funds. In the GreedyBear campaign documented by Koi Security and reported by BleepingComputer in August 2025, about 150 malicious Firefox extensions impersonating wallets like MetaMask, TronLink, Rabby, and Exodus were tied to roughly one million dollars in stolen crypto.
Where should I download a crypto wallet extension from?
Always start at the wallet's official website and use the store link it provides, never the store search bar directly and never a link someone sends you. Official sources are metamask.io, phantom.com/download, trustwallet.com, coinbase.com/wallet, exodus.com, okx.com, and keplr.app. Phantom, for example, publicly tells users to install only from phantom.com/download. Search ads and store search results can surface a convincing fake at the top.
Does a real wallet extension ever ask for my seed phrase on a website?
No. A real wallet never asks you to type your 12 or 24-word recovery phrase into a website or a separate popup. The phrase is entered only inside the wallet itself, during setup or restore. Any web page, pasted form, or update prompt that asks for your recovery phrase or private key is a drainer, every single time. If you see that request, close the tab and do not type anything.
I installed a fake wallet extension. What should I do?
Assume any wallet whose seed or private key touched that extension is compromised. From a different, clean device with a brand new wallet and a fresh seed, move every asset on every chain out of the exposed addresses as fast as you can. Then remove the malicious extension, run a malware scan, and report it to the browser store and to the FTC at reportfraud.ftc.gov and the FBI at ic3.gov. Once a seed is exposed, funds are usually unrecoverable, so racing the drainer is your only chance.
For a broader framework on spotting fake websites across any brand, see our guide on how to tell if a website is a scam, our explainer on the pig butchering crypto scam, and our roundup of the best anti-scam browser extensions 2026 if you are choosing a wallet-protection layer.
How SafeBrowz blocks this threat
SafeBrowz scans links and pages, not extension binaries. So it cannot inspect what a wallet add-on does once installed, and it would not pretend to. What it does catch is the link layer this scam runs on: the fake download pages, lookalike wallet sites, and "verify your wallet / connect / restore" pages that distribute and feed these fake extensions. SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. A wallet brand on a non-official domain, such as a metamask or phantom lookalike download page, is flagged instantly.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains.
- Layer 3 - AI deep scan (Premium): AI content analysis via our proxy, in 100+ languages, catches novel fake wallet download and seed-entry pages in seconds, before they reach static blocklists.
You verify the extension itself through the official store. SafeBrowz catches the malicious link and page layer that gets you there in the first place. Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
Block fake wallet download and seed-entry pages before you can click them
SafeBrowz is a free browser extension that catches fake MetaMask, Phantom, Trust Wallet, Ledger, and 550+ other impersonated brands in real time. AI content analysis in 100+ languages identifies new fake wallet pages the moment they launch, not months later when they hit public blocklists. Premium adds wallet drainer JavaScript detection for $14.99 per year. The core protection is free forever.