Fake Browser Extension Cases of 2026: How Chrome Store Phishing Extensions Beat You and the Review Process
A phishing site, however well-cloned, eventually has the wrong URL; a browser extension once installed has full DOM authority and does not need a fake URL — it sits right next to your real MetaMask and may even replace its popup. Through 2025 and 2026 multiple impostor extensions of major wallets and security tools made it onto the Chrome Web Store, with one single case draining 7.2M USD from a Solana whale. This post unpacks three representative cases — the attack vectors, the tricks that beat Chrome’s review, the discovery paths — and ends with a checklist you can use to vet any future extension.

Case one: Fake MetaMask climbing to the top via “Sponsored Listing”
In February 2026 an extension named “MetaMask Wallet 2026 Edition” used Chrome Web Store paid placement to sit in the number two slot for the search “metamask”. Its icon and description were nearly identical to the official one, and installs hit 40k in 48 hours.
Its attack had three stages:
- Clone official source + inject malicious snippet: 95% of the codebase was the genuine MetaMask source (open-source), all standard features intact, with a hidden payload in the `onApprove` hook that exfiltrated the user’s private key and seed phrase to an attacker-controlled server.
- Delayed activation: the payload did not fire on install. It waited until the user had completed five signatures, slipping past the dynamic-test window of review.
- Staged sweep: with seeds in hand, the attacker transferred assets in waves over 24-72 hours to evade real-time on-chain monitoring.
The trick that beat Chrome’s review: the store relies mostly on static scanning plus partial dynamic testing, and the five-signature threshold simply sat above the review test window. Discovery came from a victim documenting the timeline on Twitter, picked up by Wintermute’s security researchers. Final losses about 3.8M USD; the extension was delisted and some funds traced.
Case two: Fake Phantom targeting Solana memecoin traders
After Solana’s late-2024 memecoin frenzy, Phantom’s user base skewed heavily towards newcomers, which made it a natural target. January 2026 surfaced “Phantom Pro”, purpose-built for Solana users:
- The extension UI was indistinguishable from the official one, but RPC calls were silently routed through an attacker-controlled relay.
- For every transaction, the extension modified the recipient address right before signing — replacing the address the user pasted with the attacker’s wallet, while still displaying the original on the popup.
- Most Solana memecoin traders copy addresses from Telegram groups and never re-verify on a block explorer.
This man-in-the-middle pattern is brutal because the victim never sees the swap — only discovers it when the intended recipient says “I never got the funds”. The single largest loss: a Solana memecoin whale, one BONK transfer of 7.2M USD landing in the attacker’s wallet.
Discovery: an independent researcher unpacked the extension and read its manifest.json, noticed it requested `<all_urls>` permissions — the official Phantom does not need it — and reported it to Chrome. The extension was delisted within 12 hours.
The guide to catching Solana memecoins noted that Solana retail demographics skew newcomer-heavy; this case confirms it from a security angle.
Case three: Fake “security scanner” weaponising user vigilance
The most ironic class — malicious extensions disguised as wallet security tools. “Wallet Guardian Pro”, surfaced in November 2025, branded itself as a Web3 security audit extension that could scan balances, detect suspicious approvals, and warn about phishing sites.
Its attack logic:
- On install it asked for “wallet balance read” permissions, which looked reasonable.
- For days it behaved correctly, surfacing real public approval data.
- When the user visited a legitimate NFT market like OpenSea or Blur, it injected a fake “high-risk approval detected” popup claiming the wallet had a malicious approval that needed an instant one-click “repair”.
- The “repair” button triggered a real MetaMask signature whose payload was a `setApprovalForAll` to the attacker.
- Users trusted the “security extension” enough to sign immediately; all NFTs gone.
This case operated at the psychological layer — it first built trust and then weaponised the trust. The victim pool skewed towards security-aware users, who would normally pause at unexpected popups. Roughly 950k USD of NFTs lost.
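Both the Phantom Pro swap (recipient rewritten after the popup renders) and the Wallet Guardian “repair” (a `setApprovalForAll` dressed up as a fix) share one failure: nothing re-checks the request that reaches the signer against what the user meant to do. The guard below is an added example, not code from the post or from any wallet; it compares a captured intent with the actual transaction and decodes the two approval calls by their well-known 4-byte selectors. Function names, the `intent` shape and all addresses and transactions are constructed for illustration.

```javascript
// Added example (not from the post or any wallet's code): a pre-signing guard
// that re-checks a transaction against what the user meant to do. Covers the
// two swaps described above: a rewritten recipient (case two) and a
// setApprovalForAll "repair" (case three). Selectors are the well-known
// 4-byte values; addresses and transactions below are constructed samples.

const MAX_UINT256 = (1n << 256n) - 1n;

// First 4 bytes of keccak256(signature), as wallets and explorers show them.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator grant
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20 / ERC-721 single approval
};

// A 32-byte ABI word holding an address: the low 20 bytes are the address.
function wordToAddress(word) {
  return "0x" + word.slice(24).toLowerCase();
}

// Decode only the calls this guard cares about; anything else returns null.
function decodeCalldata(data) {
  if (typeof data !== "string" || data.length < 10 + 128) return null;
  const selector = data.slice(0, 10).toLowerCase();
  const name = SELECTORS[selector];
  if (!name) return null;
  const args = data.slice(10);
  const word = (i) => args.slice(i * 64, (i + 1) * 64);
  if (selector === "0xa22cb465") {
    return { name, operator: wordToAddress(word(0)), approved: BigInt("0x" + word(1)) === 1n };
  }
  return { name, spender: wordToAddress(word(0)), amount: BigInt("0x" + word(1)) };
}

// intent: what the user believes they are doing, captured from their own input
// (the recipient they pasted, whether they deliberately asked for an approval).
// tx: the request the extension actually hands to the signer.
function auditTransaction(intent, tx) {
  const findings = [];
  if (intent.recipient && tx.to.toLowerCase() !== intent.recipient.toLowerCase()) {
    findings.push(`recipient mismatch: intended ${intent.recipient}, tx.to is ${tx.to}`);
  }
  const call = decodeCalldata(tx.data);
  if (call && !intent.expectsApproval) {
    if (call.name.startsWith("setApprovalForAll") && call.approved) {
      findings.push(`setApprovalForAll hands every token in ${tx.to} to operator ${call.operator}`);
    }
    if (call.name.startsWith("approve") && call.amount === MAX_UINT256) {
      findings.push(`unlimited approve to spender ${call.spender}`);
    }
  }
  return findings;
}

// Constructed samples (placeholder addresses, not real accounts).
const USER_RECIPIENT = "0x" + "a".repeat(40);
const ATTACKER = "0x" + "b".repeat(40);
const NFT_CONTRACT = "0x" + "c".repeat(40);
const abiWord = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

// Case two pattern: the user pasted USER_RECIPIENT, the extension sends to ATTACKER.
const SWAPPED_TRANSFER = { to: ATTACKER, value: "1000000000000000000", data: "0x" };
// Case three pattern: the "repair" button produces setApprovalForAll(ATTACKER, true).
const FAKE_REPAIR = { to: NFT_CONTRACT, value: "0", data: "0xa22cb465" + abiWord(ATTACKER) + abiWord("0x1") };

console.log(auditTransaction({ recipient: USER_RECIPIENT }, SWAPPED_TRANSFER));
console.log(auditTransaction({ expectsApproval: false }, FAKE_REPAIR));
```

The design point is where the intent comes from: it must be captured from the user’s own input (the address they pasted, the action they chose) before the extension’s UI code touches it, and the check must run on the bytes the signer receives, not on what the popup displays. A hardware wallet that shows the decoded `to` and calldata on its own screen is the same check done on a display the extension cannot rewrite.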
| Case | Attack type | Trigger | Loss size | Detection source |
|---|---|---|---|---|
| Fake MetaMask | Seed-phrase exfiltration | After 5 signatures | ~3.8M USD | Twitter user log |
| Fake Phantom | RPC man-in-the-middle | Any transaction | ~7.2M USD | Static decompile |
| Fake Wallet Guardian | Trust reversal | Visit NFT market | ~0.95M USD | Community report |
Why Chrome Web Store cannot stop this
Chrome Web Store is not idle, but three structural issues remain:
- Sponsored slots mingle with organic results, blurring the line between paid and verified.
- Static scanning is incomplete: delayed activation and remote code loading (some extensions `eval` a remote payload) routinely sneak past.
- Delisting is slow: 24-72 hours on average from report to removal, which is plenty of runway for the attacker.
Mozilla Firefox’s review is stricter but the user base is small, so attackers prioritise Chrome. The same “attackers follow the users” logic appears in the hardware wallet supply-chain risk writeup.
A checklist for vetting any extension
Run any Web3-related extension through this before installing:
- [ ] Reach the Chrome Web Store page via a link from the project’s official website, not from Google search results.
- [ ] Developer name exactly matches the project’s official identity — watch case, spacing, special characters.
- [ ] Ratings look organic — review timestamps cluster naturally, not in a 24h burst.
- [ ] Permissions match function — a wallet extension asking for `<all_urls>` is a red flag.
- [ ] Install count matches project fame — a “MetaMask Enhanced” with 40k installs is almost certainly fake.
- [ ] Open source on GitHub with recent commits.
- [ ] After install, test for a week on a burner wallet before touching the main one.
- [ ] Audit installed extensions periodically; remove anything unused.
- [ ] Never trust a “one-click fix” feature from an extension.
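The permissions and lookalike-name items above, and the `<all_urls>` finding that exposed Phantom Pro, can be turned into a script that reads an extension’s manifest.json before you install it. The code below is an added example, not from the post, Google or any wallet project: the baseline lists, the brand list, the function names and both sample manifests are constructed for illustration.

```javascript
// Added example (not from the post, Google, or any wallet project): a manifest
// audit for the checklist items above. Baseline lists, the brand list, function
// names and both sample manifests are constructed for illustration.

// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Permissions a wallet or "security" extension rarely needs; each one widens what a
// malicious update can do. Constructed list, not Chrome's own risk ranking.
const SENSITIVE_PERMS = new Set(["scripting", "webRequest", "webRequestBlocking",
  "debugger", "nativeMessaging", "cookies", "proxy", "declarativeNetRequest"]);
// Brands the cases in this post imitate.
const WALLET_BRANDS = ["MetaMask", "Phantom"];

function auditManifest(manifest) {
  const findings = [];
  const permissions = manifest.permissions || [];
  // Host patterns can live in host_permissions (MV3), permissions (MV2) or content script matches.
  const hosts = new Set([
    ...(manifest.host_permissions || []),
    ...permissions,
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ]);
  for (const h of hosts) if (BROAD_HOSTS.has(h)) findings.push(`broad host access: ${h}`);
  for (const p of permissions) if (SENSITIVE_PERMS.has(p)) findings.push(`sensitive permission: ${p}`);
  // Remote code: a CSP that permits eval or remote script sources is how a package
  // that looked clean at review can fetch its real payload later.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  if (/unsafe-eval|https?:\/\//.test(cspText)) findings.push(`CSP permits remote or eval script: ${cspText}`);
  // Lookalike name: contains a brand but is not the brand itself.
  const name = manifest.name || "";
  for (const brand of WALLET_BRANDS) {
    if (name !== brand && name.toLowerCase().includes(brand.toLowerCase())) {
      findings.push(`name "${name}" trades on "${brand}"; verify the developer identity`);
    }
  }
  return findings;
}

// Constructed sample manifests: a lookalike built along the lines of case one,
// and a tightly scoped one for contrast (wallet.example is a placeholder host).
const LOOKALIKE_MANIFEST = {
  manifest_version: 3,
  name: "MetaMask Wallet 2026 Edition",
  permissions: ["storage", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
const TIGHT_MANIFEST = {
  manifest_version: 3,
  name: "Example Wallet",
  permissions: ["storage"],
  host_permissions: ["https://wallet.example/*"],
  content_scripts: [{ matches: ["https://wallet.example/*"], js: ["provider.js"] }],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

console.log(auditManifest(LOOKALIKE_MANIFEST));
console.log(auditManifest(TIGHT_MANIFEST)); // []
```

To run it against a real listing, download the extension package (a CRX is a zip with a header), unzip it and pass the parsed manifest.json to `auditManifest`. A finding is a prompt to compare against the project’s official listing and source, not proof of malice: some legitimate wallets do inject a provider broadly, which is exactly why the comparison with the official manifest matters.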
The MetaMask phishing defence writeup carries the same “watch the permissions” principle and pairs well as cross-reading.
Extension-layer defence is independent of wallet-layer defence
Many people pin their hopes on the wallet — “I use a hardware wallet so I’m safe”. But the extension attack lands before the hardware signs: an extension can rewrite what you see, rewrite what you click, rewrite what you think you are signing. A hardware wallet then dutifully signs the modified data. By 2026 Web3 security is not just wallet security — extension hygiene has graduated into its own layer: periodic cleanup, disciplined installs, mainstream-only, minimum count. Treat it with the same seriousness as “don’t click strange links” and you will actually protect funds, instead of performing the appearance of protecting them.