Back to articles

Crypto wallet extensions reviewed: MetaMask, Phantom & Trust Wallet security analysis

Torg Grabber targets 728 crypto wallet browser extensions. Here's how MetaMask, Phantom, and Trust Wallet hold up on security and what to watch for.

Maxim Kosterin
8 min read

If you've got real money in a browser-based crypto wallet, I want you to read this before you open it next time.

Gen Digital researchers recently published findings on Torg Grabber — a new infostealer that specifically targets 850 browser extensions, 728 of which are crypto wallets. MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Rabby, Keplr — if it stores keys in browser extension storage, it's on the list. And in December 2025, Trust Wallet's Chrome extension was compromised through a supply chain attack that drained $8.5 million, according to BleepingComputer. That wasn't theoretical. That was real money, gone.

Here's a grounded look at where these three extensions stand today.


Quick verdict

  • All three extensions are legitimate, actively maintained wallets — not malware.
  • All three are explicitly named in Torg Grabber's target list per Gen Digital's research.
  • Trust Wallet had a confirmed supply chain compromise in December 2025; the patched version (v2.69) is current as of this writing.
  • If you're holding meaningful amounts, a hardware wallet is the correct answer. Browser extensions aren't custody solutions.

What these extensions actually do

Browser crypto wallets let you interact with dApps and blockchain networks directly from your browser. No hardware device, no separate app — install MetaMask or Phantom, set up (or import) a seed phrase, and you can sign transactions directly from a Chrome tab.

The three biggest players by install count:

  • MetaMask — 30M+ installs, multi-chain, primarily Ethereum ecosystem. Developed and maintained by Consensys.
  • Phantom — 5M+ installs, Solana-first but now supports Ethereum and Bitcoin. Has published third-party security audits from Kudelski Security and OtterSec.
  • Trust Wallet — multi-chain, owned by Binance. Positioned as a mobile-first wallet with a Chrome extension option.

They all work the same way at the core: your seed phrase is encrypted and stored in the browser's extension local storage. When you sign a transaction, the extension decrypts the key locally and broadcasts the signed transaction. Your private key theoretically never leaves your device — except when it does.

Security analysis: permissions and what they expose

All three extensions request broadly similar permissions. Here's what you'll see across all of them in some combination:

  • storage — read and write extension-local key-value storage. This is where your encrypted seed phrase vault lives.
  • tabs — access to tab metadata, including which URLs you have open.
  • activeTab — access to the current tab's DOM and URL when you click the extension icon.
  • clipboardRead — read your clipboard contents. Used to paste wallet addresses.

None of these are suspicious for a wallet extension. The problem isn't the permissions themselves — it's what happens when an attacker bypasses the protections layered on top.

According to BleepingComputer, Gen Digital researchers found that Torg Grabber uses a companion tool called "Underground" to bypass Chrome's App-Bound Encryption (ABE). ABE was introduced in Chrome specifically to prevent infostealers from accessing locally stored secrets. Underground bypasses it by injecting DLLs and accessing Chrome's COM Elevation Service directly — extracting master encryption keys in the process.

Gen Digital documented 334 unique Torg Grabber samples compiled between December 2025 and February 2026. This is commodity tooling now, not a one-off. The infostealer is delivered via ClickFix clipboard hijacking — users are tricked into running malicious PowerShell commands, which then deploy the grabber.

You can see which permissions each wallet requests on Extenshi's catalog.

The Trust Wallet supply chain incident

This deserves its own section because it's the starkest illustration of how extension security can collapse from outside the extension itself.

In December 2025, Trust Wallet's Chrome extension was compromised as part of the Shai-Hulud 2.0 npm supply chain attack. According to BleepingComputer — which reported Trust Wallet's own post-incident statement — attackers compromised Trust Wallet's GitHub secrets and Chrome Web Store API key through a poisoned npm dependency. They then pushed a malicious extension update (v2.68) on December 24, 2025.

The backdoor triggered on every wallet unlock, not just during seed phrase import. It looped through every wallet in the user's account and silently exfiltrated seed phrases, disguising the data as telemetry. BleepingComputer reports that approximately $8.5 million was drained from roughly 2,520 wallet addresses.

Trust Wallet patched the extension (v2.69) and initiated a reimbursement review process for affected users. The current version of the extension does not contain the backdoor.

The attack chain here is worth memorizing: compromised npm package → exposed GitHub secrets → stolen Chrome Web Store API key → malicious update pushed silently to one million users. Nobody installed anything suspicious. Trust Wallet users just unlocked their wallet one morning.

That's the supply chain risk in action. It has nothing to do with Trust Wallet's extension code quality and everything to do with the build pipeline around it.

How MetaMask and Phantom compare

MetaMask hasn't had a comparable incident. Consensys has dedicated security resources and the extension has a long audit history. The clipboardRead permission is worth noting — MetaMask uses it for address pasting, and clipboard hijacking (where malware swaps your copied address for an attacker's address) is a common attack vector. Keep that in mind when you're copying wallet addresses on unfamiliar sites.

Phantom's track record is similarly clean. The published audits from Kudelski Security and OtterSec are public and worth reading if you're technically inclined. Phantom's permissions footprint is conservative by default. Its privacy policy does allow sharing "aggregated usage data" with third parties — standard for a consumer wallet, but worth knowing if you're privacy-sensitive.

Both MetaMask and Phantom are explicitly named in Torg Grabber's target extension list. That's not a criticism — it means attackers consider them high-value targets, which makes sense given the direct financial exposure of crypto wallets. It does mean your security posture needs to account for host-level threats, not just extension-level ones.

Check the full security report for each extension on Extenshi's catalog:

Privacy considerations

MetaMask — requests tabs and activeTab, so it can see which URLs you have open while using the extension. Telemetry (MetaMetrics) is opt-in since 2021, but the default state at setup prompts you to enable it. If you said yes during setup and haven't checked since, verify your settings in MetaMask → Settings → Security & Privacy.

Phantom — similar permissions profile. Aggregated usage analytics are collected by default. The opt-out is in Settings → Privacy. The data goes to Phantom's own analytics infrastructure, not third-party data brokers based on the current privacy policy.

Trust Wallet — the permissions profile for the current extension version (v2.69) is standard. Trust Wallet is a Binance product, which carries its own entity-level considerations for users in jurisdictions with Binance-related regulatory scrutiny. That's context, not a security finding.

Alternatives worth considering

If the browser-extension risk model concerns you, these are the realistic alternatives:

Hardware wallets (Ledger, Trezor) — Your private key never touches your computer. Signing happens on the physical device. MetaMask and Phantom both support hardware wallet connections via WalletConnect or direct USB. This eliminates the local storage risk entirely. The trade-off is a physical device to manage and protect.

Frame — An open-source system-level wallet that runs as a native desktop app rather than a browser extension. It connects to dApps via WalletConnect. Keeps signing completely outside the browser extension sandbox. Smaller ecosystem than MetaMask but a cleaner security boundary.

Rabby — A MetaMask alternative with transaction simulation — you see what a transaction will actually execute before you sign it. It's also targeted by Torg Grabber (it's a browser extension), but the transaction preview feature is genuinely useful for catching phishing transactions. Good option if you want to stay in-browser but want a better UX around signing.

Final recommendation

For small amounts and routine dApp interaction: MetaMask and Phantom are fine. Keep them updated, don't run sketchy software on the same machine, and pay attention to the ClickFix social engineering pattern (unexpected prompts asking you to paste something into a terminal or run a script are a big red flag).

For Trust Wallet specifically — the December 2025 incident is patched. Trust Wallet confirmed the fix and a reimbursement process for affected users. If you were on an auto-update, you got v2.69 without doing anything. That said, if you were on v2.68 and held significant value, I'd consider rotating seed phrases regardless.

For anyone holding meaningful value in a browser wallet: move it to a hardware wallet. This isn't about any specific extension being bad — it's about the risk profile of browser extension storage under an active infostealer ecosystem that has 728 crypto wallets on its target list and commodity ABE bypass tooling available.

See full security reports for crypto wallet extensions →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles