A new wave of critical vulnerabilities has been discovered in several popular browser-based cryptocurrency wallets, exposing millions of users to the risk of having their funds silently drained.
Security researchers have identified flaws in wallets like Stellar Freighter, Frontier Wallet, and Coin98 that allow attackers to steal funds or recovery phrases without any phishing, social engineering, or user approval, even if the wallet is locked or the user never clicks “Connect Wallet”.
The attack can be triggered simply by visiting a malicious website.
Once exploited, attackers can silently access the wallet’s secret recovery phrase or directly initiate fund transfers, making the breach difficult to detect and trace.
According to the report by Coinspect, these vulnerabilities highlight a growing threat as new wallets enter the ecosystem without relying on well-tested, open-source codebases.

How the Attacks Work: Exploiting Wallet Architecture
Browser wallets typically operate by injecting code into each browser tab, establishing a communication channel between the wallet and decentralized applications (dApps).
This architecture, while convenient, can introduce risks if not carefully managed.
In the case of Stellar Freighter, a design flaw allowed attackers to confuse internal message handlers, enabling them to trigger sensitive functions like displaying the secret recovery phrase directly from a malicious site.
Frontier Wallet suffered from a similar issue. Its Provider API exposed internal methods that could return the encrypted secret recovery phrase, even when the wallet was locked.
This allowed attackers to quietly obtain the encrypted phrase and attempt offline brute-force attacks or use targeted phishing to steal the password.
Coin98 Wallet’s vulnerability stemmed from its internal messaging system.
Attackers could send specially crafted messages that mimicked legitimate user actions, allowing them to unlock the wallet and sign transactions without any user interaction, resulting in immediate fund drains.
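The failure class described above is a handler that cannot tell a web page's message from one sent by the wallet's own UI. The sketch below is an added example, not code from Coinspect's report or from any of the wallets named; the extension ID, method names and wallet state are hypothetical, and the sender object is assumed to have the shape a browser passes to an extension message listener.

```javascript
// Added illustration; every identifier here is hypothetical.
const EXTENSION_PREFIX = "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"; // constructed ID
const PAGE_METHODS = new Set(["getPublicKey", "requestSignature"]); // reachable from any tab
const UI_METHODS = new Set(["showRecoveryPhrase", "approveSignature"]); // wallet UI only

// Decide the channel from browser-supplied sender metadata, never from
// fields inside the message body, which a web page fully controls.
function callerOf(sender) {
  const url = typeof sender?.url === "string" ? sender.url : "";
  if (url.startsWith(EXTENSION_PREFIX)) return { channel: "ui", origin: "wallet-ui" };
  let origin = "unknown";
  try { origin = new URL(url).origin; } catch { /* missing or malformed URL */ }
  return { channel: "page", origin };
}

function routeMessage(msg, sender, wallet) {
  const { channel, origin } = callerOf(sender);
  const method = typeof msg?.method === "string" ? msg.method : "";
  const allowed = channel === "ui" ? UI_METHODS : PAGE_METHODS;
  if (!allowed.has(method)) return { ok: false, error: "method_not_exposed" };
  // A locked wallet answers nothing on either channel (unlock flow omitted here).
  if (wallet.locked) return { ok: false, error: "wallet_locked" };
  switch (method) {
    case "getPublicKey":
      return { ok: true, result: wallet.publicKey };
    case "requestSignature":
      // A page can only queue a request; signing needs approval from the UI channel.
      wallet.pending.push({ origin, payload: msg.payload });
      return { ok: true, result: "pending_user_approval" };
    case "showRecoveryPhrase":
      return { ok: true, result: wallet.phrase };
    case "approveSignature": {
      const req = wallet.pending.shift(); // stand-in for real signing
      return req ? { ok: true, result: "signed:" + req.origin }
                 : { ok: false, error: "nothing_pending" };
    }
  }
}

// Constructed sample state and senders (not captured from any real wallet).
function newWallet(locked) {
  return { locked, publicKey: "PUBKEY-PLACEHOLDER", phrase: "constructed placeholder phrase", pending: [] };
}
const PAGE = { url: "https://untrusted.example/index.html" };
const UI = { url: EXTENSION_PREFIX + "popup.html" };
```

A message from `PAGE` that names a UI-only method, or that carries a spoofed `channel: "ui"` field in its body, is rejected because the channel is derived only from the sender URL.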
Security Implications and How to Stay Safe
These vulnerabilities are particularly dangerous because they require no user interaction—no clicks, no approvals, not even a connection to a dApp.
The attacks can occur silently in the background, with users completely unaware until their funds are gone.
Even more concerning, attackers can delay exploitation, waiting until the wallet is funded before stealing assets, making the breach even harder to correlate and investigate.
Wallet vendors must prioritize robust security measures, including strict separation of internal communication channels and rigorous code audits.
Users are advised to keep wallets updated, use wallets with strong security reputations, and remain cautious about visiting unfamiliar sites, even if they never interact with their wallet on those sites.
Risk Factor Table
Risk Factor | Description | Impact Level |
---|---|---|
Pre-Connection Exploitation | Attackers can wait for the wallet to be funded before draining assets | Critical |
Silent Secret Phrase Exposure | Attackers can steal recovery phrases without user knowledge | Critical |
No User Interaction Required | Exploits require no clicks, approvals, or wallet unlocks | High |
Delayed Exploitation Possibility | Attackers can wait for wallet to be funded before draining assets | High |
Direct Transaction Authorization | Attackers can initiate transactions as if they were the user | Critical |
Encrypted Phrase Brute-Force Attack | Stolen encrypted phrases can be brute-forced offline | Medium |
Poor Separation of Message Channels | Flawed architecture allows confusion between UI and API messages | High |
These findings underscore the urgent need for both wallet developers and users to remain vigilant as the Web3 ecosystem rapidly evolves.