
Auditing Browser Extensions That Touch Your Crypto: A Practical Toolkit After ShieldGuard and Coruna
In the past two weeks, two separate campaigns reminded us that your wallet's biggest attack surface isn't the smart contract — it's the browser extension sitting three pixels away from your seed phrase. ShieldGuard, dismantled by Okta Threat Intelligence in March 2026, posed as a wallet-protection extension while silently harvesting addresses, scraping full HTML from Binance, Coinbase, and MetaMask post-login, and executing remote code via a C2 server. It bypassed Chrome's Manifest V3 restrictions using a custom JavaScript interpreter inside a closed Shadow DOM. Meanwhile, Google's Threat Intelligence Group disclosed Coruna (aka CryptoWaters), an iOS exploit kit that lures users to fake exchange frontends to extract wallet seed phrases — but its distribution chain relied heavily on malicious browser extensions as the initial pivot. And just days ago, CVE-2026-3928 proved that Manifest V3's permission model still allows UI spoofing via crafted extensions — the exact vector that makes p
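A first-pass manifest check for extensions with declared reach into exchange or wallet pages, as an added example that is not part of the original article; the watch-list domains, the sample manifest and the function names are assumptions. It inspects only the host access a `manifest.json` declares and cannot see runtime behaviour such as the remote code execution described above.

```javascript
// Assumed watch list (domains for the services named above); edit for your own sites.
const WATCHED_HOSTS = ["binance.com", "coinbase.com", "metamask.io"];
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Host part of a match pattern such as "https://*.coinbase.com/*", or null.
function patternHost(pattern) {
  const m = /^(?:\*|https?|wss?):\/\/([^/]+)\//.exec(pattern);
  return m ? m[1].toLowerCase().replace(/:\d+$/, "") : null;
}

// Classify one entry: "broad", "watched:<domain>", or null when out of scope.
function classify(pattern) {
  if (BROAD.has(pattern)) return "broad";
  const host = patternHost(pattern);
  if (host === null) return null; // API permission name, not a host pattern
  if (host === "*") return "broad";
  const wildcard = host.startsWith("*.");
  const bare = wildcard ? host.slice(2) : host;
  for (const w of WATCHED_HOSTS) {
    const narrower = bare === w || bare.endsWith("." + w); // at or below the watched domain
    const wider = wildcard && w.endsWith("." + bare); // e.g. "*.com" covers binance.com
    if (narrower || wider) return "watched:" + w;
  }
  return null;
}

// Collect every host pattern the manifest declares and report the risky ones.
function auditManifest(manifest) {
  const sources = [
    ["host_permissions", manifest.host_permissions],
    ["optional_host_permissions", manifest.optional_host_permissions],
    ["permissions", manifest.permissions], // Manifest V2 keeps host patterns here
    ...(manifest.content_scripts || []).map((cs, i) => [`content_scripts[${i}].matches`, cs.matches]),
  ];
  const findings = [];
  for (const [source, patterns] of sources)
    for (const pattern of patterns || []) {
      const reason = classify(pattern);
      if (reason) findings.push({ source, pattern, reason });
    }
  return findings;
}
// Constructed sample manifest, not taken from any real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3, name: "Example Wallet Helper",
  permissions: ["storage", "scripting"],
  host_permissions: ["https://*.binance.com/*", "https://example.org/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
console.log(auditManifest(SAMPLE_MANIFEST));
```

A "broad" finding means the extension can read every page, exchange sessions included; a "watched" finding names the specific domain whose pages it can reach.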



