Bitget Wallet - Crypto, Web3 | Bitcoin & USDT
Provides access to a wide range of DeFi services, including wallet management, a swap feature, NFT trading, and DApp interaction, bringing a one-stop-shop experience to users looking to explore the world of crypto and blockchain. Most beneficial for cryptocurrency enthusiasts and developers seeking seamless integration with various platforms.
Overview
Secure Web3 crypto wallet extension for Bitcoin, Ethereum, DeFi, token swaps, and cross-chain transactions on 130+ blockchains.
Bitcoin & Multi-Chain Token Swaps
Experience seamless cross-chain trading with Bitget Wallet: your multi-chain wallet and token swap extension for Bitcoin, Ethereum, USDT, and more. Our smart routing and gas auto-payment engine make swapping fast, efficient, and gas-optimized, all within your Chrome crypto wallet.
Real-Time Market Tracking in Your Crypto Wallet
With Bitget Wallet Alpha, discover trending tokens and early trading signals across 130+ chains. Spot new opportunities, whether you're tracking BTC, ETH, or altcoins, directly from your crypto browser wallet.
Earn Crypto with DeFi Yield Tools
Stake your assets and earn crypto with stablecoin pools offering up to 8% APY. Bitget Wallet connects you to top DeFi protocols to help you generate crypto yield safely. One click to join, track, and withdraw, perfect for both beginners and DeFi veterans.
Secure, Self-Custody Chrome Wallet
Bitget Wallet is a non-custodial crypto wallet built on MPC wallet technology. With real-time risk controls and a $300M protection fund, your Bitcoin, Ethereum, and USDT assets stay fully under your control, inside a battle-tested self-custody wallet extension.
One Wallet for Web3 on Chrome
Manage your entire portfolio (BTC, ETH, stablecoins, and DeFi tokens) in one Web3 wallet extension. From staking and swaps to market tracking, Bitget Wallet is your gateway to the decentralized future, right in your browser.
Bitget Wallet is your trusted Chrome extension for Bitcoin, DeFi, and Web3, built for crypto beginners and pros alike. Secure. Powerful. Easy to use. Bitget Wallet brings crypto to everyone with seamless token swaps, DeFi tools, and self-custody security, all in one Web3 wallet.
Fastest-growing non-custodial wallet with 80M+ users worldwide.
Ranked Top 3 Web3 Wallets by users worldwide.
Download Bitget Wallet now and start your Web3 journey:
Official Website: https://web3.bitget.com/
iOS App: https://apps.apple.com/us/app/bitget-wallet-crypto-bitcoin/id1395301115
Android App: https://play.google.com/store/apps/details?id=com.bitkeep.wallet
X: https://twitter.com/BitgetWallet
Telegram: http://t.me/Bitget_Wallet_Announcement
Discord: https://discord.gg/bitget-wallet
Package Contents: 563 files · 63.4MB
What This Extension Does
A Web3 wallet extension that allows users to manage crypto assets, swap tokens, and interact with decentralized applications directly from their browser.
Permissions
- *://*/* (check this): This permission lets the extension access and modify any website you visit. For a wallet extension, this is necessary to interact with blockchain networks and DApps, but it also means it can potentially read or alter data on any site. ⚠ 1
- http://localhost/* (check this): This permission allows access to local development servers running on your computer. While useful for developers testing locally, it's not typically needed in production extensions and could be misused if an attacker gains control. ⚠ 1
- storage (expected): This lets the extension save and retrieve data locally on your computer, such as wallet keys or settings. It's essential for a wallet to remember user preferences and securely store sensitive information.
- activeTab (expected): This permission allows the extension to read and modify the currently active tab's content, important for interacting with DApps or performing actions on specific pages like swapping tokens.
- notifications (expected): This lets the extension show pop-up messages to alert you about events like transaction confirmations or price changes. It's standard for wallet extensions but should not be used for tracking behavior.
- unlimitedStorage (expected): This gives the extension unlimited space to store local data on your device, useful for caching large amounts of blockchain information or transaction history, but it raises concerns about excessive disk usage.
- scripting (expected): This permission allows the extension to inject scripts into web pages, needed for interacting with DApps and executing smart contract calls in a browser environment.
- tabs (expected): This lets the extension view and manage browser tabs, important for switching between wallets or monitoring transactions across multiple open windows.
- alarms (expected): This allows the extension to schedule background tasks, useful for periodic updates like checking balances or syncing with blockchain networks.
- sidePanel (expected): This enables a side panel that appears within the browser UI, allowing quick access to wallet features like balance checks or transaction history.
- contextMenus (expected): This lets the extension add custom menu items to right-click menus in the browser, useful for quick actions like copying addresses or swapping tokens directly from any page.
Your Data
The extension can access and send data from any website you visit, including potentially sensitive information like login credentials or transaction details. It also communicates with several external domains for services such as analytics, support, and blockchain interaction.
Code Findings
The extension uses a dangerous JavaScript command called 'eval' that can run any code provided to it. This is risky because if an attacker could trick the extension into running malicious code, they might gain full control over your browser.
Note: In legitimate extensions, eval() might be used to parse JSON or evaluate configuration files at runtime; however, its use here appears excessive and risky without clear justification.
The extension may be sending user data, possibly including browsing history or wallet information, to external servers. While this could be part of normal operation (like syncing with a blockchain node), it's worth noting as potentially risky.
Note: Data transmission may be required for syncing wallet state with backend services or fetching market data, which is common in DeFi wallets.
The extension makes network calls over HTTP instead of HTTPS. This means that information sent between your browser and those servers could be intercepted by attackers.
Note: Some internal development environments may still use HTTP during testing phases; however, production deployments should always enforce HTTPS.
Trustworthiness
- Developer: No developer name or organization listed in the extension metadata; lacks verifiable identity indicators.
- Privacy Policy: A privacy policy exists but does not clearly explain how data from all origins is handled or whether it's shared with third parties beyond what's described in the manifest and external domains.
- Install Base: With 300K+ installs and regular updates (as per version 2.19.13), it is actively maintained but lacks transparency around developer identity.
This extension appears consistent with its stated purpose, but the presence of broad network access permissions (*://*/*) and use of eval() raises concerns about potential misuse or exploitation if compromised. Users should exercise caution when installing this extension and consider reviewing its behavior in a controlled environment before using it for real funds.
Permissions
- *://*/* (check this): Grants broad network access via Chrome's declarativeNetRequest API; allows interception of all HTTP/HTTPS traffic from any origin. If compromised, an attacker could monitor or manipulate communications across the entire web, including sensitive financial transactions and personal information. ⚠ 1
- http://localhost/* (check this): Enables network access to localhost (e.g., 127.0.0.1 or ::1), which may allow the extension to communicate with local services such as development APIs or debug tools. Risk is elevated because it can bypass typical browser security restrictions for internal hosts. ⚠ 1
- storage (expected): Uses Chrome's storage API (chrome.storage.local) to persistently store key-value pairs; includes access to sync storage if enabled. Could be used to persist credentials or session tokens, which would pose a risk if accessed by malicious code.
- activeTab (expected): Grants access to the current page's DOM via chrome.tabs.executeScript, enabling injection of scripts into the active tab. If misused, could allow manipulation of web forms or capture of keystrokes during transactions.
- notifications (expected): Uses the chrome.notifications API to display UI alerts; no data transmission occurs unless explicitly coded otherwise. However, it could potentially be leveraged in phishing attacks if abused with misleading messages.
- unlimitedStorage (expected): Allows unrestricted access to chrome.storage.local without quota limits. Could be used to persist sensitive data beyond normal expectations (e.g., logs, cached private keys), increasing attack surface if compromised.
- scripting (expected): Enables chrome.scripting API usage, allowing dynamic script injection into tabs. If misused, could enable arbitrary code execution on visited sites or theft of session data from other domains.
- tabs (expected): Provides access to the chrome.tabs API, enabling tab navigation, URL inspection, and content manipulation. Could be used to track browsing habits or redirect users without consent if misused.
- alarms (expected): Uses the chrome.alarms API to trigger scheduled events in background workers; can be used to periodically poll external APIs or perform maintenance operations without user interaction.
- sidePanel (expected): Enables the chrome.sidePanel API for displaying persistent panels in Chrome DevTools or sidebar views. May be used to present interactive dashboards but does not inherently expose data unless combined with other permissions.
- contextMenus (expected): Uses the chrome.contextMenus API to register context-aware actions. Could be misused to inject malicious behavior into user workflows, especially if combined with scripting capabilities.
Data Exposure (Technical)
External origins contacted include cdn.bitkeep.vip, www.w3.org, conf.chainnear.com, links.ethers.org, t.me, fp-constantid.bitkeep.vip, conf.bitkeep.app, conf.bitkeep.biz, conf.bitkeep.fun, conf.bitkeep.life, conf.packcard.com, web3.bitget.com. Data transmitted may include cookies, page content (if injected), authentication tokens, and potentially keystrokes or form inputs depending on how scripts are executed. Some endpoints use HTTP instead of HTTPS, which could allow interception of data in transit.
Code Findings
Detected usage of eval() in background scripts or content scripts, specifically on dynamically constructed strings (not static). If these inputs come from external sources like network responses or user input, this creates a potential vector for remote code execution. The presence of eval() is particularly concerning when combined with dynamic script injection capabilities.
Pattern matching detected in code that resembles attempts to send data over HTTP/HTTPS, possibly via XMLHttpRequests or fetch calls. No specific payload was identified but the structure suggests possible exfiltration mechanisms. This is especially concerning given the broad network access permissions and lack of encryption verification for some domains.
Several outbound connections are made using plain HTTP (e.g., conf.bitkeep.app, fp-constantid.bitkeep.vip). These lack TLS encryption, making them vulnerable to man-in-the-middle attacks or eavesdropping. Even if the data itself is not sensitive, it could be used for tracking purposes.
Code Analysis
- Obfuscation: Code appears heavily obfuscated with techniques such as identifier mangling and string encoding. This makes manual inspection difficult for security researchers trying to understand behavior or detect hidden malicious patterns.
- Content Security Policy: A Content Security Policy is present but allows 'wasm-unsafe-eval', which undermines sandboxing protections. It restricts script sources to self, yet still permits unsafe eval usage in extension pages, a significant weakness that could allow arbitrary code execution if exploited.
- Architecture: Built as a Manifest V3 extension with background service worker and content scripts injected into all origins (*://*/*). This architecture supports DApp interaction but increases exposure surface due to broad injection scope. Messaging between background and content scripts is likely used for cross-tab communication, though no explicit patterns were found.
Transparency
- Code Visibility: Source code appears minified/bundled, likely obfuscated. This prevents independent verification of behavior by security researchers or users who want to audit for vulnerabilities.
The extension presents a high-risk attack surface due to the combination of broad network access, unsafe eval usage, and lack of developer transparency. The CSP allows wasm-unsafe-eval which undermines security boundaries; this is particularly concerning given that the extension handles sensitive financial data. Researchers should prioritize manual inspection of script injection behavior and investigate whether any remote code execution paths exist through dynamically evaluated strings.