Author: Lisa & Aro
In today's Internet environment, threats such as malware, viruses, and phishing attacks emerge in an endless stream. Installing antivirus software (AVG, Bitdefender, Kaspersky, Malwarebytes and other internationally known products) helps users block malicious programs and improves system security. However, antivirus software only provides a baseline of protection: it reduces risk but cannot guarantee absolute security. Attack and defense is a dynamic contest, and installing antivirus software is only the first step toward better security. At the same time, antivirus software itself can produce false positives, which bring risks of their own.
Recently, some users reported that after running antivirus software, certain browser extensions (cryptocurrency wallet extensions in particular) were falsely flagged as malware. The extension's JavaScript files were quarantined or deleted, and as a result the wallet extension was damaged and could no longer be used normally.

For Web3 users this situation is especially serious, because crypto wallet extensions usually store private keys; if it is handled improperly, wallet data may be lost and the assets may become unrecoverable. It is therefore crucial to understand how to properly restore extension data that has been falsely flagged and quarantined.
How to deal with it?
If a browser extension is damaged by an antivirus false positive, we recommend recovering it with the following steps:
1. Restore files from quarantine; do not uninstall the extension
If a program or extension stops running, check the antivirus software's "Quarantine" or "History" as soon as possible to find the falsely flagged file, and do not delete the quarantined file.
If the file is still in quarantine, select "Restore" and add the file or extension to the trusted list to prevent it from being flagged again.
If the file has already been deleted, check whether an automatic backup exists, or use a data recovery tool to recover it.
Remember: do not uninstall the extension! Even if the extension is damaged, the files containing the encrypted private key may still exist locally, and recovery is still possible.
2. Back up and find local extension data
Extension data is usually stored on the local disk. Even if the extension can no longer be opened, the related data can still be found for recovery (taking MetaMask, extension ID nkbihfbeogaeaoehlefnkodbefgpgknn, as an example):
Windows path reference: C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Mac path reference:
~/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn
Note that if Chrome has multiple profiles, the Default in the path may instead be Profile 1, Profile 2, and so on. Check which profile directory is actually in use and adjust the path accordingly. We recommend backing up the complete directory of the target extension as soon as possible so that it can be restored if something goes wrong.
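As an added example (not code from the original post or from SlowMist), the following Python script does the backup step above in a repeatable way: it walks every Chrome profile directory (Default and Profile N), finds the extension's Local Extension Settings folder, copies it to a timestamped backup directory, and writes a SHA-256 manifest so the copy can be verified before it is used for recovery. The directory layout assumed is the one quoted above; the run_demo() function builds a constructed user-data tree in a temporary directory so the script runs stand-alone.

```python
"""Back up a Chrome extension's Local Extension Settings directory from every
profile and verify the copy with SHA-256 hashes. Added example, not part of
the original post; file names in run_demo() are constructed."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Extension ID quoted in the post (MetaMask); any extension ID works here.
METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"


def find_extension_dirs(user_data_dir, ext_id):
    """Return every '<profile>/Local Extension Settings/<ext_id>' directory
    under the Chrome user-data directory, covering Default and Profile N."""
    root = Path(user_data_dir)
    found = []
    for profile in (sorted(root.iterdir()) if root.is_dir() else []):
        if not profile.is_dir():
            continue
        if profile.name != "Default" and not profile.name.startswith("Profile "):
            continue
        candidate = profile / "Local Extension Settings" / ext_id
        if candidate.is_dir():
            found.append(candidate)
    return found


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(directory):
    """Map relative file path -> sha256 for every file under directory."""
    directory = Path(directory)
    return {
        str(p.relative_to(directory)).replace("\\", "/"): sha256_file(p)
        for p in sorted(directory.rglob("*"))
        if p.is_file()
    }


def backup_extension(ext_dir, backup_root):
    """Copy ext_dir to backup_root/<profile>-<ext_id>-<timestamp>/, verify the
    copy against the source hashes, write a .sha256 manifest beside it, and
    return (backup_path, manifest)."""
    ext_dir = Path(ext_dir)
    profile_name = ext_dir.parent.parent.name  # 'Default' or 'Profile 1'
    stamp = time.strftime("%Y%m%d-%H%M%S")
    dest = Path(backup_root) / f"{profile_name.replace(' ', '_')}-{ext_dir.name}-{stamp}"
    shutil.copytree(ext_dir, dest)
    src_manifest, dst_manifest = manifest(ext_dir), manifest(dest)
    if src_manifest != dst_manifest:
        raise RuntimeError("backup verification failed: hashes differ")
    (dest.parent / (dest.name + ".sha256")).write_text(
        "".join(f"{digest}  {name}\n" for name, digest in dst_manifest.items())
    )
    return dest, dst_manifest


def run_demo():
    """Build a constructed user-data tree, back up the extension from each
    profile, and report what was found and whether each copy verified."""
    base = Path(tempfile.mkdtemp())
    user_data = base / "User Data"
    for profile, content in (("Default", b"vault-default"), ("Profile 1", b"vault-profile-1")):
        ext = user_data / profile / "Local Extension Settings" / METAMASK_ID
        ext.mkdir(parents=True)
        (ext / "000003.log").write_bytes(content)       # constructed LevelDB-style names
        (ext / "CURRENT").write_bytes(b"MANIFEST-000002\n")
    (user_data / "Guest Profile").mkdir()                # not a wallet profile; skipped
    dirs = find_extension_dirs(user_data, METAMASK_ID)
    results = [backup_extension(d, base / "backups") for d in dirs]
    return {
        "profiles": [d.parent.parent.name for d in dirs],
        "backups": [str(dest) for dest, _ in results],
        "file_counts": [len(m) for _, m in results],
        "verified": all((dest.parent / (dest.name + ".sha256")).exists() for dest, _ in results),
    }


if __name__ == "__main__":
    print(run_demo())
```

On a real machine, replace the constructed tree with the actual user-data directory (for example C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data on Windows, or ~/Library/Application Support/Google/Chrome on macOS) and close Chrome first so the LevelDB files are not mid-write when they are copied; the .sha256 manifest lets you confirm later that the backup still matches what was copied.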
3. Basic recovery method: overwrite the local extension directory
If the extension was damaged by a false positive, the most direct approach is to copy the backed-up extension data over the corresponding extension directory on a new computer or in a new browser environment, and then reopen the extension.
4. Advanced recovery method: manually decrypt private key data
If the extension still cannot be opened or its data is missing, a more advanced recovery method is to manually decrypt the private key data. Taking MetaMask as an example:
Search your computer for the MetaMask extension ID and locate the following directory: C:\Users\[User]\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
This directory may contain .ldb/.log files that store the encrypted private key data (the vault). MetaMask's official Vault Decryptor tool (https://metamask.github.io/vault-decryptor/) can be used to decrypt it.
Decryption steps: open the MetaMask Vault Decryptor -> copy the encrypted vault content from the .ldb/.log file -> decrypt it with the wallet's original password -> after obtaining the private key, re-import the wallet.

If the MetaMask extension can still open certain pages (such as chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/home.html), you can try running the following code to obtain the encrypted vault data:

Then copy the vault data into the MetaMask Vault Decryptor to decrypt it.

5. Write a custom recovery tool
If the methods above cannot recover the wallet data, the user can write a script that extracts the extension's storage data from the local database files and then decrypts it. Below, PhantomKeyRetriever is used as a template to describe the underlying principles and implementation of recovery tools for different wallets:
Wallet extensions usually store sensitive data in a database or file on the local system. Browser extension wallets (such as Phantom and MetaMask) use the browser's storage API to save encrypted data in the browser's local storage area, typically a database such as LevelDB or IndexedDB. Regardless of the wallet type, the key principle is that the data is always stored in encrypted form, so that even if it is copied, it cannot be accessed without the correct password.
Most crypto wallets use a multi-layer encryption architecture to strengthen security. First, the user's master password is used to encrypt an intermediate key (usually called the "encryption key" or "decryption key"). This intermediate key is then used to encrypt the actual private key or mnemonic. With this design, even if the wallet application's code is tampered with, an attacker still needs the user's password to obtain the private key. The multi-layer design also lets the wallet decrypt the intermediate key once when the user logs in, instead of requiring the master password for every operation.
The process of writing a wallet recovery tool usually includes:
Locate and extract the encrypted data (read it from LevelDB/IndexedDB).
Analyze the data structure and identify the encrypted private key/mnemonic.
Ask the user for the wallet password and derive the decryption key with a KDF (such as PBKDF2 or Scrypt).
Decrypt the intermediate key, then use it to decrypt the private key/mnemonic.
This requires precise knowledge of the wallet's encryption scheme and data storage format, which usually has to be obtained by reverse engineering or by studying the wallet's open-source code.
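To make the multi-layer architecture and the four-step process above concrete, here is an added example (not code from the original post, from SlowMist, or from any real wallet, and not any wallet's actual storage format) of a generic two-layer vault: the password is stretched with PBKDF2 or Scrypt into a key-encryption key (KEK), the KEK unwraps a random intermediate data-encryption key (DEK), and the DEK decrypts the mnemonic. Real wallets use AES-GCM or NaCl SecretBox for the two encrypted boxes; so that the example runs on the Python standard library alone, the boxes are implemented here with an HMAC-SHA256 keystream plus an encrypt-then-MAC tag, which is a stand-in for those primitives, not a recommendation to build your own. All names and sample values are constructed.

```python
"""Generic two-layer vault: password -> KDF -> KEK -> wraps DEK -> encrypts secret.
Added example; the box construction is a standard-library stand-in for
SecretBox/AES-GCM and the vault layout is invented for illustration."""
import hashlib
import hmac
import secrets

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_kek(password, salt, kdf="pbkdf2"):
    """Stretch the user's password into a 32-byte key-encryption key."""
    pw = password.encode()
    if kdf == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, 600_000, dklen=32)
    if kdf == "scrypt":
        return hashlib.scrypt(pw, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    raise ValueError("unknown kdf: " + kdf)


def _subkeys(key):
    # Separate keystream and tag keys derived from one box key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Authenticated-encryption stand-in for SecretBox: nonce || ct || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_box(key, blob):
    """Check the tag before decrypting; a wrong password gives a wrong key and fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong password or corrupted vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_vault(password, mnemonic, kdf="pbkdf2"):
    salt = secrets.token_bytes(SALT_LEN)
    dek = secrets.token_bytes(32)                        # the intermediate key
    kek = derive_kek(password, salt, kdf)
    return {"kdf": kdf, "salt": salt.hex(),
            "wrapped_dek": seal(kek, dek).hex(),          # layer 1: DEK under KEK
            "data": seal(dek, mnemonic.encode()).hex()}   # layer 2: secret under DEK


def unlock_vault(password, vault):
    kek = derive_kek(password, bytes.fromhex(vault["salt"]), vault["kdf"])
    dek = open_box(kek, bytes.fromhex(vault["wrapped_dek"]))
    return open_box(dek, bytes.fromhex(vault["data"])).decode()


def unlock_fails(password, vault):
    try:
        unlock_vault(password, vault)
        return False
    except ValueError:
        return True


def change_password(old_password, new_password, vault):
    """Only layer 1 is redone; the mnemonic ciphertext in 'data' is untouched."""
    old_kek = derive_kek(old_password, bytes.fromhex(vault["salt"]), vault["kdf"])
    dek = open_box(old_kek, bytes.fromhex(vault["wrapped_dek"]))
    salt = secrets.token_bytes(SALT_LEN)
    new_kek = derive_kek(new_password, salt, vault["kdf"])
    return {**vault, "salt": salt.hex(), "wrapped_dek": seal(new_kek, dek).hex()}


def demo_roundtrip(password, new_password, mnemonic, kdf="pbkdf2"):
    """Exercise both layers and a password change; return the observed facts."""
    vault = create_vault(password, mnemonic, kdf)
    rotated = change_password(password, new_password, vault)
    return {
        "unlocks": unlock_vault(password, vault) == mnemonic,
        "wrong_password_fails": unlock_fails(password + "x", vault),
        "data_unchanged_after_rotation": rotated["data"] == vault["data"],
        "dek_rewrapped": rotated["wrapped_dek"] != vault["wrapped_dek"],
        "new_password_unlocks": unlock_vault(new_password, rotated) == mnemonic,
        "old_password_fails_after_rotation": unlock_fails(password, rotated),
    }


if __name__ == "__main__":
    # Constructed values; not a real seed phrase.
    print(demo_roundtrip("correct horse", "new password", "constructed test phrase, not a real seed"))
```

Two points a recovery-tool author should take from this: the password never decrypts the secret directly, so a tool must reproduce the wallet's exact KDF parameters (salt, iteration count or Scrypt cost) to get the KEK, and an authenticated box fails closed on a wrong password rather than returning garbage, which is why a decryptor can tell a bad password from corrupted vault data.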
Take the PhantomKeyRetriever tool as an example. It is a script designed to extract Phantom wallet mnemonics or private keys from Chrome browser data; SlowMist has open-sourced it on GitHub (https://github.com/slowmist/PhantomKeyRetriever). Its core workflow is as follows:
Read the Chrome LevelDB database and copy the relevant data to a temporary directory.
Traverse the database to find the encryption key and wallet seed records stored by the Phantom wallet.
The user enters the Phantom password, and the script derives the decryption key with PBKDF2/Scrypt.
Decrypt the wallet vault data and extract the BIP39 mnemonic or Base58 private key.
In this two-layer decryption process the script supports two key derivation functions, PBKDF2 and Scrypt, and uses the NaCl library's SecretBox for authenticated decryption. Finally, depending on the type of the decrypted data, the script generates a standard BIP39 mnemonic or extracts a Base58-encoded private key.

Note that other browsers that support extension wallets (such as Edge and Firefox) work on a similar principle, which will not be repeated here.
How to prevent it?
To reduce the risk of false positives, users can take the following measures:
Regularly back up important files and browser extension data so that they can be restored quickly when a false positive occurs.
Manually add trust rules in the antivirus software. Important software or extensions (such as MetaMask) can be added to the trusted list in advance to prevent false positives.
Download software only from official channels and avoid installing unofficial or modified versions, which are more likely to be flagged as a potential risk by antivirus software.
Summary
Attack and defense is always dynamic, and security strategies must keep adjusting. Installing antivirus software is important, but in the end users are the last line of defense for their own assets. When a false positive occurs, handle it calmly, avoid deleting key files outright, and use the appropriate recovery method. Only with the right security knowledge can you truly protect your data.