§ Q & A · Verification

How do I know this Bitcoin wallet is real?

Short answer

Verify three things before entering any seed: the publisher (does the install path lead back to the vendor's official domain?), the binary (does its SHA-256 match the vendor's hash?), and the setup behavior (does it match the documented flow?). Fake wallets fail at least one.

Last updated · May 10, 2026

In Q1 2026 alone, security researchers documented at least 17 fake wallet extensions in the Chrome Web Store, several seeded under stolen publisher accounts that carried the platform’s “verified publisher” badge. The “is this wallet real?” question is no longer paranoid — it’s the table-stakes due-diligence step before you put real money behind any wallet, regardless of how legitimate the listing appears at a glance.

There are three independent things to verify, and a real wallet will pass all three. A fake will fail at least one — usually conspicuously.

1. The publisher and the path you arrived through. A real wallet’s install page is reached by typing the URL by hand from a known-good source — the QR code printed on the device’s box, the wallet’s official documentation site that you bookmarked years ago, the project’s GitHub repository under the right organization. Real wallets do not need to be discovered through a Google sponsored result, a Twitter DM, or a Discord pin. If the path you took to the install link involved any of those, treat the destination as suspicious until you’ve verified it independently against the project’s documentation.

When you reach the listing, click the publisher name. Real wallet extensions and apps publish under the wallet vendor’s domain (metamask.io, phantom.app, acinq.co for Phoenix). They do not publish under random Gmail addresses, generic-looking developer names, or domains registered last month. Cross-check the domain against the wallet’s official site by typing it independently — the same domain in both places is a strong signal; different domains, especially homoglyph-similar ones, are the strongest single red flag of a clone.

2. The binary itself. Once you’ve downloaded an installer or app file, compute its SHA-256 hash and compare it against the hash the vendor publishes on their official site. Most reputable wallets — Bitcoin Core, Sparrow, Trezor Suite, Electrum, Ledger Live, Coldcard firmware — publish per-release SHA-256 (and often SHA-512) values you can match against. A few minutes of friction here is the single highest-leverage defense against a tampered installer scenario.

You can compute the SHA-256 of any wallet installer directly in your browser using our Wallet installer SHA-256 verifier. Drag the file in, get the hash, paste it into a search of the vendor’s release notes. Match = ship. No match = stop, delete the file, re-download, verify again. Several real-world drainer-as-a-service campaigns get caught at exactly this step before they ever take a private key, because the modified installer cannot reproduce the vendor’s published hash without breaking the cryptographic signature it carried.
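As an added illustration (not the page's own verifier tool), the installer check described above in Python: it parses a hash list in the `sha256sum` text format (`<hex digest>  <filename>`), streams the downloaded file through SHA-256, and reports match, mismatch or not-listed. The DEMO_SUMS list and the stand-in installer are constructed for the demo; the one assumption is that the hash list was fetched separately from the vendor's official site, since a list served next to a tampered download proves nothing.

```python
# Compare a downloaded installer against a vendor SHA256SUMS list (sha256sum format: "<hex>  <name>").
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")

def parse_sha256sums(text: str) -> dict[str, str]:
    """Map basename -> lowercase digest; tolerates '*' binary markers, blank and '#' lines."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        if len(digest) == 64 and set(digest) <= HEX:
            sums[os.path.basename(name.strip().lstrip("*"))] = digest.lower()
    return sums

def sha256_file(path: str) -> str:
    """Stream the file so a multi-hundred-MB installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_installer(path: str, sums_text: str) -> tuple[str, str]:
    """Return (verdict, actual_digest): 'match', 'mismatch' (stop, delete, re-download) or 'not-listed'."""
    actual = sha256_file(path)
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed", actual
    return ("match" if hmac.compare_digest(expected, actual) else "mismatch"), actual

# Constructed demo list (not a real vendor release): digests of b"abc" and of an empty file.
DEMO_SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  wallet-1.0-setup.exe\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *wallet-1.0.dmg\n"
)

def demo(contents: bytes = b"abc", name: str = "wallet-1.0-setup.exe") -> str:
    """Write a stand-in installer with the given bytes into a temp dir and return the verdict."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(contents)
        return verify_installer(path, DEMO_SUMS)[0]
```

`demo()` returns `"match"`; a single appended byte (`demo(b"abc\x00")`) flips it to `"mismatch"`, and a filename absent from the list gives `"not-listed"` rather than a silent pass.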

For browser extensions, the equivalent check is harder because extensions update silently and the hash you’d verify changes each version. The strongest signal there is the install count and review history: real wallet extensions have install counts in the hundreds of thousands (or millions, for the major ones) and reviews going back years across multiple stable versions. Recently spawned clones have orders-of-magnitude smaller counts and reviews bunched within a recent window — even when they bear a “verified publisher” badge.

3. Behavior on first run. Real wallets follow a specific, documented setup flow. You can read it in the vendor’s official onboarding documentation before you even download — and then verify the actual behavior matches as you go. A genuine Ledger asks you to set a PIN, then displays a fresh 24-word recovery phrase that the device generated on its own hardware random number generator; a tampered Ledger might display 24 words that were pre-generated by an attacker who already knows them. The way to catch that is by doing the device’s “Genuine Check” through Ledger Live before generating a seed, which validates a hardware-rooted attestation that a tampered device cannot forge.

Trezor uses an equivalent attestation through Trezor Suite. Coldcard’s “verify yourself” mode walks you through reading the device’s own integrity attestation off its screen. BitBox02 verifies the device through the BitBoxApp before unlocking. Every reputable hardware wallet has some documented genuineness check, and if the device or its setup flow does not match what the vendor’s documentation describes, that is the moment to stop and verify independently before generating any seed or sending any funds.

For mobile wallets, the analogous behavioral check is the developer name on the App Store or Play Store listing. Phoenix is published by ACINQ — not by a random “Phoenix Lightning Wallet Pro Plus” developer with three apps and no website. Wallet of Satoshi is published by “Living Room of Satoshi Pty Ltd” — the actual operating company. Real wallets are published by the actual operating organizations behind them; clones impersonate by using similar names but different developer accounts.

The combined signal. A wallet that passes all three checks — verifiable publisher path, matching binary hash, documented genuine setup flow — is overwhelmingly likely to be the real software. A wallet that fails any one of them is the moment to stop, delete what you’ve downloaded, and re-source from the wallet’s official documentation. The cumulative cost of these three verifications, run together, is about five minutes per wallet, once. The cost of skipping them and ending up with a tampered installer is the entire balance the wallet would have held.

If you’re cross-checking a specific wallet against general “is it trustworthy?” criteria — open source, reproducible builds, audit history, custodial vs self-custodial — Wallet Scrutiny is a free independent database that tracks all of those for the major Bitcoin wallets. The same project also publishes verifiability ratings that are useful for choosing between two wallets that both pass the genuineness checks above.

After installation, before depositing serious funds, validate your first receiving address with our Address validator to confirm the encoding is well-formed (Bech32 for SegWit, Bech32m for Taproot). For Lightning addresses, the Lightning address verifier does the same. None of these tools depend on the wallet — they verify what the wallet produced, which is the strongest form of cross-check.
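An added example, not the page's Address validator, of the encoding check it performs: a Bech32/Bech32m decoder following BIP 173 and BIP 350 that verifies the checksum, requires witness version 0 to use the Bech32 constant and versions 1+ (Taproot) the Bech32m constant, and checks witness-program length and padding. The `expected_hrp` parameter is this example's own addition for choosing mainnet (`bc`) or testnet (`tb`).

```python
# Well-formedness check for Bech32 (SegWit v0) / Bech32m (Taproot, v1+) addresses per BIP 173 / BIP 350.
from typing import List, Optional, Tuple

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3   # checksum constants: v0 uses the first, v1+ the second
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]

def _polymod(values: List[int]) -> int:
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk

def _hrp_expand(hrp: str) -> List[int]:
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _to_bytes(groups: List[int]) -> Optional[bytes]:
    """Regroup 5-bit values into bytes; None if the padding is >= 5 bits or non-zero."""
    acc = bits = 0
    out = bytearray()
    for g in groups:
        acc, bits = (acc << 5) | g, bits + 5
        while bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return None if bits >= 5 or acc & ((1 << bits) - 1) else bytes(out)

def check_address(addr: str, expected_hrp: str = "bc") -> Tuple[bool, str]:
    """Return (ok, reason); expected_hrp is 'bc' on mainnet, 'tb' on testnet."""
    if addr != addr.lower() and addr != addr.upper():
        return False, "mixed case"
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or len(addr) - pos - 1 < 6 or len(addr) > 90 or addr[:pos] != expected_hrp:
        return False, f"bad length, separator or prefix (expected {expected_hrp!r})"
    hrp, body = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in body):
        return False, "character outside the bech32 alphabet"
    data = [CHARSET.index(c) for c in body]
    witver, const = data[0], _polymod(_hrp_expand(hrp) + data)
    if const != (BECH32_CONST if witver == 0 else BECH32M_CONST):
        return False, "checksum failed (typo, or bech32/bech32m mismatch for this version)"
    prog = _to_bytes(data[1:-6])          # drop the version group and the 6 checksum groups
    if witver > 16 or prog is None or not 2 <= len(prog) <= 40 or (witver == 0 and len(prog) not in (20, 32)):
        return False, "bad witness version, program length or padding"
    return True, f"v{witver} {'bech32m' if witver else 'bech32'}, {len(prog)}-byte program"
```

A passing result only proves the string is a well-formed address on the expected network; it does not prove the wallet that displayed it controls the key, which is why the page pairs this with the publisher and binary checks.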

The whole verification stack — publisher / binary / behavior — is the same one professional security teams use, just applied to consumer wallet decisions. The math is simple: a few minutes of friction once per wallet, against the entire balance you’ll trust to it. Don’t trust — verify.

Primary sources

  1. Bitcoin.org — Choose your wallet (security checklist)
  2. Wallet Scrutiny — independent verifiability database
  3. Ledger — How to verify the genuineness of your device
  4. Trezor — Trezor Suite signature verification
  5. Bitcoin Optech — verifying release binaries