Browser/Mobile Wallets - Future Tool For Mass Crypto Rug?

Honestly, this post will come off as quite paranoid. As somebody that has made mistakes in the past compromising recovery phrases and thus losing some crypto assets though, I believe a heavy dose of paranoia is healthy in this space. This scenario may very well have been mentioned in a previous post (haven't found it though), but I still appreciate the discussion.

Over the past few years I've noticed at conferences, meetups, etc. hearing from hundreds of people that happily discuss downloading and using various browser extensions and mobile wallets to join different crypto communities and such. There are dozens of them from Metamask types to extensions meant to manage Nostr credentials, and the list goes on ad infinitum. I know many of these people have been in the crypto game awhile and know about hardware wallets to airgap their private keys. Yet, they DO NOT! Each week the crypto world onboards thousands more across the globe and new projects are coming online allowing people to spin up a browser/mobile wallet in minutes to get started. This got me thinking if crypto people aren’t religiously using a hardware wallet to sign every single crypto interaction and browser extension, it’s safe to assume essentially 100% of newbies are certainly not.

Now here comes the part that blows my mind and probably makes me sound like Jerry Fletcher in Conspiracy Theory. From Snowden's PRISM revelations, to the known NSO Group Pegasus spyware package (both which seamlessly bypass and negate any antivirus systems running on the device), keyloggers, etc. available to nation states (and even hackers so inclined on the dark web) this is beyond worrisome. We now know that essentially every PC and mobile phone is already cracked by entities such as the NSA, so millions of people are being monitored 24/7 and ALL activities on their devices is recorded somewhere in a city sized data center all without their knowledge. For these new wallets being used to onboard the general populace in projects this is a huge issue. Every extension and mobile wallet (many that don’t support hardware wallets currently) has the EXACT same flawed startup. Create new wallet, set password, now either copy/paste seed words or click an icon to make the seed visible in the viewport to physically write down with a pen. Either method is possibly compromised from the word go and it’s safe to assume that seed phrase may be smoked.

With every keystroke and interaction screenshot available to authorities whenever they wish, this seems like an amazing future setup to deal a coordinated crushing blow when deemed appropriate to the crypto industry. These new users might use this wallet for years to come to build out identities, social networks, accept payments, etc. never realizing that their private keys were compromised in the first minute of use. These nefarious entities could literally sit on millions of seed phrases for years, hell decades if needed, waiting for an opportune time to strike. In mere seconds they could access, drain, and co-opt millions of crypto wallets across the globe with a relatively small team. If done correctly, this exploit would make all the 2022 crypto lender collapses seem like a minor incident in terms of losses. This would likely kill any hopes of a utopian vision of the future entailing mass crypto/web3 adoption and instantaneously set the entire space back to square one.

Does this particular aspect strike anybody else as a Grand Canyon size security flaw? The only option to prevent the above scenario though is to force every new user to connect a wallet device which also sets adoption back years. All these development teams are hoping to build a brighter future, but with the above mentioned issue may very well unwittingly be setting the stage for a future crypto apocalypse.