Google has begun a broad rollout of a new Chrome security feature that ties login sessions to a device's hardware, a change that matters for anyone holding crypto wallets. Key Points: Google
Google has begun a broad rollout of a new Chrome security feature that ties login sessions to a device's hardware, a change that matters for anyone holding crypto wallets.
Key Points:
- Google released Device Bound Session Credentials, which lock browser session cookies to a computer's security chip.
- The protection blocks a common attack that lets thieves bypass two-factor (2FA) logins by stealing cookies.
- Crypto users face added risk, since infostealer malware routinely targets wallets and exchange sessions.
Reports this week detailed the wide release of Device Bound Session Credentials, known as DBSC, after months of testing across Chromium browsers.
The tool now reaches most users, from Workspace and Enterprise accounts to personal ones. It binds each login to a cryptographic key that never leaves the device.
A session cookie works like a wristband at a ticketed venue, letting a site remember a login without asking for a password or a two-factor code on every visit.
Thieves prize these files because a stolen cookie can bypass that second layer entirely, and the tokens often sell on dark-web markets. DBSC stores the key inside a Windows Trusted Platform Module or a Mac Secure Enclave, then forces the browser to prove possession before any cookie refreshes.
The result is a cookie that turns useless on another machine.
Also Read:Kalshi Wins CFTC Approval For First U.S. Bitcoin Perpetual Futures
For crypto users, a hijacked session can mean drained funds rather than a hacked inbox. Information-stealing malware now harvests browser cookies, saved passwords and wallet files in a single sweep before sending them to a remote server.
One analysis found that credential theft figured in roughly a third of intrusions tracked last year, a sign of how routine the tactic has become.
The trade has also turned industrial, with researchers flagging a subscription stealer called Storm that rents for under $1,000 a month and targets wallets through browser extensions and desktop apps.
Other strains watch for sessions tied to Binance, Coinbase, MetaMask and Trust Wallet, then lift the cookie to enter an account without a password.
Google first unveiled DBSC in 2024 before moving it through a public beta and into general release on Chrome 146 and later for Windows, with version 148 and later covering Mac.
The company enabled it by default for Workspace accounts, where administrators cannot switch it off. For traders who leave exchange tabs and wallet extensions open all day, the update quietly closes one of the simplest routes into their money.
Read Next:Dogecoin Reserves Edge Up To 28B As Whale Support Stays Weak
