Coming back to the browser malware idea. I'm not a programmer, but with help of ChatGPT it took me 30 minutes to modify a Chrome extension to swap the BTC address shown on a HodlHodl contract with my own BTC address using Javascript.

I took this open-source wallet to try this out: https://github.com/iamadamdev/bypass-paywalls-chrome

Only a matter of time before someone deploys this attack vector.