Is wavebrowser.co safe?

encoded payload

suspicious base64-like blobs detected in page content

cloaking

Page loads content in transparent or zero-size iframe overlay

prompt injection

Hidden HTML element contains AI-targeting instructions

social engineering

Wave Browser has a documented history as a potentially unwanted program (PUP) that installs bundled software and hijacks browser settings. The site uses environmental/charitable messaging ('Save the Ocean', '4ocean partnership') as a trust-building cover to encourage downloading a browser that has been flagged by security researchers and antivirus vendors for aggressive installation and persistence behaviors. This cause-washing technique is a classic social engineering pattern designed to lower user defenses. (location: page-text.txt:1 - hero section and throughout visible content)

social engineering

The page discloses that searches are 'powered by Yahoo by default' — a hallmark of browser hijacking monetization. The framing minimizes this as a user-friendly default while burying the revenue model (search engine partnership commissions). This is deceptive presentation designed to obscure the true commercial nature of the product. (location: page-text.txt:1 - 'Searches are powered by Yahoo by default')

hidden content

The page embeds an audio element positioned off-screen using CSS: 'audio{left:-999999px;opacity:0;pointer-events:none;position:fixed;top:-999999px}'. Audio files (yad_dl_top_right.mp3, yad_edge.mp3, yad_firefox.mp3) are prefetched. The filenames suggest these are triggered during competing browser detection flows. This is hidden/non-visible content serving undisclosed behavioral purposes. (location: page.html:13 (inline style), page.html:94-96 (prefetch links))

hidden content

The page body contains a large number of A/B test flags embedded as CSS body classes: '--v2110_on --organic_maybe --bigStub_on --t2-92_on --vuentp_on --wavwbnui_on --fourTiles_on --richSuggestions_on --sponsoredGroup_on --darkmode_on --nadm_on --newTblaTag_on --apiWaveBrowNetNTP_on --CapOneLimit_on --waveNews_on --freePro_on --4ocean_on --sidebarItemRemoval_on --fifthql_on --maxSesMatchesOverride_on --taboolaBlacklistAdsCheck_on'. Flags like 'taboolaBlacklistAdsCheck_on', 'sponsoredGroup_on', 'nadm_on', and 'CapOneLimit_on' indicate hidden ad-targeting and monetization logic not disclosed to the user. (location: page.html:157 - body class attribute)

hidden content

The page exposes internal API endpoints in a publicly visible JavaScript config block: waveNewTabApi points to 'https://mywavehome.net' (a separate domain), waveCoreApi to 'https://api.wavebrowser.net', and downloadApi to 'https://download.wavebrowser.co'. The new-tab API domain 'mywavehome.net' is a separate undisclosed domain that would silently control the user's new tab page after install. (location: page.html:158 / page-text.txt:2 - window.__NUXT__.config)

malicious redirect

The download infrastructure routes through 'download.wavebrowser.co' (a subdomain), and the new tab page is silently controlled by 'mywavehome.net' — a separate domain not prominently disclosed on the marketing page. Post-install, users' new tab sessions would be redirected to this undisclosed domain, enabling search hijacking and monetization without clear user consent. (location: page-text.txt:2 - window.__NUXT__.config downloadApi and waveNewTabApi values)

social engineering

The page includes prefetched audio files named 'yad_edge.mp3' and 'yad_firefox.mp3', suggesting targeted behavioral flows that activate when users are detected as running Edge or Firefox. This implies the site serves different persuasion content based on detected browser, a form of targeted social engineering to encourage switching away from competitor browsers. (location: page.html:95-96 - prefetch audio links)