
In a significant cybersecurity revelation, Koi Security has uncovered a large-scale campaign involving over 40 malicious Firefox extensions designed to steal cryptocurrency wallet credentials. These fake extensions, which impersonate trusted wallet tools such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget, Keplr, Ethereum Wallet, and Filfox, have been active since at least April 2025 and remain a persistent threat. This discovery underscores the growing sophistication of cyberattacks targeting the cryptocurrency ecosystem and the urgent need for heightened vigilance among Firefox users.
Mechanics of the Malicious Campaign
The malicious extensions are meticulously crafted to appear legitimate, often cloning the open-source codebases of genuine wallet extensions and embedding spyware within seemingly harmless files. Once installed, these extensions extract sensitive wallet credentials, such as seed phrases and private keys, directly from targeted websites. The stolen data is then transmitted to remote servers controlled by attackers, enabling them to access and drain users’ cryptocurrency wallets.
To bolster their credibility, attackers employ deceptive tactics, including artificially inflating the number of 5-star reviews, sometimes adding hundreds of fake reviews that exceed the extensions’ actual installation counts. This creates an illusion of authenticity, tricking unsuspecting users into believing the extensions are widely adopted and trustworthy. The campaign’s ongoing nature, with new extensions uploaded to the Firefox Add-ons store as recently as last week, indicates that cybercriminals are actively refining their approach to evade detection.
| Aspect | Details |
| --- | --- |
| Number of Extensions | Over 40 |
| Targeted Wallets | Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget, Keplr, Ethereum Wallet, Filfox |
| Method of Attack | Extracts credentials from websites, sends to attacker-controlled servers |
| Deceptive Tactics | Fake 5-star reviews, cloned legitimate code with hidden malicious scripts |
| Campaign Duration | Active since April 2025, ongoing with recent uploads |
Impact on Cryptocurrency Users
The consequences of installing these malicious extensions are severe. Users risk losing their entire cryptocurrency holdings, as stolen credentials allow attackers to transfer funds to their own wallets. Given the irreversible nature of blockchain transactions, recovering stolen assets is nearly impossible. Last year, cybercriminals stole over $494 million from more than 300,000 wallet addresses through similar wallet-draining attacks, highlighting the scale and impact of such threats.
The campaign’s focus on popular wallets like MetaMask and Coinbase, which are widely used by both novice and experienced crypto investors, amplifies its potential reach. The use of browser extensions as an attack vector is particularly concerning, as they are often perceived as convenient tools for managing digital assets. This incident serves as a stark reminder that even seemingly trustworthy browser add-ons can pose significant risks.
Mozilla’s Response and Detection Efforts
Mozilla has taken proactive steps to combat the threat of malicious extensions. Andreas Wagner, Mozilla’s Add-ons Operations Manager, stated that the organization has removed hundreds of scam extensions, including fake crypto wallets, over the past few years. In response to the growing prevalence of such attacks, Mozilla has introduced a new system specifically designed to detect crypto-draining add-ons on the Firefox Add-ons store. However, Wagner acknowledges the challenge, describing it as a “constant cat-and-mouse game” as attackers continuously adapt to bypass detection methods.
Despite these efforts, the ongoing nature of the campaign suggests that some malicious extensions may still be available for download, emphasizing the need for users to exercise caution when selecting browser add-ons.
Broader Context of Cryptocurrency Security
This incident is part of a broader trend of escalating cyber threats targeting the cryptocurrency ecosystem. As the value and adoption of cryptocurrencies like Bitcoin and Ethereum continue to rise, cybercriminals are increasingly exploiting vulnerabilities in digital wallets, exchanges, and related tools. Browser extensions, due to their direct access to user data and website interactions, have emerged as a prime target for such attacks.
The campaign’s suspected ties to Russian-speaking threat actors, inferred from Russian-language comments in the malicious code and metadata from a command-and-control server, highlight the global nature of cybercrime. Similar attacks have been reported in the past, such as OKX’s January 2025 warning about fake Firefox extensions impersonating its wallet, indicating that this is a recurring issue across the crypto space.
The rise in phishing attacks, malware, and social engineering tactics targeting crypto users underscores the need for robust security measures. According to Cointelegraph, phishing attacks in cryptocurrency often exploit trusted platforms, making it critical for users to verify the authenticity of tools and services they use.
How Users Can Protect Themselves
To safeguard their digital assets, Firefox users and cryptocurrency holders are advised to adopt the following best practices:
- Verify Extension Sources: Only install extensions from verified publishers, ideally directly from the official website of the wallet provider. For example, check the official MetaMask or Coinbase website for links to their legitimate extensions.
- Skepticism Toward Reviews: Do not rely solely on ratings or reviews, as these can be manipulated. Cross-verify the extension’s authenticity through trusted sources.
- Monitor Browser Behavior: Watch for unusual activities, such as unexpected pop-ups or unauthorized updates, which may indicate a malicious extension.
- Use Allowlists: Employ browser features or third-party tools to create allowlists, ensuring only trusted extensions are active.
- Keep Software Updated: Regularly update Firefox and installed extensions to patch security vulnerabilities.
- Secure Wallet Credentials: Store seed phrases and private keys offline, preferably in a hardware wallet, to minimize exposure to online threats.
| Prevention Tip | Description |
| --- | --- |
| Verify Extension Sources | Install only from official wallet provider websites |
| Skepticism Toward Reviews | Cross-check authenticity, as fake reviews can mislead users |
| Monitor Browser Behavior | Look for unusual activities or updates indicating malicious extensions |
| Use Allowlists | Restrict active extensions to trusted ones only |
| Keep Software Updated | Update browser and extensions to address security vulnerabilities |
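One way to put the "Use Allowlists" tip into practice with Firefox's own enterprise policy mechanism, as an added example that is not part of the original article: a policies.json whose ExtensionSettings entry blocks installation of every extension by default and then permits only explicitly listed add-on IDs. The extension IDs and the AMO slug below are placeholders (assumptions), not the real wallet extensions' identifiers; take the legitimate ID from the wallet provider's official website before deploying this.

```json
{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "This browser installs only allowlisted add-ons. Ask the security team to review any extension you need.",
        "install_sources": ["https://addons.mozilla.org/"]
      },
      "PLACEHOLDER-approved-wallet-extension-id@example.com": {
        "installation_mode": "allowed"
      },
      "PLACEHOLDER-mandatory-extension-id@example.com": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/PLACEHOLDER-slug/latest.xpi"
      }
    }
  }
}
```

Save the file as distribution/policies.json inside the Firefox installation directory (or deploy the same policy through Group Policy or a macOS configuration profile) and confirm it is active on about:policies. With the default set to blocked, a lookalike wallet extension on the Add-ons store cannot be installed regardless of how many 5-star reviews it carries, because its ID is not on the list.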
Looking Ahead
The discovery of over 40 malicious Firefox extensions targeting cryptocurrency wallets serves as a critical wake-up call for the crypto community. As cybercriminals continue to exploit trusted platforms and tools, users must remain vigilant and proactive in protecting their digital assets. Mozilla’s ongoing efforts to enhance detection systems are a step in the right direction, but the persistent nature of these attacks highlights the need for collective action from users, developers, and security experts.
The cryptocurrency ecosystem is evolving rapidly, and with it, the sophistication of cyber threats. By adopting robust security practices and staying informed about emerging risks, users can better safeguard their investments in this dynamic digital landscape.