
Firefox Under Siege: Over 40 Malicious Crypto Wallet Extensions Steal User Assets

Firefox Users Beware: Over 40 Malicious Crypto Wallet Extensions Discovered

Cybersecurity firm Koi Security has uncovered a widespread malicious campaign targeting Firefox users, involving over 40 fake browser extensions designed to steal cryptocurrency wallet credentials. These deceptive extensions mimic popular wallet tools, tricking users into downloading them and compromising their digital assets.


The Deceptive Campaign Unveiled

The campaign, active since at least April 2025, utilizes sophisticated tactics to gain user trust and avoid detection. The malicious extensions impersonate well-known platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, and others. Once installed, they extract wallet credentials directly from targeted websites and transmit them to attacker-controlled remote servers.

Key Takeaways

  • Impersonation: Malicious extensions mimic legitimate crypto wallet tools, using identical names and logos.

  • Trust-Building: Attackers employ fake 5-star reviews and clone open-source codebases of legitimate extensions, inserting malicious logic while maintaining expected user experiences.

  • Credential Theft: The extensions are designed to steal sensitive wallet credentials and seed phrases.

  • Persistence: Despite warnings and reports, many fake extensions remain available for download, challenging automated detection systems.

  • Attribution: While tentative, signals suggest a Russian-speaking threat actor group may be behind the campaign.

How the Attackers Operate

The attackers leverage several methods to ensure their malicious extensions appear legitimate:

  1. Visual Mimicry: They use identical names and logos to the real services, increasing the likelihood of accidental installations.

  2. Fake Reviews: Hundreds of fake 5-star reviews create an illusion of widespread adoption and positive feedback.

  3. Code Cloning: By cloning authentic open-source codebases and injecting malicious logic, they ensure the extensions function similarly to legitimate ones, making detection difficult.

This approach allows the malicious extensions to remain undetected for extended periods, as users experience standard wallet functionality while their credentials are secretly exfiltrated.

Protecting Your Crypto Assets

To safeguard against these threats, users are advised to:

  • Verify Publishers: Only install browser extensions from verified and official publishers.

  • Treat Extensions as Software: Consider browser extensions as full software assets and exercise caution.

  • Use Allow-lists: Employ extensions or browser settings that restrict installations to validated extensions only.

  • Monitor Activity: Regularly monitor for unexpected behavior or updates in your installed extensions.

  • Hardware Wallets: For significant crypto holdings, consider using hardware wallets for enhanced security.

  • Avoid Browser-Based Storage: Minimize storing sensitive crypto information directly in your browser.
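The allow-list and monitoring advice above can be checked against a Firefox profile's add-on inventory. The following is an added example, not code from Koi Security or BetterWorld Technology. It assumes the profile's `extensions.json` lists add-ons under `addons` with `id`, `type`, `location` and `defaultLocale.name` fields; the allow-list IDs and the sample inventory are constructed placeholders.

```python
import json

# Constructed allow-list: brand -> add-on ID you have verified yourself.
# These IDs are placeholders, not the real IDs of any wallet extension.
ALLOWED = {
    "metamask": "official-metamask@example.invalid",
    "phantom": "official-phantom@example.invalid",
}
# Brands the article names as impersonation targets.
BRANDS = ["coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx"]
# Assumption: locations Firefox uses for components it ships itself.
BUILTIN = {"app-builtin", "app-system-defaults"}

# Constructed sample shaped like a profile's extensions.json (assumed layout).
SAMPLE = json.loads("""
{"addons": [
  {"id": "official-metamask@example.invalid", "type": "extension",
   "location": "app-profile", "defaultLocale": {"name": "MetaMask"}},
  {"id": "clone-1@example.invalid", "type": "extension",
   "location": "app-profile", "defaultLocale": {"name": "MetaMask Wallet"}},
  {"id": "notes@example.invalid", "type": "extension",
   "location": "app-profile", "defaultLocale": {"name": "Quick Notes"}},
  {"id": "theme@example.invalid", "type": "theme",
   "location": "app-profile", "defaultLocale": {"name": "Dark Phantom"}},
  {"id": "shipped@example.invalid", "type": "extension",
   "location": "app-builtin", "defaultLocale": {"name": "Form Autofill"}}
]}
""")

def audit(inventory, allowed=ALLOWED, brands=BRANDS):
    """Return (id, name, verdict) for every extension that is not approved."""
    approved_ids = set(allowed.values())
    findings = []
    for addon in inventory.get("addons", []):
        if addon.get("type") != "extension" or addon.get("location") in BUILTIN:
            continue  # themes, dictionaries and browser-shipped components
        addon_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        if addon_id in approved_ids:
            continue
        # A wallet brand in the name with an unapproved ID is the pattern
        # the campaign relies on: same name and logo, different publisher.
        lookalike = any(brand in name.lower() for brand in brands)
        findings.append((addon_id, name, "lookalike" if lookalike else "unlisted"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To audit a real profile, load its `extensions.json` with `json.load` and pass the result to `audit` in place of `SAMPLE`.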

This discovery underscores the ongoing need for vigilance in the cryptocurrency space, as attackers continue to evolve their methods to exploit vulnerabilities and compromise user assets.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

