Cybersecurity researchers have recently uncovered a large-scale attack campaign involving over 40 malicious browser extensions for Mozilla Firefox specifically designed to steal cryptocurrency wallet credentials, putting users’ digital assets at serious risk.
According to Koi Security researcher Yuval Ronen, these dangerous extensions are masquerading as popular crypto wallets from trusted platforms including:
Coinbase
MetaMask
Trust Wallet
Phantom
Exodus
OKX
Keplr
MyMonero
Bitget
Leap
Ethereum Wallet
Filfox
The malicious campaign has been active since at least April 2025, with some harmful extensions still being uploaded to the Firefox Add-ons store as recently as last week.
These fake extensions use several tactics to appear legitimate:
Fake 5-Star Reviews:
The attackers artificially inflated positive reviews to make their extensions look trustworthy.
Stolen Branding:
They copied the names and logos of real crypto wallets to deceive users.
Cloned Source Code:
Some original wallet extensions were open-source, allowing attackers to clone the code, add malware, and preserve the original user experience to avoid suspicion.
Stealing Wallet Secrets:
The malicious extensions are programmed to steal:
Wallet keys
Seed phrases
Victims’ external IP addresses
All stolen data is quietly sent to remote command-and-control (C2) servers.
Unlike traditional phishing attacks that rely on fake websites or emails, these malicious extensions operate inside the browser, making them:
Harder to detect
Difficult to block with regular antivirus tools
“This low-effort, high-impact approach allowed the attackers to maintain a smooth user experience while avoiding quick detection,” said Ronen.
Evidence points to a Russian-speaking threat actor group, based on:
Russian-language comments found in the malicious source code
Metadata from files on the attackers’ C2 server
Mozilla has removed most of the identified extensions, except for MyMonero Wallet.
Mozilla has also developed an early detection system to block scam crypto wallet extensions before they spread.
✔ Only install browser extensions from verified, trusted developers.
✔ Regularly review installed extensions.
✔ Avoid extensions with suspiciously high ratings but low installation numbers.
✔ Stay updated on cybersecurity alerts.
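One way to carry out the "regularly review installed extensions" step for the wallet brands named above. This is an added example, not code from Koi Security or Mozilla. It assumes Firefox's per-profile extensions.json inventory with an "addons" array whose entries carry "id", "type", "active" and "defaultLocale" fields; the sample inventory and its add-on IDs are constructed.

```python
import json
from pathlib import Path

# Wallet brands the article lists as impersonated (lower-cased for matching).
BRANDS = ["coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
          "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox"]


def wallet_addons(extensions_json_text):
    """Return installed extensions whose display name contains a listed brand."""
    data = json.loads(extensions_json_text)
    hits = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, language packs
        locale = addon.get("defaultLocale") or {}
        name = locale.get("name") or ""
        matched = [b for b in BRANDS if b in name.lower()]
        if matched:
            hits.append({
                "id": addon.get("id"),
                "name": name,
                "creator": locale.get("creator"),
                "active": bool(addon.get("active")),
                "brands": matched,
            })
    return hits


def audit_profile(profile_dir):
    """Read extensions.json from a Firefox profile directory, if present."""
    path = Path(profile_dir) / "extensions.json"
    if not path.is_file():
        return []
    return wallet_addons(path.read_text(encoding="utf-8"))


# Constructed sample inventory (assumed field layout, not real add-on IDs).
SAMPLE = json.dumps({"addons": [
    {"id": "example-wallet@constructed.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet Pro", "creator": "unknown-dev"}},
    {"id": "adblock@constructed.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Some Ad Blocker", "creator": "someone"}},
    {"id": "theme@constructed.invalid", "type": "theme", "active": True,
     "defaultLocale": {"name": "Phantom Dark Theme", "creator": "someone"}},
]})

if __name__ == "__main__":
    for hit in wallet_addons(SAMPLE):
        print(hit)
```

A match only means the add-on uses a wallet brand in its name; compare its id and creator with the listing linked from the wallet vendor's own website before trusting it.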
The discovery of these malicious Firefox extensions highlights the growing threat to cryptocurrency users. Browser-based attacks are becoming more creative and harder to detect. At CCIE Academy, we always recommend staying alert and following best security practices when dealing with browser add-ons and crypto assets.