A sophisticated and large-scale malicious campaign has been detected, involving dozens of fraudulent extensions on the Firefox browser aimed at stealing users’ cryptocurrency wallet information.
According to a report from the security research group Koi Security, at least 40 malicious extensions have been identified, masquerading as popular wallets such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.
This campaign has been operating quietly since at least April 2025 and is still ongoing; new malicious extensions were still appearing on the Firefox Add-ons store as of last week. The extensions steal cryptocurrency wallet access data directly from the web pages users visit and send it to attacker-controlled servers. They also collect the victim’s external IP address, possibly for tracking or for targeting follow-on attacks.
The extensions deceive users with familiar trust-building tactics: fake 5-star ratings, and names and interfaces that closely mimic the official extensions, so that users easily mistake one for the other. In some cases the attackers copied the open-source code of the genuine extension and added only a few lines of data-stealing code, preserving the normal user experience so as not to arouse suspicion.
Koi Security stated that the campaign may originate from a Russian-speaking group, based on Russian-language code comments and on the metadata of a PDF document retrieved from the command-and-control (C2) server. The research team notes, however, that there is still no definitive attribution.
Recommendations from Koi Security:
Only install extensions from verified developers.
Do not fully trust high ratings and reviews on add-on stores.
Build an allowlist of extensions permitted for use within the organization.
Monitor installed extensions continuously, since an extension may be updated with malicious code after installation.
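The last two recommendations, an organizational allowlist and post-install monitoring, can be turned into a small audit script. The example below is added here and is not Koi Security's tooling: it reads the `addons` array from a Firefox profile's `extensions.json` (a constructed sample is embedded; the field names `id`, `type`, `active`, `version`, `defaultLocale.name`, `installDate` and `updateDate` are assumed to match the real file), flags extensions that are not on the allowlist or that were updated after installation, and emits the Firefox enterprise `policies.json` `ExtensionSettings` block that blocks everything except the allowlisted IDs. The extension IDs are placeholders.

```python
import json

# Extension IDs the organization has reviewed and approved (constructed placeholders).
ALLOWLIST = {"approved-wallet@example.com", "password-manager@example.org"}

# Constructed sample in the shape of a Firefox profile's extensions.json
# (only the fields this script reads; real files carry many more).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 36,
    "addons": [
        {"id": "approved-wallet@example.com", "type": "extension", "active": True,
         "version": "2.1.0", "defaultLocale": {"name": "Approved Wallet"},
         "installDate": 1745000000000, "updateDate": 1745000000000},
        {"id": "lookalike-wallet@example.net", "type": "extension", "active": True,
         "version": "1.0.3", "defaultLocale": {"name": "MetaMask"},
         "installDate": 1746000000000, "updateDate": 1749000000000},
        {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
         "version": "1.0", "defaultLocale": {"name": "Default"},
         "installDate": 1700000000000, "updateDate": 1700000000000},
    ],
})

def audit_extensions(extensions_json: str, allowlist: set[str]) -> list[dict]:
    """One finding per active extension that is not allowlisted, or that was
    updated after it was installed (the post-install update risk noted above)."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # themes, dictionaries and disabled add-ons are out of scope
        reasons = []
        if addon["id"] not in allowlist:
            reasons.append("not on allowlist")
        if addon.get("updateDate", 0) > addon.get("installDate", 0):
            reasons.append("updated after install")
        if reasons:
            findings.append({"id": addon["id"], "version": addon.get("version"),
                             "name": addon.get("defaultLocale", {}).get("name"),
                             "reasons": reasons})
    return findings

def allowlist_policy(allowlist: set[str]) -> dict:
    """Firefox policies.json content: block every extension except allowlisted IDs."""
    settings = {"*": {"installation_mode": "blocked",
                      "blocked_install_message": "Extension not approved by IT"}}
    for ext_id in sorted(allowlist):
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}

if __name__ == "__main__":
    print(json.dumps(audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWLIST), indent=2))
    print(json.dumps(allowlist_policy(ALLOWLIST), indent=2))
```

On a real machine, point the script at each profile's `extensions.json` and deploy the generated policy through Firefox's enterprise `policies.json`; a name like "MetaMask" under an unknown ID is exactly the lookalike pattern described above.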
Koi Security believes that managing browser extensions, which have deep access to the system, is an aspect of cybersecurity that has long been overlooked. Koi’s tools are currently used by large corporations, financial organizations, and technology companies to audit and control risks from browser extensions and open-source code on platforms such as Firefox, Chrome Web Store, VSCode, Hugging Face, Homebrew, GitHub…
Warning: There are currently over 40 fake Firefox extensions stealing cryptocurrency wallets.
Han Xin