Over 40 fake Firefox extensions exposed in crypto wallet theft campaign
More than 40 malicious browser extensions for Mozilla Firefox have been uncovered, targeting cryptocurrency users by stealing wallet credentials, researchers at Koi Security revealed this week.
The campaign, which has been active since at least April 2025, involves extensions masquerading as legitimate tools from popular wallet services like Coinbase, MetaMask, Trust Wallet, Phantom, and others. The fake add-ons were uploaded to the official Firefox Add-ons store and designed to extract seed phrases and keys directly from users’ browsers.
How the scam works
According to researcher Yuval Ronen, attackers cloned open-source versions of genuine wallet extensions, injected malicious code to siphon sensitive data, and repackaged them under familiar names and logos. To appear trustworthy, the operators padded the listings with fake 5-star reviews that far exceeded actual install counts.
“These extensions maintained a believable user experience, which reduced the likelihood of immediate detection,” Ronen said. In addition to stealing wallet secrets, the rogue extensions also sent victims’ external IP addresses to remote servers controlled by the attackers.
Investigators noted Russian-language comments in the source code and metadata linking the campaign to a Russian-speaking group.
Mozilla’s response
All identified malicious add-ons, except one imitating MyMonero, have since been removed from the Firefox store. Mozilla recently stated it has implemented an “early detection system” to identify and block scam crypto wallet extensions before they gain traction.
Unlike phishing sites or emails, these browser-based attacks are harder to spot and can bypass many traditional security measures.
How to stay safe
To reduce risk, experts recommend downloading extensions only from verified publishers, checking reviews critically, and monitoring for any suspicious post-installation behavior.
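A defender-side audit for the two signals described above, a wallet-branded add-on from an unexpected publisher and 5-star reviews that exceed the install count, as an added example that is not from the article or from Koi Security. The `extensions.json` layout, the listing fields `users` and `five_star`, the allowlist, and every add-on ID are assumptions or constructed sample values.

```python
import json

# Wallet brands the article lists as impersonated.
BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "mymonero")

# Constructed sample shaped like a Firefox profile's extensions.json (assumed layout).
SAMPLE_PROFILE = json.loads("""
{"addons": [
 {"id": "wallet-official@example.invalid", "type": "extension",
  "defaultLocale": {"name": "MetaMask"}},
 {"id": "{00000000-0000-0000-0000-000000000001}", "type": "extension",
  "defaultLocale": {"name": "Phantom Wallet"}},
 {"id": "notes@example.invalid", "type": "extension",
  "defaultLocale": {"name": "Quick Notes"}},
 {"id": "theme@example.invalid", "type": "theme",
  "defaultLocale": {"name": "Coinbase Blue"}}
]}
""")

# Constructed store-listing figures keyed by add-on ID (hypothetical field names).
SAMPLE_LISTINGS = {
    "wallet-official@example.invalid": {"users": 500000, "five_star": 3200},
    "{00000000-0000-0000-0000-000000000001}": {"users": 40, "five_star": 310},
}


def audit_addons(profile, trusted_ids, listings):
    """Return wallet-branded extensions that fail the allowlist or review check."""
    findings = []
    for addon in profile.get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes and other non-extension add-on types
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        brand = next((b for b in BRANDS if b in name.lower()), None)
        if brand is None:
            continue
        reasons = []
        if addon.get("id") not in trusted_ids:
            reasons.append("id not on allowlist")
        stats = listings.get(addon.get("id"))
        if stats and stats["five_star"] > stats["users"]:
            reasons.append("more 5-star reviews than users")
        if reasons:
            findings.append({"id": addon.get("id"), "name": name,
                             "brand": brand, "reasons": reasons})
    return findings


if __name__ == "__main__":
    trusted = {"wallet-official@example.invalid"}  # operator-maintained, constructed
    for finding in audit_addons(SAMPLE_PROFILE, trusted, SAMPLE_LISTINGS):
        print(finding)
```

The allowlist is meant to hold add-on IDs the operator has confirmed against each wallet vendor's own site; a flagged add-on is a prompt for manual review, not proof of compromise.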