Over 40 Malicious Firefox Extensions Steal Crypto Wallet Secrets

Over 40 Malicious Firefox Extensions Impersonate Crypto Wallets, Steal User Data

  • Researchers found more than 40 harmful Firefox extensions designed to steal cryptocurrency wallet secrets.
  • The fake extensions imitated trusted wallet tools from companies like Coinbase, MetaMask, and others.
  • The malicious add-ons used fake five-star reviews and copied branding to appear authentic to users.
  • The campaign, active since at least April 2025, primarily targeted users by taking information directly from browser activity.
  • Mozilla has removed nearly all involved extensions and introduced new detection measures, but users are advised to verify extensions before installation.

Cybersecurity researchers have identified over 40 malicious browser extensions in the Mozilla Firefox Add-ons store that steal cryptocurrency wallet information. The campaign, which started by April 2025 at the latest, involved extensions impersonating legitimate crypto wallet tools to obtain sensitive user data.

- Advertisement -

These extensions posed as authentic add-ons for platforms such as Coinbase, MetaMask, Trust Wallet, and others, according to Koi Security researcher Yuval Ronen. Attackers uploaded new malicious versions as recently as last week, while boosting the extensions’ perceived popularity with hundreds of fake, five-star reviews. These reviews far outnumbered actual user installations, making the add-ons appear reputable.

“These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox,” Ronen wrote in a detailed analysis. Attackers often cloned open-source versions of real extensions, adding their own code to steal wallet keys and seed phrases. The malicious software also collected victims’ external IP addresses and sent the data to attackers’ remote servers.

These add-ons worked directly inside the browser instead of using phishing websites or misleading emails. This made them more difficult for standard antivirus or anti-phishing tools to detect. “This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection,” Ronen explained.

Investigators found Russian-language notes in the source code, as well as evidence from a server used by the campaign, suggesting a Russian-speaking group was behind the operation.

Mozilla has removed all affected extensions except for one linked to MyMonero Wallet. The company has also started using a new early detection system to spot scam crypto wallet extensions before they are widely downloaded.

Experts recommend that users only install extensions from verified publishers and monitor add-ons for suspicious changes.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Saylor Sets Sights on Making MicroStrategy a Leading Bitcoin Bank

MicroStrategy aims to become a major Bitcoin-backed bank, following early predictions from Hal Finney.Founder...

Senator Lummis Unveils Crypto Tax Bill With $300 Exemption Limit

Senator Cynthia Lummis introduced a bill to give U.S. crypto users new tax benefits.The...

Chinese Hackers Exploit Ivanti CSA Zero-Days in Major France Attack

Chinese threat group exploited zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to...

Senator Lummis Proposes Bill to Exempt Crypto Taxes Under $300

Senator Cynthia Lummis has introduced a bill to remove taxes on cryptocurrency transactions under...

First Abu Dhabi Bank to Launch Middle East’s First Digital Bond

First Abu Dhabi Bank plans to issue the Middle East’s first digital bond using...

Must Read

7 Best Audiobooks on Cybersecurity

Cybersecurity has become an essential topic in our increasingly digital world. As technology evolves and becomes more integrated into our daily lives, the importance...