Over 40 Malicious Firefox Extensions Steal Crypto Wallet Secrets

Over 40 Malicious Firefox Extensions Impersonate Crypto Wallets, Steal User Data

  • Researchers found more than 40 harmful Firefox extensions designed to steal cryptocurrency wallet secrets.
  • The fake extensions imitated trusted wallet tools from companies like Coinbase, MetaMask, and others.
  • The malicious add-ons used fake five-star reviews and copied branding to appear authentic to users.
  • The campaign, active since at least April 2025, primarily targeted users by taking information directly from browser activity.
  • Mozilla has removed nearly all involved extensions and introduced new detection measures, but users are advised to verify extensions before installation.

Cybersecurity researchers have identified over 40 malicious browser extensions in the Mozilla Firefox Add-ons store that steal cryptocurrency wallet information. The campaign, which started by April 2025 at the latest, involved extensions impersonating legitimate crypto wallet tools to obtain sensitive user data.

- Advertisement -

These extensions posed as authentic add-ons for platforms such as Coinbase, MetaMask, Trust Wallet, and others, according to Koi Security researcher Yuval Ronen. Attackers uploaded new malicious versions as recently as last week, while boosting the extensions’ perceived popularity with hundreds of fake, five-star reviews. These reviews far outnumbered actual user installations, making the add-ons appear reputable.

“These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox,” Ronen wrote in a detailed analysis. Attackers often cloned open-source versions of real extensions, adding their own code to steal wallet keys and seed phrases. The malicious software also collected victims’ external IP addresses and sent the data to attackers’ remote servers.

These add-ons worked directly inside the browser instead of using phishing websites or misleading emails. This made them more difficult for standard antivirus or anti-phishing tools to detect. “This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection,” Ronen explained.

Investigators found Russian-language notes in the source code, as well as evidence from a server used by the campaign, suggesting a Russian-speaking group was behind the operation.

Mozilla has removed all affected extensions except for one linked to MyMonero Wallet. The company has also started using a new early detection system to spot scam crypto wallet extensions before they are widely downloaded.

Experts recommend that users only install extensions from verified publishers and monitor add-ons for suspicious changes.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Judge Allows Disputed Testimony in Tornado Cash Co-Founder Trial

A U.S. judge allowed an IRS agent to testify about the movement of stolen...

IRS Agent Testifies on Roman Storm’s Control Over Tornado Cash Funds

Prosecutors in the Tornado Cash case used IRS agent testimony as they prepare to...

Mimo Shifts Tactics: Targets Magento and Docker for Crypto Mining

A threat group known as Mimo is targeting e-commerce systems and cloud services to...

Alphabet Beats Q2 Estimates, Raises AI Capex Forecast to $85B

Alphabet reported quarterly revenue of $96.4 billion, exceeding Wall Street expectations. Artificial Intelligence efforts helped...

WisdomTree Reveals USDW Stablecoin Plans, Expands Crypto Offerings

WisdomTree revealed details of its stablecoin approach and made public its Stellar-based stablecoin, USDW.USDW,...

Must Read

Top 10 BEST Crypto Trading Books for New Traders

If you're thinking of diving into the crypto trading space, acquiring solid knowledge isn't just recommended - it's essential to protect your investment.Learning...