- Researchers found more than 40 harmful Firefox extensions designed to steal cryptocurrency wallet secrets.
- The fake extensions imitated trusted wallet tools from companies like Coinbase, MetaMask, and others.
- The malicious add-ons used fake five-star reviews and copied branding to appear authentic to users.
- The campaign, active since at least April 2025, primarily targeted users by taking information directly from browser activity.
- Mozilla has removed nearly all involved extensions and introduced new detection measures, but users are advised to verify extensions before installation.
Cybersecurity researchers have identified over 40 malicious browser extensions in the Mozilla Firefox Add-ons store that steal cryptocurrency wallet information. The campaign, which started by April 2025 at the latest, involved extensions impersonating legitimate crypto wallet tools to obtain sensitive user data.
These extensions posed as authentic add-ons for platforms such as Coinbase, MetaMask, Trust Wallet, and others, according to Koi Security researcher Yuval Ronen. Attackers uploaded new malicious versions as recently as last week, while boosting the extensions’ perceived popularity with hundreds of fake, five-star reviews. These reviews far outnumbered actual user installations, making the add-ons appear reputable.
“These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox,” Ronen wrote in a detailed analysis. Attackers often cloned open-source versions of real extensions, adding their own code to steal wallet keys and seed phrases. The malicious software also collected victims’ external IP addresses and sent the data to attackers’ remote servers.
These add-ons worked directly inside the browser instead of using phishing websites or misleading emails. This made them more difficult for standard antivirus or anti-phishing tools to detect. “This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection,” Ronen explained.
Investigators found Russian-language notes in the source code, as well as evidence from a server used by the campaign, suggesting a Russian-speaking group was behind the operation.
Mozilla has removed all affected extensions except for one linked to MyMonero Wallet. The company has also started using a new early detection system to spot scam crypto wallet extensions before they are widely downloaded.
Experts recommend that users only install extensions from verified publishers and monitor add-ons for suspicious changes.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Bangladesh Joins China-Pakistan CPEC, Boosts De-Dollarization Push
- XRP Jumps 3.5% as Bullish Options Surge, ETF Hopes Hit 95%
- Nexo Partners with DP World Tour in Historic Golf Deal
- Vitalik Buterin Donated and Burned 460T Shiba Inu Tokens in 2021
- OpenAI Disavows Robinhood’s Tokenized Stock Giveaway as “Fake”