Malicious Firefox Extensions Mimic Crypto Wallets

Firefox users have been hit by a large-scale cyber campaign.
Dozens of extensions impersonating crypto wallets like MetaMask and Trust Wallet are actually stealing seed phrases and private keys.
This campaign was discovered by researchers at Koi Security, who identified more than 40 malicious extensions that remained active on Mozilla’s store. These are not typical fakes. They are fully functioning tools for covert fund theft. The case highlights a growing problem: browser extensions remain a blind spot when it comes to protecting crypto assets. The attack is ongoing, and anyone who prioritizes convenience over verified links is at risk.
Mass Imitation of Crypto Wallets in Firefox
This is not the first time crypto wallets have been spoofed, but the scale of this campaign surpasses most previously recorded incidents. Extensions were distributed in bulk, but also through staggered uploads and under different developer names, a tactic that helped bypass filters. In some cases, the copies were uploaded via regionally diverse accounts, fostering the illusion of independent developers. The campaign’s key feature was its wide scope: it targeted many well-known brands, including both multichain wallets and native wallets built for specific blockchains. This indicates a high degree of coordination and familiarity with the preferences of the crypto community.
Researchers at Koi Security discovered more than 40 malicious Firefox extensions impersonating popular crypto wallets, including MetaMask, Trust Wallet, Coinbase Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, and others.
Attackers used the open-source code of legitimate wallets, inserted malicious scripts, and uploaded the modified extensions with identical names and icons to the official Firefox store.
The attack mechanism was insidiously clever. The extension monitored user input and, upon detecting a phrase longer than 30 characters (a typical pattern for seed phrases), intercepted and transmitted it to a remote server controlled by the attackers, along with the user’s IP address. On the surface, the extension functioned nearly identically to the original, making the two almost indistinguishable.
According to Koi Security, the first versions of these extensions appeared in Mozilla Add-ons as early as April 2025. Despite multiple complaints, clones of these extensions are still being uploaded to the store.
Fake Reviews and Russian Code: How the Attack Works
The attackers did more than replicate code. They recreated the entire front-facing image of trusted wallet products: names, descriptions, logos, UI components, and even reviews. Many of the extensions featured 300 to 500 fake five-star ratings, creating a false impression of popularity.
In some cases, the number of positive reviews exceeded the number of installations, a red flag in itself. But many users failed to notice this during a quick scan.
Researchers also found Russian-language metadata and comments in the code, suggesting the involvement of a Russian-speaking group behind the operation.
While Mozilla has begun rolling out pre-screening systems to identify suspicious extensions, the campaign remains active. Alarmingly, some clones remain available for installation. Beyond appearance and reviews, the attackers also used another critical tactic: forged manifest files. These listed permissions identical to those used by legitimate wallets, which enabled the extensions to bypass automated moderation.
The malicious code was often disguised as harmless modules and loaded dynamically after installation. Some variants even included JavaScript keyloggers embedded into the interface scripts. According to BleepingComputer, “the malware sent stolen seed phrases and private keys to a Telegram bot operated by the attackers”. Self-deleting mechanisms were also present; the extension removed itself after sending the stolen data, making forensic analysis significantly more difficult. Such sophisticated techniques make detection difficult, even with manual inspection.
This is now one of the largest recorded series of fake wallet extensions ever discovered in a browser marketplace.
How to Protect Yourself: 6 Key Tips
Browser wallets are convenient, but they remain vulnerable. Even technically proficient users should stay alert. Malicious extensions can infiltrate your system silently. Below is a basic but effective list of tips to reduce your risk of losing crypto through spoofed browser add-ons.
- Install extensions only from verified links. Avoid using the search feature inside Mozilla Add-ons or Chrome Web Store. Always navigate to the official wallet website and download from there.
- Check developer details. The extension page displays who published it, when it was last updated, and which permissions it requests. These indicators are essential for evaluating safety.
- Do not rely on visual ratings alone. Hundreds of five-star reviews can be artificially inflated. Read negative reviews and check the number of real users.
- Audit your installed extensions regularly. Remove unused extensions. Review all installed components and ensure there are no unknown or suspicious items among them.
- Use hardware wallets. These store seed phrases on isolated devices, making them inaccessible to browser-based tools. This is especially important for large holdings.
- Keep your browser up to date. Firefox and Chrome have begun integrating detection systems for malicious extensions, though they are not foolproof. Updates often include new protective measures, and skipping them increases your exposure.
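One way to run the audit and developer-detail checks from the tips above is to read Firefox's own record of installed add-ons; this is an added example, not code from the article or from Koi Security. It assumes the `extensions.json` file in the Firefox profile directory with the `addons`, `defaultLocale`, `userPermissions`, `location`, `installDate` and `sourceURI` fields, and the sample data, IDs and names are constructed.

```python
import json
from datetime import datetime, timezone

# Wallet brands the article names as impersonation targets.
WALLET_BRANDS = ("metamask", "trust wallet", "coinbase wallet", "phantom",
                 "exodus", "okx", "keplr", "mymonero")
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_json_text):
    """Return a review record per user-installed extension, newest first."""
    records = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        # Skip themes, dictionaries and add-ons that ship with the browser.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        locale = addon.get("defaultLocale") or {}
        name = locale.get("name") or ""
        origins = set((addon.get("userPermissions") or {}).get("origins", []))
        flags = []
        if any(brand in name.lower() for brand in WALLET_BRANDS):
            # Name and icon prove nothing: verify ID and publisher manually.
            flags.append("wallet-branded")
        if origins & BROAD_ORIGINS:
            # Legitimate wallets request this too; it is a prompt to review.
            flags.append("all-sites-access")
        when = datetime.fromtimestamp((addon.get("installDate") or 0) / 1000, tz=timezone.utc)
        records.append({"id": addon.get("id"), "name": name,
                        "creator": locale.get("creator"),
                        "installed": when.date().isoformat(),
                        "source": addon.get("sourceURI"), "flags": flags})
    return sorted(records, key=lambda r: r["installed"], reverse=True)

# Constructed sample input (not a real profile); IDs and names are made up.
SAMPLE = json.dumps({"addons": [
    {"id": "notes@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Simple Notes", "creator": "Example Dev"},
     "userPermissions": {"permissions": ["storage"], "origins": []},
     "installDate": 1704067200000, "sourceURI": None},
    {"id": "wallet-clone@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "MetaMask Wallet", "creator": "Unknown Publisher"},
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]},
     "installDate": 1751328000000, "sourceURI": None},
    {"id": "builtin@example.invalid", "type": "extension", "location": "app-builtin",
     "defaultLocale": {"name": "Built-in Feature"}, "installDate": 0},
]})

if __name__ == "__main__":
    for record in audit_extensions(SAMPLE):
        print(record)
```

A `wallet-branded` flag is only a prompt: compare the add-on ID and publisher it reports with the listing linked from the wallet's official website.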
This incident demonstrates that fake browser extensions are not rare anomalies. They represent a real attack vector, exploiting user trust in official web stores. While the browser may have become the default interface for crypto, it still lacks the necessary security maturity. One of the most common mistakes is clicking on the top result in the extension store and unknowingly installing a malicious clone of MetaMask. The best move for users is to adopt a cautious mindset: avoid relying solely on ratings, scrutinize permissions, and only use extensions when absolutely necessary. A single spoofed extension can drain your entire wallet.
The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Nor do we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.