Researchers from Koi Security have uncovered an active cyber campaign targeting Firefox users with fake browser extensions disguised as popular crypto wallets. The attackers aim to steal private keys and other sensitive user data.
How the Attack Works
The fake add-ons impersonate official extensions from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, the malware silently intercepts and sends wallet data, including seed phrases, to a remote server. It also captures the user's IP address, likely for tracking or targeted attacks.
According to Koi Security, the malicious actors have been active since at least April 2025. Some of the fake extensions were uploaded to the official Firefox Add-ons catalog just days ago. So far, more than 40 malicious extensions have been identified, and the campaign remains ongoing and evolving.
Infiltration Mechanics
The primary promotion tactic is artificial rating inflation. Many of the malicious extensions had hundreds of fake five-star reviews despite having very few real installations. This creates the illusion of popularity and reliability, increasing the likelihood that users will download them.
Additionally, the cybercriminals copied the appearance and names of the official extensions, down to the logos and identical user interfaces. This raises the chance that users might mistakenly install the malicious version.
In some cases, attackers used legitimate open-source versions of the extensions, embedding malicious code into them. These infected versions behaved like the originals on the surface, making detection difficult and allowing longer periods of undetected activity.
Who Is Behind It
No definitive attribution has been made, but several indicators point to a Russian-speaking author. Specifically, researchers found Russian-language comments in the source code and a PDF file with Russian metadata downloaded from the command server. While not conclusive, these elements are considered significant by investigators.
Koi Security Recommendations
Experts advise users to install extensions only from verified developers, even if the add-on has a high rating. They stress the importance of treating extensions as fully-fledged software by:
- performing audits,
- limiting access,
- applying allow-lists,
- considering that extensions can update silently and change their behavior after installation.
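A defender-side starting point for the audit and allow-list items above, as an added example that is not from Koi Security or from this article: a Python script that reads the add-on records from a Firefox profile's extensions.json (the field names follow that file's layout as I understand it; signedState 2 is taken to mean a signed add-on), flags extensions that are not on an allow-list, extensions whose displayed name matches one of the wallet brands named above without being allow-listed, extensions that have updated themselves since they were installed, and unsigned ones. The embedded JSON is a constructed sample, and the allow-list entries and the lookalike's ID are placeholders.

```python
"""Audit a Firefox profile's extensions.json against an allow-list.

Added example; not code from Koi Security or the article. The sample JSON
below is constructed, and the IDs in ALLOWED_IDS are placeholders.
"""
import json
from datetime import datetime, timezone

# Wallet brands the article says were impersonated; used only to spot
# lookalike names among add-ons that are not allow-listed.
WALLET_BRANDS = [
    "Coinbase", "MetaMask", "Trust Wallet", "Phantom", "Exodus", "OKX",
    "Keplr", "MyMonero", "Bitget", "Leap", "Ethereum Wallet", "Filfox",
]

# Placeholder allow-list: extension IDs the organisation has vetted.
ALLOWED_IDS = {"uBlock0@raymondhill.net"}

# Constructed sample shaped like extensions.json ("addons" holds one record per add-on).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "uBlock0@raymondhill.net", "type": "extension", "active": True,
         "version": "1.58.0", "signedState": 2,
         "defaultLocale": {"name": "uBlock Origin"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/ublock_origin.xpi",
         "installDate": 1712000000000, "updateDate": 1712000000000},
        {"id": "wallet-lookalike@example.invalid", "type": "extension", "active": True,
         "version": "2.0.1", "signedState": 2,
         "defaultLocale": {"name": "MetaMask"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/metamask_wallet.xpi",
         "installDate": 1718000000000, "updateDate": 1719000000000},
        {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
         "version": "1.3", "signedState": 0,
         "defaultLocale": {"name": "System theme"},
         "sourceURI": None,
         "installDate": 1700000000000, "updateDate": 1700000000000},
    ],
})


def _ms_to_iso(ms):
    """Firefox stores install/update times as milliseconds since the epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def audit_extensions(extensions_json_text, allowed_ids):
    """Return one finding per active extension; 'reasons' is empty when it looks fine."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        # Themes, dictionaries and disabled add-ons are out of scope for this check.
        if addon.get("type") != "extension" or not addon.get("active", False):
            continue
        ext_id = addon["id"]
        name = addon.get("defaultLocale", {}).get("name", "?")
        reasons = []
        if ext_id not in allowed_ids:
            reasons.append("not on allow-list")
            # A name copied from a known wallet on an unvetted ID is the pattern the article describes.
            for brand in WALLET_BRANDS:
                if brand.lower() in name.lower():
                    reasons.append("name matches wallet brand %r but ID is not allow-listed" % brand)
                    break
        install = addon.get("installDate", 0)
        update = addon.get("updateDate", install)
        if update != install:
            # Extensions update silently; a changed updateDate means the code on disk is not what was reviewed.
            reasons.append("updated since install (%s -> %s)" % (_ms_to_iso(install), _ms_to_iso(update)))
        if addon.get("signedState", 0) < 2:
            reasons.append("not signed")
        findings.append({
            "id": ext_id,
            "name": name,
            "version": addon.get("version"),
            "source": addon.get("sourceURI"),
            "reasons": reasons,
        })
    return findings


def flagged(findings):
    """Only the findings that carry at least one reason."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWED_IDS):
        status = "FLAG" if f["reasons"] else "ok  "
        print(status, f["id"], f["name"], f["version"], "; ".join(f["reasons"]))
```

To run it against a real profile, pass the contents of that profile's extensions.json to audit_extensions in place of the sample. The script only reports; enforcing the allow-list on managed machines is done with Firefox enterprise policies (the ExtensionSettings policy), which can block installation of anything not explicitly allowed.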
This post is for informational purposes only and does not constitute advertising or investment advice. Please conduct your own research before making any financial decisions.