Discover 40 Malicious Firefox Extensions Stealing Crypto Wallets
In a significant cybersecurity revelation, Koi Security has uncovered a large-scale campaign involving over 40 malicious Firefox extensions designed to steal cryptocurrency wallet credentials. These fake extensions, which impersonate trusted wallet tools such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget, Keplr, Ethereum Wallet, and Filfox, have been active since at least April 2025 and remain a persistent threat. This discovery underscores the growing sophistication of cyberattacks targeting the cryptocurrency ecosystem and the urgent need for heightened vigilance among Firefox users.
Mechanics of the Malicious Campaign
The malicious extensions are meticulously crafted to appear legitimate, often cloning the open-source codebases of genuine wallet extensions and embedding spyware within seemingly harmless files. Once installed, these extensions extract sensitive wallet credentials, such as seed phrases and private keys, directly from targeted websites. The stolen data is then transmitted to remote servers controlled by attackers, enabling them to access and drain users’ cryptocurrency wallets.
To bolster their credibility, attackers employ deceptive tactics, including artificially inflating the number of 5-star reviews, sometimes adding hundreds of fake reviews that exceed the extensions’ actual installation counts. This creates an illusion of authenticity, tricking unsuspecting users into believing the extensions are widely adopted and trustworthy. The campaign’s ongoing nature, with new extensions uploaded to the Firefox Add-ons store as recently as last week, indicates that cybercriminals are actively refining their approach to evade detection.
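Because the fake extensions trade on the wallet brands named above, one defensive check is to inventory a Firefox profile for wallet-branded add-ons whose IDs have not been verified against the vendor's own site. The following is an added example, not code from Koi Security or the original article; it assumes the profile's `extensions.json` layout (an `addons` array with `id`, `type`, `active` and `defaultLocale.name`), and `wallet_addons`, `trusted_ids` and the sample data are hypothetical and constructed.

```python
import json

# Brand names the article lists as impersonated by the fake extensions.
BRANDS = ["coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
          "mymonero", "bitget", "keplr", "ethereum wallet", "filfox"]

def wallet_addons(extensions_json, trusted_ids):
    """Return wallet-branded add-ons from a Firefox profile's extensions.json
    whose add-on ID is not in trusted_ids (IDs the operator has verified
    against the wallet vendor's own site)."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries etc. cannot read page content
        name = (addon.get("defaultLocale") or {}).get("name", "")
        brand = next((b for b in BRANDS if b in name.lower()), None)
        if brand and addon.get("id") not in trusted_ids:
            findings.append({"id": addon.get("id"), "name": name,
                             "brand": brand,
                             "active": addon.get("active", False)})
    return findings

# Constructed sample mimicking extensions.json; every ID is a placeholder.
SAMPLE = json.dumps({"addons": [
    {"id": "verified-wallet@example.invalid", "type": "extension",
     "active": True, "defaultLocale": {"name": "MetaMask"}},
    {"id": "{00000000-0000-0000-0000-000000000001}", "type": "extension",
     "active": True, "defaultLocale": {"name": "Phantom Wallet Pro"}},
    {"id": "adblock@example.invalid", "type": "extension",
     "active": True, "defaultLocale": {"name": "Some Ad Blocker"}},
    {"id": "theme@example.invalid", "type": "theme",
     "active": False, "defaultLocale": {"name": "Exodus Dark Theme"}},
]})

if __name__ == "__main__":
    # Only the unverified wallet-branded extension should be reported.
    for finding in wallet_addons(SAMPLE, {"verified-wallet@example.invalid"}):
        print(finding)
```

A finding is a prompt for manual review of the add-on's publisher and install source, not proof that it is malicious.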