Fake Firefox extensions aim to steal cryptocurrency wallets

• Over 40 fake extensions compromise cryptocurrency wallets
• Criminals use wallet names like MetaMask and Coinbase
• Attacks remain active and threaten Firefox users

Cybersecurity experts have identified more than 40 malicious extensions in the Firefox browser designed to steal cryptocurrency wallet credentials. According to a report released by Koi Security, the criminals behind the operation use the names of popular platforms, such as Coinbase, MetaMask and Trust Wallet, to deceive users and collect sensitive information.

🚨 Watch out, crypto enthusiasts! Over 40 fake Firefox extensions mimicking popular wallets have been found. These phishing scams are after your private keys! Check your extensions and stay safe. 🔐 #CryptoSecurity #PhishingAlert 

— ₿itBlitz (@BitBlitz) July 3, 2025

These fake extensions pose as legitimate digital wallet tools and, once installed, secretly extract sensitive data from users, exposing digital assets to theft risks. In addition to the aforementioned, other affected brands include Phantom, Exodus, OKX, MyMonero, Bitget, Leap and Keplr.

According to report , the campaign has been active since at least April 2025, with new malicious extensions being uploaded to the Firefox Add-ons Store as recently as last week. The continued activity suggests a persistent operation, with the ability to adapt and update.

To increase the credibility of the fake extensions, the attackers used fake reviews with five-star ratings. Many of the extensions had hundreds of reviews simulating positive experiences, which increased the likelihood of being installed by unsuspecting users.

Koi Security also found clues that indicate the possible involvement of a Russian-speaking cybercriminal group. Fragments of code with comments written in Russian and metadata extracted from files hosted on the servers used in the operation reinforce this suspicion. “While not conclusive, these artifacts suggest that the campaign may have originated from a Russian-speaking cybercriminal group,” the report states.

The security firm emphasizes that the campaign is ongoing, with active extensions still available in the official store. Cryptocurrency wallet users should be extra careful when installing any add-on in Firefox, checking official sources and the authenticity of the tool.