Crypto Draining Fake Wallet Extensions Flood Firefox Store

CryptoNewsNet 2025/07/04 13:55
By: decrypt.co

A malware campaign is leveraging malicious Firefox add-ons that impersonate legitimate crypto wallets in a bid to steal unwary users’ funds, according to a new study.

Koi Security discovered that more than 40 malicious extensions were impersonating real crypto wallets as part of the “FoxyWallet” campaign, including Coinbase Wallet, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero.

The malicious code exfiltrates wallet secrets to attacker-controlled servers. It checks for input strings longer than 30 characters, a filter for realistic wallet keys and seed phrases, before sending the data to the attackers. The victim's external IP address is also transmitted to the attacker, allowing for tracking or further targeting.

Koi Security explained that the FoxyWallet creators “took advantage of the fact that official extensions are open source,” adding that, “They cloned the real codebases and inserted their own malicious logic, creating extensions that behaved as expected while secretly stealing sensitive data.”

Further exploration of these malicious extensions suggests a Russian-speaking threat actor, with Russian-language comments found in their code, as well as in metadata found in a PDF file discovered on the command-and-control server.

The campaign appears to have been active since at least April, with new malicious extensions added last week, according to Koi Security. Some fake extensions were still available on the Firefox Add-ons store as recently as yesterday, despite the firm having reported their findings to Firefox using its official reporting tool.

Firefox creators Mozilla released a statement Thursday saying that the firm is “aware of attempts to exploit Firefox’s add-ons ecosystem using malicious crypto-stealing extensions,” adding that “Through improved tooling and process, we have taken steps to identify and take down such add-ons quickly.”

The firm added that many of the malicious extensions flagged in Koi Security’s report had been removed by its team before publication, and that it is “in the process of reviewing the remaining few add-ons they identified as part of our ongoing commitment to protecting users.”

A "cat and mouse game"

Mozilla pointed to a recent blog post reporting on its efforts to address the threat of crypto-stealing extensions, in which its Add-ons Operations Manager Andreas Wagner noted that the firm had uncovered “hundreds” of scam crypto wallets in recent years. “It’s a constant cat and mouse game,” Wagner said, as malware developers attempt to “work around our detection methods.”

Decrypt has reached out to Mozilla and will update this article should they respond.

To avoid falling victim to FoxyWallet or similar scams, users are advised to only download and install extensions from verified publishers, to treat extensions as full software assets, to use an extension allow list that restricts installation to pre-approved, validated extensions, and to implement continuous monitoring rather than one-time scanning.
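The allow-list and continuous-monitoring advice above can be turned into a recurring audit of installed add-ons; the following is an added example, not code from Koi Security, Mozilla or the article. It assumes the add-on inventory is read from a Firefox profile's `extensions.json` with the fields noted in the comments, and every add-on ID and the sample inventory are constructed placeholders.

```python
import json

# Wallet brands the article lists as impersonated by the FoxyWallet add-ons.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom",
                 "exodus", "okx", "keplr", "mymonero")

# Constructed allow list of validated add-on IDs.
# These are placeholders, not the real vendors' add-on IDs.
ALLOWED_IDS = {"approved-wallet@example.invalid", "adblock@example.invalid"}

# Constructed sample shaped like a Firefox profile's extensions.json
# (assumed fields: addons[].id, .type, .active, .defaultLocale.name).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "approved-wallet@example.invalid", "type": "extension",
     "active": True, "defaultLocale": {"name": "MetaMask"}},
    {"id": "notes@example.invalid", "type": "extension",
     "active": False, "defaultLocale": {"name": "Quick Notes"}},
    {"id": "unknown-wallet@example.invalid", "type": "extension",
     "active": True, "defaultLocale": {"name": "Phantom Wallet"}},
    {"id": "theme@example.invalid", "type": "theme",
     "active": True, "defaultLocale": {"name": "Dark"}},
]})


def audit_extensions(raw_json, allowed_ids=ALLOWED_IDS):
    """Return every installed extension that is not on the allow list.

    An off-list add-on whose display name contains a wallet brand is rated
    "high" (possible look-alike); any other off-list add-on is "review".
    """
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, language packs
        addon_id = addon.get("id", "")
        if addon_id in allowed_ids:
            continue  # validated add-on, trusted by ID rather than by name
        name = (addon.get("defaultLocale") or {}).get("name", "")
        brand_hit = any(brand in name.lower() for brand in WALLET_BRANDS)
        findings.append({"id": addon_id, "name": name,
                         "active": bool(addon.get("active")),
                         "severity": "high" if brand_hit else "review"})
    # Stable sort: wallet look-alikes first, original order otherwise.
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(finding)
```

Matching on the add-on ID rather than the display name is the point: a cloned extension can copy the name and icon of the wallet it imitates, so the name is only used to prioritise findings.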
