Crypto users warned: 40 fake Firefox extensions discovered

By Messam Razza - Crypto Journalist
Disclaimer: Cryptocurrencies are a high-risk asset class. This article does not constitute investment advice and is provided for informational purposes only. You could lose all of your capital.
Cover illustration/art via BTCRead. Image combines content, which may include AI-generated ideas.

A major cyber alert has been sounded after the discovery of over 40 counterfeit Firefox extensions designed to steal wallet credentials. Koi Security disclosed the campaign, which mainly targets users of crypto wallets such as MetaMask and Coinbase Wallet, among several others.

The extensions mimic the authentic browser extensions and quietly exfiltrate sensitive information, putting millions of dollars' worth of digital assets at risk.

Since April 2025, the attackers have been uploading the fake add-ons to Mozilla's Firefox Add-ons store at a steady rate. Despite a string of takedowns, a number of these extensions remain live to this day, which suggests the campaign is ongoing.

The attackers exploit Firefox users' trust by copying the official branding of legitimate wallet extensions. They also build on the wallets' open-source code, inserting malicious functions without altering the expected user experience.

The forgeries imitate the look of the legitimate wallet software, including names, logos, and user interfaces. This degree of similarity makes it practically impossible for the average user to tell the original from the fake.

Once installed, the backdoored add-ons steal users' wallet login credentials without their knowledge and send the stolen data, along with the victim's IP address, to a server controlled by the attacker.

One tactic used in this campaign is review inflation. Many of the extensions carried hundreds of bogus five-star reviews, far exceeding their actual install counts.

This trick makes the extensions appear reputable and popular to users, who then download them without hesitation. Koi Security tied all of the fake extensions to a single campaign through shared tactics and infrastructure indicators.

This in-depth analysis traced the campaign back to its source and showed how consistent the attackers' techniques were. The malware closely resembles the original extension but carries hidden logic that secretly harvests sensitive user information.

Several indicators suggest the campaign is of Russian-speaking origin: Russian-language comments embedded in the code, and metadata within a related PDF file hosted on a C&C server. Though not definitive proof, they lend credence to the suspected source.

Users are advised to install only verified extensions from trusted publishers, regardless of how popular a tool appears.

Security teams should employ allowlists and ongoing monitoring, because extensions can silently update and change their behavior after installation. With the growing usage of crypto, the attack is a timely reminder of the risk associated with browser-based wallet tools.
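As an added example (not from the article or from Koi Security's report), here is a small Python audit that reads a Firefox profile's extensions.json and flags add-ons that are not on an allowlist, or that reuse an allowlisted wallet's name under a different extension ID, which is the branding-impersonation pattern described above. The field names follow the profile file as I know it and should be checked against your Firefox version; the IDs and the sample file are constructed placeholders.

```python
import json

# Allowlist of vetted extension IDs -> expected display name.
# Constructed placeholders: take real IDs from a vetted install, not from a store listing.
ALLOWLIST = {
    "wallet-a@example.com": "Wallet A",
    "wallet-b@example.com": "Wallet B",
}

# Constructed sample shaped like the "addons" entries of a Firefox profile's
# extensions.json (field names assumed from the profile format; verify locally).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "wallet-a@example.com", "version": "12.0.0", "type": "extension",
     "active": True, "defaultLocale": {"name": "Wallet A"}},
    {"id": "walletA-official@example.org", "version": "1.0.1", "type": "extension",
     "active": True, "defaultLocale": {"name": "Wallet A Official"}},
    {"id": "theme@example.net", "version": "1.0", "type": "theme",
     "active": True, "defaultLocale": {"name": "Dark Theme"}},
    {"id": "old-helper@example.net", "version": "3.2", "type": "extension",
     "active": False, "defaultLocale": {"name": "Helper"}},
]})


def normalize(name):
    """Lowercase, collapse whitespace and drop 'official', a padding word used to mimic brands."""
    return " ".join(name.lower().replace("official", "").split())


def audit_extensions(extensions_json, allowlist=ALLOWLIST):
    """Return (kind, id, name) findings for add-ons that violate the allowlist."""
    data = json.loads(extensions_json)
    allowed_names = {normalize(n) for n in allowlist.values()}
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and langpacks cannot run code against pages
        ext_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "")
        if ext_id in allowlist:
            if normalize(name) != normalize(allowlist[ext_id]):
                findings.append(("renamed", ext_id, name))  # allowed ID, unexpected branding
            continue
        kind = "impersonation" if normalize(name) in allowed_names else "unlisted"
        if not addon.get("active", True):
            kind = "disabled-" + kind  # still on disk; an enable click or update can revive it
        findings.append((kind, ext_id, name))
    return findings


if __name__ == "__main__":
    for kind, ext_id, name in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{kind:20} {ext_id:32} {name!r}")
```

Run it against the real file (profile directory, extensions.json) on a schedule so that a silently updated or newly installed add-on is caught rather than trusted.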

Crypto Journalist
Messam is a dedicated crypto writer with 2 years of experience covering blockchain technology, digital assets, and market trends. Known for delivering clear, concise, and well-researched content, he specializes in breaking down complex topics for a broad audience while staying on top of the ever-evolving crypto landscape.