Introduction: A Silent Invasion in Your Browser
In a shocking revelation, cybersecurity researchers have discovered a widespread malware campaign targeting Firefox users through seemingly legitimate crypto wallet extensions. With over 40 malicious add-ons uncovered, these tools aren’t just annoying or spammy; they’re built to silently hijack sensitive wallet data like seed phrases, private keys, and IP addresses. What makes this campaign especially dangerous is its stealth: the malware mimics trusted brands like MetaMask and Coinbase, bypasses traditional phishing routes, and embeds itself directly into the browser environment. This isn’t just another scam: it’s an evolving cyberattack threatening the heart of Web3 security.
Malicious Firefox Add-ons: Cloning Trust, Stealing Crypto
Cybersecurity firm Koi Security has uncovered a malicious campaign involving more than 40 Firefox browser extensions that impersonate well-known cryptocurrency wallet services. These extensions pretend to be trusted tools from platforms like MetaMask, Trust Wallet, Coinbase, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. The campaign, which has been active since at least April 2025, continues to this day, with fake extensions recently added to the Mozilla Firefox Add-ons store.
These extensions deceive users by mimicking the name, logo, and interface of genuine wallets. Many even borrow source code from legitimate, open-source wallets, injecting malicious scripts into cloned code to stealthily harvest wallet keys and seed phrases. The stolen information is then sent to remote servers controlled by the attackers, along with victims’ external IP addresses, enabling more sophisticated tracking or targeting.
To bolster credibility, the hackers flood their fake extensions with hundreds of fake 5-star reviews, making them appear popular and trustworthy. This manipulation lures unsuspecting users into installation, where the malware quietly activates in the background. Unlike traditional phishing scams, which rely on deceptive websites or emails, these malicious extensions integrate directly into the user’s browser, making them much harder to detect with antivirus software or other conventional cybersecurity tools.
Some of the extensions were found to contain Russian-language comments in their source code, and documents obtained from the attacker’s command-and-control (C2) infrastructure further point to a Russian-speaking threat actor group. Mozilla has removed most of the malicious extensions from its store, except for one: MyMonero Wallet. In response, Mozilla has also introduced an early detection system to prevent such rogue extensions from spreading in the future.
Users are strongly advised to download browser extensions only from verified publishers and to monitor installed add-ons for suspicious behavior that could signal compromise.
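The advice above to monitor installed add-ons can be turned into a routine check. The script below is an added example, not code from the article, from Koi Security, or from Mozilla. It reads a Firefox profile's extensions.json (the file Firefox uses to record installed add-ons) and flags any active extension whose display name borrows one of the wallet brands named in the report but whose add-on ID is not on an operator-maintained allow-list, noting as well whether it requests host permissions for every site and whether it came from addons.mozilla.org. The field names it reads (`defaultLocale.name`, `userPermissions.origins`, `sourceURI`, `active`, `type`) reflect the extensions.json layout as I understand it and should be confirmed against a real profile; the allow-list IDs and all sample add-on data are constructed placeholders.

```python
"""Audit a Firefox profile's installed add-ons for crypto-wallet look-alikes.

Added example; not from the original article, Koi Security, or Mozilla.
Field names assume the extensions.json layout (verify against a real profile).
"""
import json
import re
import sys
from pathlib import Path

# Wallet brands named in the Koi Security report summarised above.
WALLET_BRANDS = [
    "metamask", "trust wallet", "coinbase", "phantom", "exodus", "okx",
    "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox",
]
BRAND_RE = re.compile(
    r"\b(" + "|".join(re.escape(b) for b in WALLET_BRANDS) + r")\b", re.I
)

# Operator-maintained allow-list: brand -> add-on IDs of the genuine extension.
# The ID below is a PLACEHOLDER (assumption); fill it from the vendor's
# official listing on addons.mozilla.org before relying on this check.
KNOWN_GOOD_IDS = {
    "metamask": {"PLACEHOLDER-official-metamask-id@example"},
}

# Host permissions that let a content script read every page the user visits.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
AMO_HOST = "addons.mozilla.org"


def brand_in_name(name):
    """Return the wallet brand a display name mimics (lower-case), or None."""
    match = BRAND_RE.search(name or "")
    return match.group(1).lower() if match else None


def audit_addons(addons):
    """Return one finding per active extension that looks like a wallet clone.

    An add-on whose ID is on the allow-list for its brand is trusted and
    skipped; anything else carrying a wallet brand name is flagged, with
    extra reasons for broad host permissions and non-AMO install sources.
    """
    findings = []
    for addon in addons:
        if addon.get("type") != "extension" or not addon.get("active", True):
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        brand = brand_in_name(name)
        if brand is None or addon.get("id") in KNOWN_GOOD_IDS.get(brand, set()):
            continue
        reasons = ["brand name with unrecognised add-on ID"]
        origins = set(addon.get("userPermissions", {}).get("origins", []))
        if origins & BROAD_ORIGINS:
            reasons.append("broad host permissions")
        if AMO_HOST not in (addon.get("sourceURI") or ""):
            reasons.append("not installed from addons.mozilla.org")
        findings.append({"id": addon.get("id"), "name": name,
                         "brand": brand, "reasons": reasons})
    return findings


def audit_profile(profile_dir):
    """Audit the extensions.json inside a Firefox profile directory."""
    path = Path(profile_dir, "extensions.json")
    data = json.loads(path.read_text(encoding="utf-8"))
    return audit_addons(data.get("addons", []))


# Constructed sample in the shape of extensions.json; not real add-on data.
SAMPLE_ADDONS = [
    {"id": "PLACEHOLDER-official-metamask-id@example", "type": "extension",
     "active": True, "defaultLocale": {"name": "MetaMask"},
     "userPermissions": {"origins": ["*://*/*"]},
     "sourceURI": "https://addons.mozilla.org/placeholder/metamask.xpi"},
    {"id": "phantom-wallet-clone@example.com", "type": "extension",
     "active": True, "defaultLocale": {"name": "Phantom Wallet"},
     "userPermissions": {"origins": ["<all_urls>"]},
     "sourceURI": "https://addons.mozilla.org/placeholder/phantom.xpi"},
    {"id": "keplr-copy@example.net", "type": "extension", "active": True,
     "defaultLocale": {"name": "Keplr"},
     "userPermissions": {"origins": []}, "sourceURI": "file:///tmp/keplr.xpi"},
    {"id": "exodus-old@example.org", "type": "extension", "active": False,
     "defaultLocale": {"name": "Exodus"}, "userPermissions": {"origins": []}},
    {"id": "tabnotes@example.org", "type": "extension", "active": True,
     "defaultLocale": {"name": "Tab Notes"},
     "userPermissions": {"origins": []}},
]

if __name__ == "__main__":
    # Usage: python audit_addons.py [profile_dir]; without an argument the
    # constructed sample is audited instead of a real profile.
    results = audit_profile(sys.argv[1]) if len(sys.argv) > 1 else audit_addons(SAMPLE_ADDONS)
    for finding in results:
        print(f"{finding['id']} ({finding['name']}): {', '.join(finding['reasons'])}")
```

A clone that reached the official store (as the campaign's extensions did) still trips the ID check; the source-URI check catches the separate case of an extension sideloaded from a file or third-party site.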
What Undercode Says: Breaking Down the Attack Strategy
Digital Deception at Scale
This cyberattack is not just opportunistic; it’s strategic. The threat actors behind these extensions use several psychological and technical tactics to maximize effectiveness. By hijacking the branding and user interface of widely-used crypto wallets, they exploit user trust and familiarity. The fake reviews further reinforce this illusion, aligning with social proof psychology to manipulate installation behavior.
The Power of Open Source, Exploited
Many legitimate crypto wallets are open-source to promote transparency. Ironically, this strength became a vulnerability. Attackers cloned these public repositories, modified key functionalities, and redistributed them with malicious intent. This highlights the ongoing debate within the cybersecurity community: how can open-source tools be made safer without compromising accessibility?
Browser as the Battlefield
This campaign proves that the browser is now a primary attack surface. These rogue extensions bypass endpoint security and traditional phishing filters. Since they’re “installed” by the user, antivirus solutions are often configured to trust them. This makes browser-based attacks more insidious and dangerous than typical scams.
IP Tracking: A Secondary Threat
While stealing crypto is the main goal, collecting external IP addresses reveals another layer of this threat. Tracking a user’s IP can allow for broader data correlation, linking activity across wallets, exchanges, or even geolocating victims for targeted attacks.
Mozilla’s Response: A Necessary Step
Mozilla’s new detection system is a welcome but overdue measure. Browser extension stores have long been underregulated compared to mobile app stores. This case should serve as a wake-up call across all browser platforms: extensions must be rigorously vetted, and community reporting must be strengthened.
Community Blind Spots
Despite the growth of the crypto community, users still lack the awareness and tools to detect threats hiding in plain sight. Most assume extensions from popular stores are safe by default. The assumption of safety in “approved” browser add-ons must be challenged, especially in the financial space.
Fact Checker Results
Over 40 malicious Firefox extensions were verified to be impersonating crypto wallets.
Campaign is ongoing since April 2025, with new entries still appearing in the extension store.
Mozilla has removed most add-ons and launched early detection measures.
Prediction: The Future of Extension-Based Cybercrime
Expect an increase in browser-based cyberattacks, especially targeting decentralized finance (DeFi) and self-custody wallet users. As malware becomes more sophisticated, malicious extensions may soon include AI-driven behavior adaptation, making detection even harder. While Mozilla’s early detection system is a positive move, other browser vendors will likely face similar attacks unless they proactively adopt stronger vetting mechanisms. The open-source crypto ecosystem must evolve to include integrity verification tools that alert users when codebases are cloned or altered. Without this, even the most cautious users remain vulnerable to silent digital theft.
References:
Reported By: thehackernews.com