Warnings Issued for Over 40 Deceptive Crypto Wallet Add-ons on Firefox: Possible Threat to Your Digital Assets?
A recent cybersecurity threat has come to light, involving a large-scale scam that has been targeting Firefox users and their cryptocurrency wallets. Over 40 malicious browser extensions, designed to mimic popular wallet tools such as Coinbase, MetaMask, and Trust Wallet, have been discovered, tricking users into compromising their digital assets.
### Behind the Scam
The attribution of the campaign is tentative, with signs suggesting that a Russian-speaking threat actor group may be behind it. The group has been active since at least April 2025 and continues to evolve, with new extensions being uploaded to the Firefox Add-ons store as recently as last week.
### How the Scam Operates
The malicious extensions use identical names and logos to impersonate legitimate wallet tools, creating a false sense of trust among users. The attackers artificially inflate the extensions' popularity by adding hundreds of fake 5-star reviews, making them appear widely adopted. In cases where legitimate extensions are open-source, the attackers clone the codebase and insert malicious logic to extract wallet keys and seed phrases. Once installed, the extensions steal sensitive wallet credentials and transmit them to attacker-controlled remote servers.
### Protecting Yourself
To protect themselves, users are advised to ensure that any extension they install is from a trusted source and has genuine reviews. They should be cautious of extensions with an unusually high number of reviews despite low installation numbers. Keeping Firefox and its extensions updated is also crucial to ensure any patches for known vulnerabilities are applied. Using strong security measures such as a VPN, enabling two-factor authentication (2FA) for wallets, and keeping software up to date can help minimize exposure. If an extension is suspected to be malicious, it should be reported to Mozilla immediately.
### The Threat Remains
This isn't a one-off exploit but an evolving tactic that could target other browsers and crypto platforms in the future. The actors behind this effort are leveraging both social engineering and technical spoofing to target crypto users. Users are encouraged to double-check developer information on add-on pages and inspect permissions requested by extensions before installing them.
This large-scale campaign of fake Firefox browser extensions designed to steal crypto wallet credentials was revealed by a cybersecurity firm named Koi Security. The scale and persistence of the operation point to an organized effort. Clues suggest a potential Russian-speaking group behind the campaign, although they are not definitive. The report recommends avoiding downloading browser extensions outside of official wallet provider recommendations. Users are also encouraged to remove any tool they did not explicitly install or no longer recognize.
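One way to carry out the checks recommended above (developer information, requested permissions, add-ons you no longer recognize) is to audit the list of installed extensions directly. The sketch below is an added example, not code from Koi Security or Mozilla; it assumes the layout of the `extensions.json` file kept in a Firefox profile, runs on a constructed sample, and uses a hypothetical allowlist with a placeholder add-on ID.

```python
import json

# Wallet brands the article names as impersonated.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet")
# Hypothetical allowlist: add-on IDs you confirmed yourself by following the
# install link on the wallet vendor's own site. Placeholder value only.
VERIFIED_IDS = {"verified-wallet@example.invalid"}

# Constructed sample in the shape of a profile's extensions.json (trimmed).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "verified-wallet@example.invalid", "type": "extension",
     "defaultLocale": {"name": "MetaMask", "creator": "Example Vendor"},
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
    {"id": "{00000000-0000-0000-0000-000000000001}", "type": "extension",
     "defaultLocale": {"name": "Trust Wallet", "creator": None},
     "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["<all_urls>"]}},
    {"id": "notes@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Plain Notes", "creator": "Example Dev"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "theme@example.invalid", "type": "theme",
     "defaultLocale": {"name": "Coinbase Dark"}},
]})

def audit_extensions(raw_json, verified_ids=VERIFIED_IDS):
    """Return one record per installed extension, marking wallet-branded
    add-ons whose ID is not on the verified allowlist."""
    report = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # only extensions are in scope; skip themes and the like
        locale = addon.get("defaultLocale") or {}
        name = locale.get("name") or ""
        perms = addon.get("userPermissions") or {}
        branded = any(brand in name.lower() for brand in WALLET_BRANDS)
        report.append({
            "id": addon.get("id"),
            "name": name,
            "creator": locale.get("creator") or "(none listed)",
            "permissions": sorted(perms.get("permissions") or []),
            "origins": sorted(perms.get("origins") or []),
            "review": branded and addon.get("id") not in verified_ids,
        })
    return report

if __name__ == "__main__":
    for row in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        flag = "REVIEW" if row["review"] else "ok"
        print(f"[{flag}] {row['name']} ({row['id']}) by {row['creator']}: {row['origins']}")
```

A name match alone proves nothing either way; the flag only marks which entries to compare by hand against the wallet provider's official listing.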
- The large-scale campaign uncovered by cybersecurity firm Koi Security targets Firefox users and their cryptocurrency wallets through malicious browser extensions that impersonate wallet tools, posing a threat to crypto security.
- In this ongoing campaign, the attackers use the identical names and logos of popular wallet tools to create a false sense of security and manipulate reviews to inflate their extensions' popularity, which puts greater emphasis on protective measures for digital assets such as VPNs, 2FA, and updated software.