Cybersecurity researchers have uncovered a massive phishing campaign targeting cryptocurrency users through over 40 fake Firefox extensions. These malicious add-ons are disguised as official wallet tools from well-known platforms such as Coinbase, MetaMask, Trust Wallet, and others.
According to a detailed report from Koi Security, the campaign is not only extensive but actively ongoing, with new malicious extensions being uploaded as recently as last week. The fake extensions are designed to steal users’ private wallet credentials, potentially leading to complete asset loss.
Trusted Names Imitated to Trick Users
The fraudulent extensions impersonate a range of popular crypto wallets and platforms, including but not limited to:
- MetaMask
- Coinbase
- Phantom
- Exodus
- OKX
- Trust Wallet
- Keplr
- MyMonero
- Bitget
- Ethereum Wallet
- Leap
- Filfox
Once installed, these deceptive add-ons silently extract sensitive data from the user’s crypto wallet, putting their funds at immediate risk.
The Campaign Is Active and Evolving
Koi Security confirms that the campaign has been in operation since at least April 2025, and it’s still ongoing. Despite being reported, some of the fake extensions remain available on the Firefox Add-ons store.
“The threat remains active, persistent, and continues to evolve,” the report notes.
The attackers appear to be leveraging fake reviews and ratings to gain the trust of unsuspecting users. Many of these malicious add-ons feature hundreds of fake five-star ratings, making them appear credible at first glance.
Russian Links Suspected Behind the Operation
In a striking detail, the report highlights signs pointing to a Russian-speaking threat actor. Analysts discovered Russian-language code comments in the metadata and identified PDF files hosted on command-and-control (C2) servers associated with the campaign.
While attribution remains uncertain, these findings strongly suggest that the operation may originate from a Russian cybercriminal group.
Stay Safe: What You Should Do
- Only install extensions from verified sources.
- Avoid browser add-ons that mimic well-known crypto wallets unless directly linked from the official website.
- Regularly monitor your wallet activity for unauthorized access.
- Report suspicious Firefox extensions immediately.
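To act on the second point, the following added example (not from this article or the Koi Security report) inventories a Firefox profile's installed extensions and lists those named after one of the wallet brands above, so each can be checked against the add-on linked from that vendor's official website. It assumes the field names used by the `extensions.json` file in a Firefox profile directory (`addons`, `type`, `id`, `active`, `defaultLocale.name`); the sample data and add-on IDs are constructed.

```python
import json

# Wallet brands the article lists as impersonated.
BRANDS = ["MetaMask", "Coinbase", "Phantom", "Exodus", "OKX", "Trust Wallet",
          "Keplr", "MyMonero", "Bitget", "Ethereum Wallet", "Leap", "Filfox"]

def normalize(text):
    """Lowercase and keep only letters/digits, so 'Trust-Wallet' matches 'Trust Wallet'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def wallet_addons(extensions_json_text):
    """Return (id, name, brand, active) for each installed extension whose
    display name contains one of the listed brands. Substring matching
    over-matches on purpose: every hit is a prompt for manual verification."""
    hits = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        flat = normalize(name)
        for brand in BRANDS:
            if normalize(brand) in flat:
                hits.append((addon.get("id"), name, brand, bool(addon.get("active"))))
                break
    return hits

# Constructed sample in the shape of extensions.json (not real add-on IDs).
SAMPLE = json.dumps({"addons": [
    {"id": "wallet-a@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet Extension"}},
    {"id": "adfilter@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Ad Filter"}},
    {"id": "theme@example.invalid", "type": "theme", "active": True,
     "defaultLocale": {"name": "Phantom Dark Theme"}},
    {"id": "tw@example.invalid", "type": "extension", "active": False,
     "defaultLocale": {"name": "Trust-Wallet Official"}},
]})

if __name__ == "__main__":
    # On a real system, read <profile directory>/extensions.json instead of SAMPLE.
    for addon_id, name, brand, active in wallet_addons(SAMPLE):
        state = "enabled" if active else "disabled"
        print(f"verify against {brand}'s official site: {name!r} [{addon_id}] ({state})")
```

A hit is not a verdict: a genuine wallet extension will also be listed, and the name alone cannot distinguish it from an impersonator.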
Crypto users are urged to remain vigilant, as cybercriminals continue to refine their techniques. The rise in malicious browser tools underscores the importance of digital hygiene and critical evaluation of browser extensions.