12 Brands, 40 Fakes, 1 Year of Deception: Anatomy of a Crypto Heist in Firefox

They look real — but work for those robbing you.

Security experts at Koi Security have uncovered over 40 malicious browser extensions for Mozilla Firefox, specifically designed to steal data from cryptocurrency wallets. These add-ons pose a serious threat to the safety of users' digital assets.
The attackers disguised their malicious extensions as official tools of popular crypto wallets. Among the impersonated services were Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Visually, the extensions appeared authentic — using the same logos and names.
The campaign to spread these fake extensions has been active since at least April 2025. New versions were uploaded to the official Firefox Add-ons Store as recently as last week.
To create the illusion of legitimacy, the attackers flooded the store with fake 5-star reviews, far exceeding the number of actual installs. This gave the extensions a false sense of community trust and popularity.
Another layer of deception came from the use of open-source code from the real wallet extensions. This allowed attackers to replicate genuine functionality while secretly embedding malicious code. As a result, the extensions worked and looked like the originals — but contained hidden mechanisms to steal sensitive data.
The malware was capable of intercepting private keys and seed phrases entered by users on target websites. Additionally, it transmitted the victims' IP addresses to a remote server.
Unlike traditional scams based on phishing websites or fake emails, these extensions operate within the browser itself. This makes them especially dangerous, as standard protection tools are less effective at detecting them.
Mozilla has since removed all identified malicious extensions, except one — MyMonero Wallet, which remains available in the store. The company has also announced the development of an early detection system aimed at blocking malicious wallet extensions before they gain traction and begin stealing assets.
In a related note, the PT SWARM team from Positive Technologies recently patched CVE-2025-6430 — a Firefox vulnerability that allowed attackers to bypass secure download mechanisms. The flaw was caused by incorrect interpretation of the Content-Disposition header, which defines how browsers handle downloaded files.
To reduce the risk of installing fake extensions, experts recommend only downloading add-ons from verified developers and closely monitoring their behavior for any suspicious activity or changes.
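One way to turn the article's indicators (a wallet brand name from an unexpected publisher, review counts exceeding installs, broad host access) into a triage check over an add-on's manifest.json and store metadata. This is an added example, not Koi Security's or Mozilla's code; the brand list, the publisher-ID allow-list and the thresholds are assumptions, and the sample add-on is constructed.

```python
"""Triage a Firefox add-on against the indicators described in the article.
Added example; publisher IDs and thresholds are assumed placeholders."""

# Brands the article names as impersonated (assumed matching list).
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
                 "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox")
# Placeholder allow-list: brand -> add-on ID of the genuine publisher (assumed values).
KNOWN_PUBLISHER_IDS = {"metamask": "{PLACEHOLDER-METAMASK-ID}"}

def brand_in_name(name):
    """Return the first impersonated brand found in the add-on name, or None."""
    lname = name.lower()
    return next((b for b in WALLET_BRANDS if b in lname), None)

def triage_addon(manifest, store_meta):
    """manifest: parsed manifest.json; store_meta: dict with 'installs', 'reviews', 'avg_rating'.
    Returns boolean indicators plus 'score' = number of indicators hit."""
    brand = brand_in_name(manifest.get("name", ""))
    addon_id = manifest.get("browser_specific_settings", {}).get("gecko", {}).get("id", "")
    hosts = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    matches = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    findings = {
        # Brand name used, but the add-on ID is not the known publisher's.
        "brand_lookalike": brand is not None and KNOWN_PUBLISHER_IDS.get(brand) != addon_id,
        # Content scripts or permissions reaching every site, not just the wallet's own.
        "broad_host_access": any(h == "<all_urls>" or h.startswith("*://*/") for h in hosts + matches),
        # Fake-review pattern from the article: more reviews than installs.
        "reviews_exceed_installs": store_meta.get("reviews", 0) > store_meta.get("installs", 0),
        # Near-perfect average over a sizeable review count (assumed threshold).
        "rating_suspiciously_perfect": store_meta.get("avg_rating", 0) >= 4.9
                                       and store_meta.get("reviews", 0) >= 20,
    }
    findings["score"] = sum(1 for v in findings.values() if v is True)
    return findings

# Constructed sample resembling the campaign (not a real add-on).
FAKE_MANIFEST = {
    "name": "MetaMask Wallet",
    "browser_specific_settings": {"gecko": {"id": "fakewallet@example.invalid"}},
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
}
FAKE_META = {"installs": 35, "reviews": 120, "avg_rating": 5.0}

if __name__ == "__main__":
    for key, value in triage_addon(FAKE_MANIFEST, FAKE_META).items():
        print(f"{key}: {value}")
```

A real deployment would populate KNOWN_PUBLISHER_IDS from the genuine wallet vendors' published add-on IDs and feed installs and review counts from the store listing.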