Crypto Thieves Target Firefox Users With 40 Fake Extensions

Crypto theft and hacks continue to plague the cryptocurrency sector, with a recent report from Koi Security highlighting a new threat targeting users of the Firefox browser. The report revealed that over 40 Firefox extensions are impostors, masquerading as legitimate crypto wallet extensions. These fake extensions mimic well-known wallets such as MetaMask, Trust Wallet, Phantom, Keplr, and others, making them appear genuine to unsuspecting users.

Cybersecurity researchers have identified a significant threat targeting Firefox users, with over 40 malicious extensions designed to steal cryptocurrency wallet secrets. These fake extensions mimic popular wallets, making them appear legitimate to unsuspecting users. The malicious apps extract and send out wallet credentials to a server controlled by the attackers, also transmitting the user’s IP address for tracking and further targeting. The campaign, which began spreading around April 2025, involves extensions that clone the open-source code of legitimate wallets and inject malicious code to steal data and credentials. The attack is relatively simple but effective, targeting users who seek casual access to cryptocurrency. The fake apps are distributed through the official Firefox app store, making them potentially more misleading and dangerous. Users have already reported losses from these fake applications, highlighting the severity of the threat.

The attack is believed to have originated from Russia, as Russian-language code comments were discovered in some of the apps. Metadata from a file on one of the command-and-control servers also points to a Russian attacker. Security researchers advise users to install an allow list filter and avoid downloading apps without vetting. They also recommend using the wallet’s official web page or social media to download extensions, as searching directly may lead to fake wallets with artificially inflated five-star reviews.

The ongoing campaign poses a significant risk to Firefox users, as the fake extensions continue to spread and evolve. Users are advised to be vigilant and skeptical of apps with too many five-star reviews, as these may be artificially placed to make the app seem established and legitimate. The best approach is to use the wallet’s official web page or social media to ensure the authenticity of the extension. This incident underscores the importance of user caution and the need for enhanced security measures in the cryptocurrency space. As the threat landscape evolves, it is crucial for users to stay informed and adopt best practices to protect their digital assets.