Crypto Wallet Extensions Scam Uncovered: 40 Fraudulent Firefox Plugins
SlowMist Technology's Chief Information Security Officer, 23pds, announced on July 3rd, 2025, that security firm Koi uncovered over 40 fraudulent cryptocurrency wallet extensions on Firefox's plugin store. These extensions mimic popular wallets such as MetaMask and Wallet, exploiting vulnerabilities to steal users' mnemonic phrases through implanted code. The attack is attributed to a Russian-speaking group, highlighting the rising threat to crypto wallet security and the need for more stringent oversight.
These malicious extensions replicate popular wallets to siphon confidential information, sending it back to the attackers. This emphasizes the significance of verifying extension sources to protect mnemonic phrases and funds. Industry professionals and security experts have responded with caution, urging users to install wallet extensions exclusively from verified sources. 23pds reminded the community to beware of malicious wallet extensions and only use verified sources to protect their mnemonic phrases and funds.
This discovery underscores the ongoing threats in the crypto landscape. SlowMist previously identified over $1 million in losses from fake Chrome extensions, pointing to the persistent dangers in the crypto-extension landscape. The incident could spur regulatory scrutiny and security enhancements, as historical precedents and the frequency of similar attacks necessitate greater vigilance. Users are advised to remain cautious and verify the authenticity of any wallet extensions they install to safeguard their assets.