
Over 40 fake Firefox add-ons impersonating major crypto wallets linked to active credential theft campaign: report
Security researchers have identified an extensive cybercriminal operation using dozens of fraudulent Firefox browser extensions to steal cryptocurrency wallet credentials from users. In a report released Wednesday, Koi Security warned that the sophisticated scheme involves over 40 malicious extensions that pose as legitimate wallet applications from popular cryptocurrency platforms.

Specifically, the fake extensions impersonated legitimate tools from major crypto services such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, the counterfeit extensions secretly collect sensitive wallet information, potentially exposing victims' crypto assets to theft.

The attack is "ongoing and very much alive," with some extensions still available, the report said. "We can confirm that the campaign has been active since at least April 2025," the report added. "New malicious extensions were uploaded to Firefox Add-ons store as recent as last week. The ongoing nature of the uploads suggests that the operation is still active, persistent, and evolving."

To gain users' trust, the fake extensions exploited trust mechanisms such as ratings and reviews, with many of them carrying hundreds of fake five-star reviews, according to the report.

Koi Security also pointed out that there are signs pointing to a Russian-speaking threat actor, including Russian-language code comments within the malicious extensions and metadata recovered from PDF files hosted on command-and-control servers used in the operation. "While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group," the report said.

The Block has reached out to Mozilla, the organization behind Firefox, for comment.

Disclaimer: The Block is an independent media outlet that delivers news, research, and data.
As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry.