🔹 Over 40 fake extensions impersonating popular crypto wallets discovered

🔹 Attack is ongoing — malicious wallets still active with fake five-star reviews

🔹 Extensions steal seed phrases and track users' IP addresses

Firefox Becomes the Latest Target of Crypto Scams

Security researchers from Koi have uncovered a large-scale campaign targeting Firefox users through fake wallet extensions. These malicious add-ons mimic legitimate crypto wallets but are designed to steal private keys and monitor user activity.

The attack is still active, with several fake wallets remaining available in the official Firefox Add-ons Store. Experts warn that new fake versions continue to appear, often disguised with artificially boosted five-star ratings.

Tricking Casual Users with Familiar Logos

Attackers are targeting casual crypto users who often search for wallets directly through the browser’s extension marketplace. Fake extensions replicate the look and branding of popular wallets and deceive users into entering seed phrases and credentials.

“The attack is simple but highly effective — it preys on users who want quick access to crypto without verifying the source,” warns the SlowMist team.

Top Wallets Faked in the Campaign

Koi identified fake versions of major crypto wallets including:

🔹 MetaMask, Trust Wallet, Coinbase, Phantom, Exodus

🔹 OKX, Keplr, MyMonero, Bitget, Ethereum Wallet, Leap, and more

Over 40 malicious extensions were found, with new ones emerging regularly. Some remain active through unofficial links, and the campaign reportedly began around April 2025.

These extensions send stolen seed phrases and users’ IP addresses to attacker-controlled servers for further use and targeting.

Open-Source Code Reused for Malicious Purposes

Attackers cloned open-source code from legitimate wallets (e.g., MetaMask) and added malicious lines to harvest user data. They mimicked the original UI, logos, and behavior, making the extensions hard to distinguish from the real ones.

While previous scams focused on specific wallets, this campaign targeted multi-asset wallets widely used in DeFi, trading, NFTs, and on-chain tasks.

Russian Origin Suspected

Code analysis revealed Russian-language comments, and metadata from one command-and-control server further indicated a Russian threat actor.

How to Stay Safe: Expert Recommendations

🔹 Avoid searching for wallets directly in extension marketplaces

🔹 Only install from official websites or verified sources

🔹 Do not trust five-star reviews — they may be fake

🔹 Use allowlist filters where possible to control installed extensions

Conclusion: Star Ratings Aren’t a Guarantee of Safety

This campaign highlights how attackers can exploit user trust and extension platforms’ verification systems. With fake reviews, authentic-looking design, and legitimate-sounding names, users are more vulnerable than ever.

If you use crypto wallets in Firefox, double-check your installed extensions now and remove anything not verified from an official source.
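
As an added example (not from the article or from Koi's research), one way to act on the allowlist and "double-check your installed extensions" advice is to audit the `extensions.json` file in a Firefox profile. The sketch flags any extension whose display name uses one of the wallet brands listed above but whose add-on ID is not on an allowlist you maintain. The add-on IDs and sample records are constructed placeholders; the brand keywords come from the article's list.

```python
import json
from pathlib import Path

# Wallet brands named in the article, used as display-name keywords.
WALLET_BRANDS = ("metamask", "trust wallet", "coinbase", "phantom", "exodus",
                 "okx", "keplr", "mymonero", "bitget", "ethereum wallet", "leap")

def load_addons(profile_dir):
    """Read the add-on records Firefox keeps in <profile>/extensions.json."""
    text = (Path(profile_dir) / "extensions.json").read_text(encoding="utf-8")
    return json.loads(text).get("addons", [])

def audit_addons(addons, allowlist):
    """Return (id, name, brand) for wallet-branded extensions not on the allowlist."""
    findings = []
    for addon in addons:
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, language packs
        addon_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        folded = " ".join(name.casefold().split())  # lower-case, collapse spaces
        brand = next((b for b in WALLET_BRANDS if b in folded), None)
        if brand and addon_id not in allowlist:
            findings.append((addon_id, name, brand))
    return findings

# Constructed sample records (placeholder IDs, not real add-ons).
SAMPLE_ADDONS = [
    {"id": "official-wallet@example.invalid", "type": "extension",
     "defaultLocale": {"name": "MetaMask"}},
    {"id": "{00000000-0000-4000-8000-000000000001}", "type": "extension",
     "defaultLocale": {"name": "MetaMask  Wallet Pro"}},
    {"id": "adblock@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Some Ad Blocker"}},
    {"id": "theme@example.invalid", "type": "theme",
     "defaultLocale": {"name": "Phantom Dark"}},
]
# Placeholder allowlist: fill it with IDs obtained via each vendor's official site.
SAMPLE_ALLOWLIST = {"official-wallet@example.invalid"}

if __name__ == "__main__":
    for addon_id, name, brand in audit_addons(SAMPLE_ADDONS, SAMPLE_ALLOWLIST):
        print(f"REVIEW: {name!r} ({addon_id}) uses brand '{brand}' but is not allowlisted")
```

Substring matching on short brands such as "leap" can flag unrelated extensions, so treat each finding as a prompt for manual review rather than a verdict.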



