PANews, July 2 news, according to BleepingComputer reports, security company Koi discovered over 40 counterfeit cryptocurrency wallet extensions in the official Firefox browser plugin store, imitating popular wallets such as MetaMask and Coinbase Wallet. These malicious plugins steal input content of more than 30 characters (mainly targeting mnemonic phrases) by embedding event listener code and send the data back to the attackers' servers.
Investigations show that this phishing activity has been ongoing at least since April 2025. The behind-the-scenes group is suspected to be a Russian hacker organization. The malicious plugins not only misuse legitimate brand logos but also enhance their credibility through numerous fake five-star reviews. Although some users have exposed the scam through one-star ratings, the download numbers for most counterfeit plugins remain significantly abnormal. While Firefox has an automated risk detection system, a large number of reported malicious plugins have still not been removed as of the time of publication. Researchers remind users to verify developer information and the authenticity of download numbers when installing wallet extensions.