A large-scale malicious operation has been exposed, involving over 40 Firefox extensions disguised as mainstream crypto wallets (such as MetaMask, Coinbase, Trust Wallet, OKX, Phantom, etc.). These extensions steal users' wallet credentials and send them to servers controlled by the attackers, while also collecting the victims' IP addresses. To deceive users, the attackers copy the wallets' open-source code, fabricate five-star reviews, and imitate the real brands' appearance. The operation has been ongoing since April 2025 and is still active. Technical clues suggest that the attackers may be a Russian-speaking group. Koi Security recommends that users install extensions only from verified publishers, enable whitelist mechanisms, and continuously monitor extension behavior. Browser extensions are becoming an overlooked entry point for security risks.
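The allowlist recommendation above can be checked against what is actually installed. The following is an added example, not code from Koi Security or from this post: it audits an add-on inventory shaped like a Firefox profile's `extensions.json` and ranks unlisted extensions that use one of the wallet names mentioned above. The field names (`addons`, `id`, `type`, `defaultLocale.name`), the allowlist entry and all sample add-ons are assumptions constructed for illustration.

```python
import json

# Brands the post names as impersonated; matching is by display name only.
WALLET_BRANDS = ("metamask", "coinbase", "trust wallet", "okx", "phantom")

# Constructed allowlist: add-on IDs your organisation has vetted (placeholder).
ALLOWLIST = {"vetted-wallet@example.invalid"}

# Constructed sample shaped like a Firefox profile's extensions.json.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "vetted-wallet@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask"}},
    {"id": "{00000000-0000-0000-0000-000000000001}", "type": "extension",
     "active": True, "defaultLocale": {"name": "Phantom Wallet"}},
    {"id": "notes@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Quick Notes"}},
    {"id": "dark@example.invalid", "type": "theme", "active": True,
     "defaultLocale": {"name": "Dark"}},
]})


def audit_addons(extensions_json, allowlist):
    """Return findings for extensions that are not on the allowlist.

    Severity is 'high' when an unlisted extension uses a wallet brand name,
    'review' for any other unlisted extension.
    """
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        addon_id = addon.get("id", "")
        if addon_id in allowlist:
            continue  # vetted by ID, so a familiar name alone never passes
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        branded = any(brand in name.lower() for brand in WALLET_BRANDS)
        findings.append({"id": addon_id, "name": name,
                         "severity": "high" if branded else "review"})
    # Brand look-alikes first so they are triaged before generic unknowns.
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for finding in audit_addons(SAMPLE_EXTENSIONS_JSON, ALLOWLIST):
        print(finding["severity"], finding["id"], finding["name"])
```

Because the decision is made on the add-on ID rather than the display name, an extension that copies a wallet's name and branding still surfaces as a finding.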

#Cybersecurity #Firefox #CryptoWallet #KoiSecurity

Source: https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486