A large-scale malicious campaign has been uncovered involving over 40 fake Firefox extensions impersonating popular crypto wallets such as MetaMask, Coinbase, Trust Wallet, OKX, and Phantom. These extensions steal user credentials and transmit them to attacker-controlled servers, and they also collect victims’ IP addresses for tracking. To deceive users, the attackers cloned open-source code, inflated ratings with fake 5-star reviews, and copied branding. The operation has been active since April 2025 and is still ongoing. Technical indicators suggest the threat actor may be Russian-speaking. Koi Security advises users to install extensions only from verified publishers, implement allowlists, and continuously monitor extension behavior, highlighting the growing threat of browser extensions as a neglected attack vector.


#Cybersecurity #Firefox #CryptoWallet #KoiSecurity


Source: https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486