A malware campaign is using malicious Firefox extensions that mimic legitimate cryptocurrency wallets to steal funds from unsuspecting users, according to new research.

Koi Security found that more than 40 malicious extensions were posing as real wallets as part of the "FoxyWallet" campaign, including Coinbase Wallet, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero.

The attack uses malicious code to extract secrets from wallets and send them to servers controlled by criminals. The code filters for inputs longer than 30 characters, a heuristic that selects plausible private keys and seed phrases, before transmitting the data to the attackers. The victim's external IP address is also sent, allowing tracking or additional attacks.

Koi Security explained that the creators of FoxyWallet "took advantage of the fact that official extensions are open source," adding that "they cloned the original repositories and inserted their own malicious logic, creating extensions that behaved as expected while secretly stealing sensitive data."

A deeper analysis of these extensions suggests the involvement of a Russian-speaking threat actor, with Russian comments found in the code, as well as metadata in a PDF file located on the command and control server.

The campaign appears to have been active since at least April, with new malicious extensions added last week, according to Koi Security. Some fake extensions were still available in the Firefox add-ons store until yesterday, despite the company already reporting its findings to Mozilla through the official reporting tool.

Mozilla, the maker of Firefox, issued a statement on Thursday stating that it is "aware of attempts to exploit the Firefox add-ons ecosystem using malicious extensions for cryptocurrency theft," adding that "through improvements in tools and processes, we have taken steps to quickly identify and remove such add-ons."

The company added that many of the malicious extensions highlighted in Koi Security's report had already been removed by its team before publication, and that it is "in the process of reviewing the few remaining add-ons identified, as part of our ongoing commitment to user protection."

A "game of cat and mouse"

Mozilla pointed to a recent blog post about efforts to address the threat of extensions that steal cryptocurrency, in which add-ons operations manager Andreas Wagner noted that the company has discovered "hundreds" of fraudulent wallets in recent years.

"It's a constant game of cat and mouse," Wagner said, as malware developers try to "outsmart our detection methods."

To avoid falling victim to FoxyWallet or similar scams, users are advised to install extensions only from verified developers, treat extensions with the same scrutiny as any other installed software, use whitelists to restrict installation to validated extensions, and implement continuous monitoring rather than one-time scans.
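One way to implement the whitelist-and-monitoring advice above, as an added example that is not part of the Koi Security report or of any Mozilla tooling: a Python check that compares the add-ons registered in a Firefox profile against an allowlist of validated extension ids. The allowlist ids and the sample registry are constructed, and the extensions.json field names are an assumption to verify against a real profile.

```python
"""Audit the extensions installed in a Firefox profile against an allowlist.

Added example for this article, not code from Koi Security or Mozilla. Firefox
records installed add-ons in <profile>/extensions.json; the field names used
here ("addons", "id", "type", "active", "defaultLocale.name") match that file
as far as I know, so confirm them on a real profile. The allowlist ids and the
sample registry below are constructed for illustration.
"""
import json
from pathlib import Path

# Constructed allowlist: extension ids the organisation has validated.
ALLOWLIST = {
    "wallet@validated-vendor.test",  # placeholder id, not a real wallet add-on
    "uBlock0@raymondhill.net",
}

# Constructed, abridged extensions.json snapshot containing one lookalike wallet.
SAMPLE_REGISTRY = json.dumps({"addons": [
    {"id": "wallet@validated-vendor.test", "type": "extension", "active": True,
     "version": "3.1.0", "defaultLocale": {"name": "Validated Wallet"}},
    {"id": "wallet@lookalike.test", "type": "extension", "active": True,
     "version": "3.1.0", "defaultLocale": {"name": "Validated Wallet"}},
    {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
     "version": "1.3", "defaultLocale": {"name": "System theme"}},
]})

def audit_registry(registry_text: str, allowlist: set[str]) -> list[dict]:
    """Return active extensions (themes and dictionaries are skipped) whose id
    is not on the allowlist. A lookalike that copies a validated wallet's
    display name still fails, because the check is on the id, not the name."""
    registry = json.loads(registry_text)
    findings = []
    for addon in registry.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue
        if addon.get("id") not in allowlist:
            findings.append({
                "id": addon.get("id"),
                "name": addon.get("defaultLocale", {}).get("name", "?"),
                "version": addon.get("version", "?"),
            })
    return findings

def audit_profile(profile_dir: str, allowlist: set[str] = ALLOWLIST) -> list[dict]:
    # Run the same check on a real profile directory supplied by the caller.
    return audit_registry(Path(profile_dir, "extensions.json").read_text(), allowlist)

if __name__ == "__main__":
    for f in audit_registry(SAMPLE_REGISTRY, ALLOWLIST):
        print(f"UNEXPECTED extension {f['id']} ({f['name']} {f['version']})")
```

Running this on a schedule, rather than once, gives the continuous monitoring the advice calls for; Firefox's enterprise ExtensionSettings policy can enforce the same allowlist at install time.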