Firefox users are being targeted by a campaign of malicious wallet extensions that imitate the add-ons of top crypto wallets in order to trick users into downloading and using them.

Koi, a security company, has found that the campaign is still active. It uses fake browser add-ons to steal sensitive details, including recovery phrases, resulting in the total loss of assets.

The extensions can be found on the official Firefox add-on site, which makes the counterfeit applications seem genuine and increases the danger. Even after some of the malicious listings were removed, a few others are still active and remain a threat to unsuspecting users. Losses among victims have already been reported, and specialists say that the attack is not yet over.

SlowMist TI Alert: A massive malicious campaign involving dozens of fake #Firefox extensions designed to steal cryptocurrency wallet credentials is underway. Over 40 fake extensions impersonating trusted #wallets like MetaMask, Coinbase Wallet, Trust Wallet, Phantom, OKX,… pic.twitter.com/IIfE5ifxJi

— SlowMist (@SlowMist_Team) July 3, 2025

Fake wallet extensions disguised as legitimate apps

The wallets impersonated in the campaign are among the most popular ones, including MetaMask, Trust Wallet, Coinbase, Phantom, Exodus, Keplr, OKX, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. More than 40 fake extensions have been detected so far, with more still being introduced through unofficial distribution channels.

These fake wallets are able to steal credentials because they are made to resemble the real apps in every detail. Attackers have taken the genuine open-source code of real wallets and added malicious capabilities that transmit secret keys and other user data to servers under their control. The extensions also collect users' IP addresses so that these can be exploited along with the wallet information.

The earliest infection started in April 2025. As Koi discovered, the extensions are still available to users who search for the wallets themselves. Users can find fake applications with artificially inflated five-star ratings. This fraudulent rating scheme gives the malicious extensions the appearance of being reputable and long-established.

Security flaws found in open-source clones

The attack is easy to perform because it relies on cloning open-source wallet code. Fraudsters copy the appearance and usability of genuine wallets and hide malicious code in them. These modifications enable the app to steal user information while it functions as usual.

In some instances, the applications show no signs of malicious intent at first but may add dangerous functionality when updated. This makes them more likely to go unnoticed for extended periods. Code comments in Russian and metadata stored on command-and-control servers indicate that the operation is probably associated with Russian-speaking threat actors.

Both Koi and SlowMist have also highlighted how these counterfeit programs slip through security checks and into official app stores. With the increasing popularity of digital assets, these tactics are becoming standard and increasingly successful, particularly against opportunistic users looking for fast access to DeFi, NFT, or exchange platforms.

Recommendations for user protection

The security researchers strongly recommend applying allow-list filtering and using only wallets from verified providers. Installing browser extensions by searching for them directly increases the chances of falling victim to these scams. Instead, users are advised to visit the official sites of wallet providers or their social media profiles to get the secure links.

Users are also warned to beware of review-bombed apps that carry suspiciously many five-star ratings. Those ratings are not real and are aimed at creating an artificial reputation. Users should take extra care to verify the genuineness of every wallet extension to prevent monetary loss.
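
One way to apply the allow-list recommendation to an existing Firefox profile, as an added example that is not from Koi, SlowMist or the original article: it audits the contents of a profile's extensions.json and marks any extension that uses one of the wallet brands named above without being on the allow-list. The allow-list ID, the sample data and the function name are constructed for illustration, and the extensions.json field names are an assumption about Firefox's profile format.

```python
import json

# Wallet brands named in the article as impersonation targets.
WALLET_BRANDS = ["metamask", "trust wallet", "coinbase", "phantom", "exodus",
                 "keplr", "okx", "mymonero", "bitget", "leap",
                 "ethereum wallet", "filfox"]

# Constructed allow-list: a placeholder, not a real add-on ID. Use the ID of
# the add-on reached through the wallet provider's official site.
ALLOWED_IDS = {"official-metamask@placeholder.example"}

# Constructed sample shaped like a Firefox profile's extensions.json
# (assumed fields: addons[].id, .type, .defaultLocale.name).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "official-metamask@placeholder.example", "type": "extension",
     "defaultLocale": {"name": "MetaMask"}},
    {"id": "{constructed-0001}", "type": "extension",
     "defaultLocale": {"name": "Phantom Wallet - Crypto"}},
    {"id": "adfilter@placeholder.example", "type": "extension",
     "defaultLocale": {"name": "Ad Filter"}},
    {"id": "dark@placeholder.example", "type": "theme",
     "defaultLocale": {"name": "Dark"}},
]})


def audit_extensions(raw_json, allowed_ids=ALLOWED_IDS, brands=WALLET_BRANDS):
    """Return (verdict, id, name) for every installed extension.

    verdict is 'allowed', 'impersonation-suspect' (wallet brand in the name
    but ID not allow-listed) or 'not-allow-listed'.
    """
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries and language packs
        addon_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        if addon_id in allowed_ids:
            verdict = "allowed"
        elif any(brand in name.lower() for brand in brands):
            verdict = "impersonation-suspect"
        else:
            verdict = "not-allow-listed"
        findings.append((verdict, addon_id, name))
    return findings


if __name__ == "__main__":
    for verdict, addon_id, name in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{verdict:22} {addon_id:40} {name}")
```

The check keys on the add-on ID rather than the display name or rating, since the name and the five-star ratings are exactly what the fake listings imitate.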

The post Malicious Crypto wallet extensions spread among Firefox users first appeared on Coinfea.