Researchers from the Koi security company discovered an ongoing campaign spreading malicious wallet extensions on Firefox. The malicious apps spoof the most widely used wallets, stealing private phrases and leaving users vulnerable to being drained.
An ongoing campaign is spreading malicious extensions, spoofing some of the most common crypto wallets on Firefox. Koi security discovered some of the apps were removed, while others were still active, posing as legitimate wallets.
The SlowMist attack team also warned users to be vigilant, as the attack is still active. The fake apps are spreading through the official Firefox app store, making them potentially more misleading and dangerous.
🚨SlowMist TI Alert🚨
A massive malicious campaign involving dozens of fake #Firefox extensions designed to steal cryptocurrency wallet credentials is underway. Over 40 fake extensions impersonating trusted #wallets like MetaMask, Coinbase Wallet, Trust Wallet, Phantom, OKX,… pic.twitter.com/IIfE5ifxJi
— SlowMist (@SlowMist_Team) July 3, 2025
The attack is relatively simple, but targets the easiest type of user, who seek casual access to crypto. Using a compromised app, or inputting private phrases into one may lead to significant losses. Users are already reporting losses from the fake apps.
Hacks and exploits accelerated in the first half of 2025, as crypto increased in value. Threats also came from DPRK hackers infiltrating projects, with hundreds potentially affected by malicious code.
Firefox fake extensions target the most widely used wallets
Koi intercepted fake apps for some of the most widely used wallet extensions, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.
The researchers discovered over 40 apps posing as wallets, with new ones appearing. Some of the fake wallets are still active on unofficial links. According to researchers, the fake apps started spreading around April 2025.