According to cybersecurity firm Koi Security, a large-scale credential theft operation targeting cryptocurrency investors is spreading: more than 40 malicious extensions impersonating well-known wallets have been listed on Firefox, where they secretly steal wallet credentials from unsuspecting users and misappropriate their assets.

The Koi Security report notes that these malicious extensions disguise themselves as mainstream wallets such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox in an attempt to pass as legitimate. Once a user installs one, the hidden malicious code quietly collects sensitive information such as wallet private keys and seed phrases, exposing the wallet's assets to the attackers. It also collects the victim's external IP address, increasing the risk of irrecoverable asset loss.

Even more chilling is that these fake extensions can be listed on the official Firefox store for anyone to download freely, and to create the illusion of being 'official products', they even artificially inflate 5-star ratings, making it hard for users to discern the truth and luring unsuspecting users into traps.

Koi Security indicates that this attack campaign has been ongoing since at least April of this year, with new versions of malicious extensions continuously being released.

The report further states that the code of multiple malicious extensions contains numerous Russian comments, and that the PDF files hosted on the command and control (C2) servers also include Russian metadata, indicating that this attack is likely related to a Russian hacker group.

Block客 reminds readers not to blindly trust user reviews of extensions, software, or apps, and to carefully verify developer information, check download volumes, and regularly review the extensions in their browser to confirm whether any unknown or suspicious programs are lurking.

Additionally, if there are any signs of suspected leakage of private keys or seed phrases, assets should be immediately transferred and a new wallet address created to avoid further losses.
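The periodic extension review recommended above can be partly automated. The following is an added example, not code from Koi Security or the original article: it reads a Firefox profile's `extensions.json` and lists installed extensions whose display name mentions one of the wallet brands named in the report, so that the developer behind each can be checked by hand. The field names (`addons`, `type`, `active`, `defaultLocale.name`, `defaultLocale.creator`) are an assumption about that file's layout, and the sample data is constructed.

```python
import json
import sys

# Wallet brands the report lists as impersonated (taken from the article).
BRANDS = ["coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
          "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox"]

# Constructed sample shaped like a profile's extensions.json (assumed layout);
# every id, name and creator here is made up for illustration.
SAMPLE = json.dumps({"addons": [
    {"id": "wallet-pro@example.invalid", "type": "extension", "version": "1.0.3", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet Pro", "creator": "example-dev-1"}},
    {"id": "adfilter@example.invalid", "type": "extension", "version": "4.2", "active": True,
     "defaultLocale": {"name": "Example Ad Filter", "creator": "example-dev-2"}},
    {"id": "dark@example.invalid", "type": "theme", "version": "2.0", "active": True,
     "defaultLocale": {"name": "Phantom Dark", "creator": "example-dev-3"}},
    {"id": "kp@example.invalid", "type": "extension", "version": "0.9", "active": False,
     "defaultLocale": {"name": "Keplr", "creator": None}},
]})

def review_candidates(extensions_json_text):
    """Return installed extensions whose display name mentions a listed brand."""
    # A hit is not a verdict: the genuine wallet matches too. It marks an
    # entry whose developer and store listing should be verified manually.
    hits = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        locale = addon.get("defaultLocale") or {}
        name = locale.get("name") or ""
        brand = next((b for b in BRANDS if b in name.lower()), None)
        if brand is None:
            continue
        hits.append({"id": addon.get("id"), "name": name, "brand": brand,
                     "creator": locale.get("creator") or "(none listed)",
                     "version": addon.get("version"), "active": bool(addon.get("active"))})
    return hits

if __name__ == "__main__":
    # Pass the path to a profile's extensions.json, or run with no argument
    # to see the result for the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for hit in review_candidates(text):
        print(hit)
```

Disabled extensions are reported as well, since a disabled entry is still installed and can be re-enabled.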

"Fake wallets rampant on Firefox! Over 40 malicious extensions lurking, targeting cryptocurrency users to steal private keys" was first published on (Block客).