Warning! Hackers are stealing cryptocurrency through counterfeit browser extension applications, with Russian organizations possibly being the masterminds of the attacks.

Recently, cybersecurity company Koi Security disclosed a large-scale malicious campaign targeting cryptocurrency users, in which attackers carried out theft by counterfeiting more than 40 mainstream cryptocurrency wallet extensions for Firefox.

These counterfeit extensions closely mimic the interfaces and functionalities of well-known products such as MetaMask, Coinbase Wallet, Trust Wallet, etc., even creating false reputations through fake reviews, disguising themselves as trusted plugins in the Mozilla add-ons section. Furthermore, this attack is continuously evolving, with the latest batch of malicious extensions still being uploaded last week, highlighting the attackers' high adaptability.

Technical analysis shows that these malicious extensions reduce user suspicion by cloning legitimate open-source wallet codebases and retaining their core functionality, while inserting malicious modules that steal mnemonic phrases and private keys. The extensions also silently collect metadata such as the user's IP address at installation time, allowing precise targeting.

By tracking the infrastructure and TTPs (tactics, techniques, and procedures), Koi Security confirmed that this is a systematic campaign against cryptocurrency holders, and urged users to immediately inspect suspicious extensions and rotate wallet credentials.

The Russian clues discovered during the investigation are particularly noteworthy. Security personnel found Russian comments in the malicious code and extracted Russian metadata from PDF files stored on the attackers' servers.

This resembles a case disclosed months ago by another security company, SlowMist, in which hackers used a fake Zoom meeting to steal millions of dollars in cryptocurrency; Russian-language scripts were also present in those attack tools. Although there is no conclusive evidence, it is possible that a criminal organization with a Russian background is orchestrating these transnational cybercrime activities.

Koi Security is currently working with Mozilla to take down the identified malicious extensions. However, this campaign, which has run for several months, exposes serious security risks in the browser extension ecosystem: attackers can not only impersonate well-known products with ease, but also exploit gaps in platform review to remain hidden for an extended period.

For cryptocurrency users, merely relying on the review mechanisms of official app stores is insufficient to ensure the security of wallet assets. It is essential to develop security habits such as manually verifying extension signatures and being vigilant about permission requests.
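As an added illustration of the checks described in the technical analysis and the advice above (example code, not from Koi Security or Mozilla), the following Python script reads a Firefox profile's extensions.json and flags add-ons whose name mimics a wallet brand without carrying the allow-listed add-on ID, or that hold broad permissions. The allow-list IDs and the embedded extensions.json sample are constructed placeholders; the JSON field names are assumed to match what Firefox writes to the profile.

```python
import json

# PLACEHOLDER allow-list: wallet brand (lower-case) -> official add-on ID.
# Replace these with the IDs each vendor publishes for its Firefox add-on.
KNOWN_WALLET_IDS = {
    "metamask": "official-metamask-id@example.invalid",
    "coinbase wallet": "official-coinbase-id@example.invalid",
    "trust wallet": "official-trust-id@example.invalid",
}
# Permissions that let an add-on read every page, the clipboard or all traffic.
# Some legitimate wallets request a few of these, so they are flagged, not blocked.
RISKY_PERMISSIONS = {"<all_urls>", "clipboardRead", "webRequest",
                     "webRequestBlocking", "tabs"}

def audit_extensions(extensions_json: str) -> list:
    """Return one finding per installed add-on that looks like a counterfeit
    wallet (brand name without the allow-listed ID) or holds risky permissions."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        name = (addon.get("defaultLocale") or {}).get("name", "")
        addon_id = addon.get("id", "")
        perms = addon.get("userPermissions") or {}
        granted = set(perms.get("permissions", [])) | set(perms.get("origins", []))
        reasons = []
        for brand, official_id in KNOWN_WALLET_IDS.items():
            if brand in name.lower() and addon_id != official_id:
                reasons.append(f"name matches '{brand}' but id is not the allow-listed one")
        risky = sorted(granted & RISKY_PERMISSIONS)
        if risky:
            reasons.append("risky permissions: " + ", ".join(risky))
        # signedState 2 = signed by addons.mozilla.org (assumed encoding). Counterfeits
        # hosted on AMO are signed too, so the name/ID check above is the useful signal.
        if addon.get("signedState", 0) < 2:
            reasons.append("not signed by addons.mozilla.org")
        if reasons:
            findings.append({"id": addon_id, "name": name, "reasons": reasons})
    return findings

# Constructed extensions.json sample: one allow-listed wallet, one counterfeit.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "official-metamask-id@example.invalid", "defaultLocale": {"name": "MetaMask"},
     "signedState": 2, "userPermissions": {"permissions": ["storage"],
                                            "origins": ["https://*.infura.io/*"]}},
    {"id": "metamask-wallet@fake.invalid", "defaultLocale": {"name": "MetaMask Wallet"},
     "signedState": 2, "userPermissions": {"permissions": ["clipboardRead", "storage"],
                                            "origins": ["<all_urls>"]}},
]})

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(finding["id"], finding["name"], "->", "; ".join(finding["reasons"]))
```

On a real system, pass the contents of `extensions.json` from the Firefox profile directory instead of the constructed sample.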

#CryptocurrencyWallet #BrowserSecurity