Software supply chain security firm Koi Security has identified an ongoing large-scale malicious campaign involving numerous counterfeit Firefox browser extensions designed to capture cryptocurrency wallet credentials. These extensions mimic legitimate tools associated with well-known platforms, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.
Once installed, the extensions covertly extract sensitive wallet information, posing a significant threat to user assets. The investigation has so far linked over 40 distinct extensions to the same campaign, which remains active. Some of these extensions are still available through official distribution channels. The campaign was identified by analyzing shared tactics, techniques, and procedures (TTPs) and common infrastructure.
Evidence indicates that the operation has been underway since at least April 2025, with new malicious uploads to the Firefox Add-ons store observed as recently as the previous week. The continuous appearance of these extensions points to a persistent and evolving threat. The malware targets users by harvesting wallet credentials directly from specified websites and transmitting them to a remote server operated by the attacker. Additionally, the extensions send the victim’s external IP address during the initial execution phase, likely for tracking or targeting purposes.
Malicious Firefox Extensions Mimic Trusted Wallet Tools And Inflate Reviews To Evade Detection And Boost Installs
This campaign exploits standard trust signals commonly found on browser extension marketplaces—such as user ratings, reviews, familiar branding, and functional performance—to build credibility and increase download rates. A notable strategy involved artificially boosting review scores; many of the malicious extensions featured an unusually high volume of five-star reviews, inconsistent with their actual user base. This creates the appearance of widespread approval and reliability, which can influence user decisions on platforms like the Mozilla Add-ons store.
The attacker also replicated the visual branding of legitimate wallet tools, including exact names and logos, making the counterfeit versions difficult to distinguish from the authentic ones. This approach raises the likelihood of unintentional downloads by users seeking the real service. In multiple instances, the actor utilized open-source versions of official extensions, duplicating the legitimate code and integrating malicious components. As a result, the extensions retained expected functionality while quietly exfiltrating sensitive data, enabling the campaign to achieve impact with relatively minimal development effort and reduced initial detection risk.
Indicators Link Malicious Campaign To Russian-Speaking Threat Actor, Experts Urge Stricter Extension Security Measures
Although definitive attribution has not been established, several indicators suggest involvement by a Russian-speaking threat actor. These include Russian-language comments identified within the extension code and metadata extracted from a PDF document hosted on a command-and-control server associated with the campaign. While these elements are not conclusive, they collectively imply a possible origin linked to a Russian-speaking group.
Best practices in response to this activity include installing extensions exclusively from verified sources and remaining cautious even when extensions have high ratings. Browser extensions should be treated as full software components, requiring appropriate vetting, policy controls, and ongoing oversight. Organizations are advised to implement extension allowlists, limiting installations to pre-approved and validated tools, and to adopt continuous monitoring strategies, as extensions can auto-update and alter behavior after deployment without user awareness.
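As an added illustration of the allowlist and monitoring advice above (not code from the original article or from Koi Security), the script below audits a Firefox profile's installed extensions against an approved list and flags the counterfeiting pattern this campaign relies on: an extension that reuses an approved display name under a different ID. The extensions.json field layout and the allowlisted ID are assumptions for the example.

```python
import json
from typing import Dict, List

# Approved extension IDs mapped to their expected display names. The ID below is
# a placeholder; an organization fills this with IDs it has actually vetted.
ALLOWLIST: Dict[str, str] = {"vetted-wallet@example.com": "Example Wallet"}

# Constructed sample in the shape of a Firefox profile's extensions.json,
# reduced to the fields the audit reads (assumed format, not from the article).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "vetted-wallet@example.com", "type": "extension", "active": True,
     "defaultLocale": {"name": "Example Wallet"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/a.xpi"},
    # Lookalike: same branding as the vetted wallet, different ID, store-hosted.
    {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
     "active": True, "defaultLocale": {"name": "Example Wallet"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/b.xpi"},
    # Unvetted extension sideloaded from disk.
    {"id": "helper@example.net", "type": "extension", "active": True,
     "defaultLocale": {"name": "Helper"}, "sourceURI": "file:///tmp/helper.xpi"},
    # Themes are not extensions and are skipped.
    {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
     "defaultLocale": {"name": "System theme"}},
]})

def audit_extensions(extensions_json: str, allowlist: Dict[str, str]) -> List[dict]:
    """Return one finding per active extension whose ID is not allowlisted.
    'lookalike' = an allowlisted display name reused under a different ID (the
    counterfeiting pattern above); 'unapproved' = anything else off the list.
    Store hosting is reported but never treated as approval."""
    allowed_names = {n.casefold() for n in allowlist.values()}
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active", False):
            continue
        ext_id = addon.get("id", "")
        if ext_id in allowlist:
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        findings.append({
            "id": ext_id, "name": name,
            "verdict": "lookalike" if name.casefold() in allowed_names else "unapproved",
            "from_store": addon.get("sourceURI", "").startswith("https://addons.mozilla.org/"),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWLIST):
        print(finding)
```

Running it against a real profile means reading the profile's extensions.json in place of the constructed sample; the store-hosted lookalike is still reported, which is the point, since official hosting did not stop this campaign.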
The post FoxyWallet Campaign Exposes Over 40 Malicious Firefox Extensions Targeting Crypto Users appeared first on Metaverse Post.