
Over 40 Malicious Firefox Extensions Target Cryptocurrency Wallets, Stealing User Assets

By The Hacker News
July 3, 2025


Jul 03, 2025Ravie LakshmananBrowser Security / Cryptocurrency

Cybersecurity researchers have uncovered over 40 malicious browser extensions for Mozilla Firefox that are designed to steal cryptocurrency wallet secrets, putting users’ digital assets at risk.

“These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox,” Koi Security researcher Yuval Ronen said.

The large-scale campaign is said to have been ongoing since at least April 2025, with new extensions uploaded to the Firefox Add-ons store as recently as last week.


The identified extensions have been found to artificially inflate their popularity, adding hundreds of 5-star reviews that go far beyond the total number of active installations. This strategy is employed to give them an illusion of authenticity, making it seem like they are widely adopted and tricking unsuspecting users into installing them.

Another tactic adopted by the threat actor to bolster trust involves passing off these add-ons as legitimate wallet tools, using the same names and logos.

The fact that some of the actual extensions were open-source allowed the attackers to clone their source code and inject their own malicious functionality to extract wallet keys and seed phrases from targeted websites and exfiltrate them to a remote server. The rogue extensions have also been found to transmit the victims’ external IP addresses.

Unlike typical phishing scams that rely on fake websites or emails, these extensions operate inside the user’s browser—making them far harder to detect or block with traditional endpoint tools.

“This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection,” Ronen said.

The presence of Russian language comments in the source code as well as metadata obtained from a PDF file retrieved from the command-and-control (C2) server used for the activity points to a Russian-speaking threat actor group.


All the identified add-ons with the exception of MyMonero Wallet have since been taken down by Mozilla. Last month, the browser maker said it has developed an “early detection system” to detect and block scam crypto wallet extensions before they gain popularity among users and are used to steal users’ assets by tricking them into entering their credentials.

To mitigate the risk posed by such threats, it’s advised to install extensions only from verified publishers and vet them to ensure that they don’t silently change their behavior post-installation.
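As an added example (not code from the article, Koi Security or Mozilla), the two signals described above can be checked over an extension inventory: a wallet brand name on an add-on that is not the vetted one, and review counts that exceed active installs. The record fields, add-on IDs and approved list are constructed for illustration.

```python
import re

# Wallet brands the article lists as impersonated.
BRANDS = ["Coinbase", "MetaMask", "Trust Wallet", "Phantom", "Exodus", "OKX",
          "Keplr", "MyMonero", "Bitget", "Leap", "Ethereum Wallet", "Filfox"]

# Constructed placeholder: add-on IDs that have been vetted and approved.
APPROVED_IDS = {"wallet-official@vendor.example"}

# Constructed inventory; field names are hypothetical, not a real export format.
INVENTORY = [
    {"id": "wallet-official@vendor.example", "name": "MetaMask",
     "active_installs": 500000, "review_count": 3200},
    {"id": "mm-helper@unknown.example", "name": "Meta Mask Wallet",
     "active_installs": 45, "review_count": 310},
    {"id": "notes@tools.example", "name": "Quick Notes",
     "active_installs": 1200, "review_count": 80},
    {"id": "phantom-ext@unknown.example", "name": "Phantom",
     "active_installs": 9000, "review_count": 40},
]

def _flat(text):
    """Lower-case and keep only letters and digits, so 'Meta-Mask' == 'metamask'."""
    return re.sub(r"[^a-z0-9]", "", text.casefold())

def brand_in_name(name):
    """Return the first listed brand contained in the add-on name, else None.
    Deliberately loose (substring match): this is triage, not a verdict."""
    flat = _flat(name)
    return next((b for b in BRANDS if _flat(b) in flat), None)

def triage(addon, approved_ids=APPROVED_IDS):
    """Return the findings for one inventory record."""
    findings = []
    brand = brand_in_name(addon["name"])
    if brand and addon["id"] not in approved_ids:
        findings.append(f"uses brand '{brand}' but ID is not on the approved list")
    if addon["review_count"] > addon["active_installs"]:
        findings.append(f"{addon['review_count']} reviews exceed "
                        f"{addon['active_installs']} active installs")
    return findings

def audit(inventory, approved_ids=APPROVED_IDS):
    """Map add-on ID -> findings, for records with at least one finding."""
    results = {a["id"]: triage(a, approved_ids) for a in inventory}
    return {addon_id: f for addon_id, f in results.items() if f}

if __name__ == "__main__":
    for addon_id, findings in audit(INVENTORY).items():
        print(addon_id, findings)
```
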
