Security researchers have discovered more than 40 malicious browser add-ons for Mozilla Firefox, specifically engineered to steal private keys and seed phrases from cryptocurrency wallets, putting users’ funds at serious risk.
Yuval Ronen of Koi Security reports that these fake extensions pose as legitimate wallet tools from well-known services including Coinbase, MetaMask, Phantom, Trust Wallet, OKX, Exodus, Keplr, Bitget, Leap, Ethereum Wallet, MyMonero, and Filfox.
The campaign has reportedly been active since April 2025, with new extensions still being uploaded to Firefox’s Add-ons store as recently as last week.
To appear more trustworthy, the attackers inflated the extensions’ ratings, giving users the impression they were well-established. Most also borrowed branding—like names and icons—from actual crypto wallets, which made them harder to spot as fakes.
Because several of the original wallet extensions are open-source, the attackers were able to copy the legitimate codebase and quietly insert malicious code that steals sensitive wallet data and sends it to an external server. In some cases, they also captured victims’ IP addresses.
These browser-based threats don’t depend on fake websites or scam emails—instead, they work from inside the browser, slipping past many traditional security defenses.
“This method required very little effort but had significant impact, allowing the fake extensions to behave as expected while secretly harvesting credentials,” Ronen explained.
Clues found in the source code—such as comments written in Russian—and PDF metadata pulled from the attackers’ command-and-control server suggest the group may be Russian-speaking.
Mozilla has removed nearly all of the flagged add-ons from its store, except for one tied to MyMonero. The company said it’s developing a system to spot and block questionable crypto-related add-ons before they’re able to do damage.
In the meantime, users should be cautious—only install from known sources and watch for any sudden changes in how extensions behave.
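Because the fake extensions described above are copies of open-source wallet code with extra logic inserted, one defensive check is to compare an installed extension against a trusted copy of the genuine one and list what was added. The following is an added example, not code from Koi Security or Mozilla; it assumes both extensions are already unpacked into directories, and the file names, contents and the `collector.example` host are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def manifest_permissions(root):
    """Collect API and host permissions (Manifest V2 and V3 keys)."""
    manifest = json.loads((Path(root) / "manifest.json").read_text(encoding="utf-8"))
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    return perms

def compare_to_upstream(upstream_dir, installed_dir):
    """Report what the installed copy adds or changes relative to upstream."""
    up, inst = file_hashes(upstream_dir), file_hashes(installed_dir)
    return {
        "added_files": sorted(set(inst) - set(up)),
        "removed_files": sorted(set(up) - set(inst)),
        "modified_files": sorted(f for f in set(up) & set(inst) if up[f] != inst[f]),
        "added_permissions": sorted(manifest_permissions(installed_dir)
                                    - manifest_permissions(upstream_dir)),
    }

def build_constructed_sample(base):
    """Write two tiny constructed extension trees (not real wallet code)."""
    trees = {
        "upstream": {"manifest.json": json.dumps({"permissions": ["storage"]}),
                     "background.js": "// wallet logic\n", "popup.js": "// ui\n"},
        "installed": {"manifest.json": json.dumps(
                          {"permissions": ["storage", "https://collector.example/*"]}),
                      "background.js": "// wallet logic\n// constructed extra line\n",
                      "popup.js": "// ui\n", "telemetry.js": "// constructed extra file\n"},
    }
    for name, files in trees.items():
        (Path(base) / name).mkdir()
        for rel, text in files.items():
            (Path(base) / name / rel).write_text(text, encoding="utf-8")
    return Path(base) / "upstream", Path(base) / "installed"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(compare_to_upstream(*build_constructed_sample(tmp)), indent=2))
```

Compare against the vendor's official published package rather than the source repository, since bundled release files differ from repository source. An `.xpi` file is a ZIP archive and can be unpacked with any ZIP tool.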