
Comprehensive Analysis: The Threat of Fraudulent Firefox Extensions in the Crypto Space
Emerging Threat: Fake Firefox Extensions Targeting Cryptocurrency Users
A recent investigation by the cybersecurity experts at Koi Security has uncovered a significant scheme involving counterfeit Firefox browser extensions. These deceptive add-ons are designed to pilfer cryptocurrency wallet credentials from unsuspecting users. The research identified over 40 extensions mimicking well-known crypto wallet tools, enabling cybercriminals to harvest sensitive data from users.
These malicious extensions closely resemble legitimate applications associated with popular platforms such as MetaMask, Coinbase, Phantom, Trust Wallet, Exodus, OKX, and several others. This mirroring of authentic tools is a sophisticated tactic to fool even the most cautious users.
An In-depth Look at the Fraudulent Wallet Extensions
The campaign, which remains active, was first identified as early as April 2025. Koi Security’s findings, released on a recent Wednesday, confirmed that these fraudulent extensions had been uploaded to the Firefox Add-ons store as recently as last week. Alarmingly, some of these extensions were still accessible at the time of the report, posing ongoing risks to users’ private keys and wallet data.
Once installed, these extensions clandestinely collect sensitive credentials, which attackers can then use to access assets across multiple blockchain networks. Security experts warn that the operation is particularly menacing due to its prolonged duration, stealth, and technical prowess. The continuous uploading of new extensions indicates that the campaign is not only active but also evolving to bypass detection.
By imitating widely used wallets and evading browser review processes, the perpetrators of this scheme employ both social engineering and technical deception to target cryptocurrency enthusiasts.
Deceptive Tactics, Attribution, and the Broader Impact on Crypto Security
To lend credibility to their counterfeit extensions, the perpetrators have padded them with numerous five-star ratings and favorable reviews. These misleading endorsements likely convinced users to download the extensions without any suspicion. Additionally, the design, branding, and naming conventions of these extensions closely mirror those of official wallet providers, adding a further layer of deceit.
Koi Security researchers have discovered several technical indicators hinting at a possible involvement of a Russian-speaking group in this campaign. Analysis of the extensions revealed Russian-language comments embedded in the code, and documents related to the command-and-control infrastructure contained Russian metadata. Although these clues are not definitive, they align with tactics observed in previous threat actor campaigns originating from Eastern Europe. The report states, “While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group.”
The scale and persistence of this operation suggest an organized effort rather than a one-off exploit. Koi Security underscores that this tactic could potentially expand to target other browsers and cryptocurrency platforms in the future.
To mitigate risks, the report advises users to refrain from downloading browser extensions that are not recommended by official wallet providers. It also suggests verifying developer information on add-on pages and scrutinizing the permissions requested by extensions. Users should promptly uninstall any tool they did not intentionally install or no longer recognize.
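The permission and identity checks advised above can be run against a Firefox profile's own add-on inventory. The following is an added example, not code from Koi Security or from the article: it assumes the inventory is the extensions.json file in the profile directory with the field names used below, and that the reader supplies the add-on IDs confirmed through each wallet provider's own site; all sample IDs and names are constructed.

```python
import json

# Wallet brands the article lists as being impersonated.
WALLET_BRANDS = ("metamask", "coinbase", "phantom", "trust wallet", "exodus", "okx")
# Host patterns that let an add-on read and change data on every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_addons(extensions_json, trusted_ids):
    """Flag user-installed extensions that use a wallet brand name but whose
    add-on ID is not in trusted_ids (IDs the reader has confirmed through the
    wallet provider's own site; supplying them is an assumption of this example)."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        # Only extensions installed into the profile; skip themes and built-ins.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        brand = next((b for b in WALLET_BRANDS if b in name.lower()), None)
        if brand is None or addon.get("id") in trusted_ids:
            continue
        granted = addon.get("userPermissions") or {}
        origins = granted.get("origins") or []
        findings.append({
            "id": addon.get("id"),
            "name": name,
            "brand": brand,
            "permissions": granted.get("permissions") or [],
            "all_sites": bool(ALL_SITES & set(origins)),
        })
    return findings

def _addon(addon_id, name, kind="extension", perms=(), origins=()):
    # Builds one constructed record in the assumed extensions.json shape.
    return {"id": addon_id, "type": kind, "location": "app-profile",
            "defaultLocale": {"name": name},
            "userPermissions": {"permissions": list(perms), "origins": list(origins)}}

# Constructed sample data: every ID and name below is made up for illustration.
SAMPLE = json.dumps({"addons": [
    _addon("wallet@official.example", "MetaMask", perms=["storage"], origins=["https://*/*"]),
    _addon("{constructed-lookalike-id}", "Metamask Wallet Pro",
           perms=["storage", "webRequest"], origins=["<all_urls>"]),
    _addon("notes@tools.example", "Quick Notes", perms=["storage"]),
    _addon("theme@skins.example", "Phantom Dark", kind="theme"),
]})

if __name__ == "__main__":
    for f in audit_addons(SAMPLE, trusted_ids={"wallet@official.example"}):
        print(f)
```

A finding means the add-on carries a wallet brand name without a confirmed ID; the listed permissions and the all_sites flag show what it was granted while installed.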
Upholding Editorial Integrity
The editorial process at Bitcoinist is dedicated to delivering thoroughly researched, accurate, and unbiased content. We adhere to strict sourcing standards, and each piece undergoes meticulous review by our team of top technology experts and seasoned editors. This rigorous process ensures that our content remains trustworthy, relevant, and valuable to our readers.





