Ongoing Crypto Theft Campaign Targets Firefox Users with Malicious Wallet Extensions
A widespread cybercriminal campaign is actively targeting Mozilla Firefox users with more than 40 fake browser extensions designed to steal cryptocurrency wallet credentials, with the most recent extensions being uploaded just last week.
According to a report released by cybersecurity firm Koi Security, these malicious add-ons often impersonate popular crypto wallets such as Coinbase, MetaMask and Trust Wallet to trick unsuspecting victims.
The attackers have employed a range of sophisticated tactics to deceive users and avoid detection.
Many of these fake extensions rely on fabricated five-star reviews; one application alone carried hundreds of them.
The fake extensions also frequently use the same names and logos as the real services they mimic.
This creates an illusion of authenticity and widespread adoption, increasing the likelihood that unsuspecting users will install the malicious software.
In some cases, the threat actors have cloned the open-source codebases of genuine wallet extensions, adding their own malicious code to exfiltrate sensitive data.
"This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection."
Once installed, these extensions extract wallet credentials directly from targeted websites and transmit them to remote servers controlled by the attackers.
Evidence Points to Russian-Speaking Threat Actors
Koi Security's investigation found multiple indicators that the campaign may be linked to Russian-speaking threat actors.
One such indicator was Russian-language comments embedded in the malicious code, along with metadata in files retrieved from the attackers' command-and-control servers.
"While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group."
To mitigate the risk of credential theft, Koi Security strongly advises users to install browser extensions only from verified publishers.
The firm also recommends treating all extensions as full software assets, maintaining strict allowlists, and regularly monitoring for unexpected behavior or unauthorized updates.
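The allowlisting and monitoring advice above can be turned into a routine check. The following is an added example written for this article, not code from Koi Security or Mozilla. It audits a Firefox profile's `extensions.json` against an organisation allowlist and a version baseline from the previous run, flagging add-ons that are not vetted, add-ons whose display name borrows a protected wallet brand while carrying an unknown ID (the impersonation pattern described above), and versions that changed since the last audit. The allowlist, baseline and the sample `extensions.json` content are constructed for the demo; the field names used (`addons`, `id`, `type`, `version`, `active`, `userDisabled`, `defaultLocale.name`, `sourceURI`) are assumed to match the layout of current Firefox profiles.

```python
"""Audit installed Firefox extensions against an allowlist and a baseline.

Added example (not Koi Security's or Mozilla's code). Reads the per-profile
extensions.json (found at <profile>/extensions.json) and reports:
  - unlisted:            an enabled or disabled add-on whose ID is not vetted
  - impersonation:       an unlisted add-on whose name borrows a protected brand
  - new-since-baseline:  an ID that was not present at the last audit
  - version-changed:     an ID whose version differs from the last audit
  - removed-since-baseline: an ID that disappeared since the last audit
All sample data below is constructed for the demonstration.
"""
import json
from typing import Dict, List, Tuple

# Constructed allowlist: vetted add-on IDs mapped to their expected display name.
ALLOWLIST: Dict[str, str] = {
    "wallet@vetted.example": "Example Wallet",
}

# Brand names that should never appear in the name of an unvetted add-on.
# The wallet names come from the campaign described in the article.
PROTECTED_BRANDS = ["example wallet", "metamask", "coinbase", "trust wallet"]

# Constructed ID for the look-alike add-on in the sample data.
IMPOSTOR_ID = "{11111111-2222-3333-4444-555555555555}"

# Constructed stand-in for a profile's extensions.json.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 37,
    "addons": [
        {"id": "wallet@vetted.example", "type": "extension", "version": "2.1.0",
         "active": True, "userDisabled": False,
         "defaultLocale": {"name": "Example Wallet"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/vetted.xpi"},
        {"id": IMPOSTOR_ID, "type": "extension", "version": "1.0.3",
         "active": True, "userDisabled": False,
         "defaultLocale": {"name": "MetaMask"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/lookalike.xpi"},
        {"id": "firefox-compact-dark@mozilla.org", "type": "theme", "version": "1.3",
         "active": False, "userDisabled": True,
         "defaultLocale": {"name": "Dark"}},
    ],
})

# Constructed baseline from a previous audit: add-on ID -> version seen then.
SAMPLE_BASELINE: Dict[str, str] = {"wallet@vetted.example": "2.0.0"}

Finding = Tuple[str, str, str]  # (kind, addon id, detail)


def load_extensions(extensions_json_text: str) -> List[dict]:
    """Return the add-ons of type "extension"; themes, dictionaries and
    language packs are skipped because they cannot run page scripts."""
    data = json.loads(extensions_json_text)
    return [a for a in data.get("addons", []) if a.get("type") == "extension"]


def _display_name(addon: dict) -> str:
    return (addon.get("defaultLocale") or {}).get("name", "")


def audit_extensions(addons: List[dict], allowlist: Dict[str, str],
                     baseline: Dict[str, str]) -> List[Finding]:
    """Compare installed extensions with the allowlist and the baseline."""
    findings: List[Finding] = []
    seen = set()
    for addon in addons:
        addon_id = addon.get("id", "")
        name = _display_name(addon)
        version = addon.get("version", "")
        enabled = bool(addon.get("active")) and not addon.get("userDisabled", False)
        seen.add(addon_id)
        if addon_id not in allowlist:
            findings.append(("unlisted", addon_id,
                             f"{name!r} v{version}, enabled={enabled}"))
            # A vetted brand name on an unknown ID is the look-alike pattern.
            hits = [b for b in PROTECTED_BRANDS if b in name.lower()]
            if hits:
                findings.append(("impersonation", addon_id,
                                 f"name {name!r} matches protected brand {hits[0]!r}"))
        previous = baseline.get(addon_id)
        if previous is None:
            findings.append(("new-since-baseline", addon_id, f"v{version}"))
        elif previous != version:
            findings.append(("version-changed", addon_id, f"{previous} -> {version}"))
    for addon_id in baseline:
        if addon_id not in seen:
            findings.append(("removed-since-baseline", addon_id, ""))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_EXTENSIONS_JSON with the contents of <profile>/extensions.json.
    for kind, addon_id, detail in audit_extensions(
            load_extensions(SAMPLE_EXTENSIONS_JSON), ALLOWLIST, SAMPLE_BASELINE):
        print(f"{kind:24} {addon_id:45} {detail}")
```

The audit only reports; to enforce the allowlist, Firefox's enterprise policy `ExtensionSettings` (in `policies.json`) can block installation of every add-on ID not explicitly allowed, which removes the dependence on users judging reviews and logos.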