
Hackers Focus on Infiltrating Cryptocurrency Wallets of Firefox Users

Firefox users holding cryptocurrency are the focus of an ongoing attack campaign.

In a worrying development for cryptocurrency users, cybersecurity firm Koi Security has uncovered a large malicious campaign. Active since at least April 2025, it targets users of popular cryptocurrency wallets with more than 40 fake Firefox extensions impersonating well-known wallets such as MetaMask, Coinbase, Phantom, Trust Wallet, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.

The campaign continues to evolve, with new fake extensions uploaded to Mozilla's Firefox Add-ons store as recently as July 2025. The extensions mimic legitimate wallets by reusing real logos and branding and by carrying hundreds of fake five-star reviews, creating a false sense of trustworthiness. Many are trojanized builds of open-source wallet software: they keep the normal wallet functionality working while silently stealing sensitive data, so a victim sees nothing out of the ordinary.

Once installed, the fake extensions capture wallet credentials, including private keys and seed phrases, without the user's knowledge. The stolen data is sent to attacker-controlled servers, letting the criminals access and drain victims' wallets immediately. The extensions also collect each victim's external IP address, presumably for tracking or targeting.

Researchers suspect the campaign is run by a Russian-speaking threat group, based on Russian-language comments in the extension code and Russian metadata in a PDF file retrieved from one of the attackers' command-and-control servers.

Mozilla has acknowledged the threat and is working with security researchers to remove identified malicious extensions quickly and to improve its detection tooling. Users are advised to vet every extension before installing it and not to rely on branding or positive reviews alone, since both were copied from the genuine products here; to prefer mobile-only wallet apps, which are harder to impersonate; to review their installed Firefox extensions now and uninstall anything suspicious; and, if a suspect extension was installed, to treat any seed phrase or private key entered while it was present as compromised. A seed phrase cannot be rotated in place, so this means generating a fresh wallet and moving the funds to it.
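A practical way to do the "review your installed extensions" step is to read the profile's extensions.json directly rather than trusting the add-ons page, because that file records the add-on ID, version, install date, download source and granted permissions for everything installed. The script below is an added example written for this article; it is not tooling from Koi Security or Mozilla. It assumes the extensions.json layout current Firefox releases write (an "addons" array whose entries carry "id", "type", "location", "active", "version", "installDate", "sourceURI", "defaultLocale.name" and "userPermissions" with "permissions" and "origins" lists). It flags user-installed extensions that carry a wallet brand name, request access to every site, or hold clipboard/network-interception permissions, and prints the add-on ID so it can be compared with the ID the wallet vendor publishes. The embedded sample profile is constructed for the demo; its IDs, names and URLs are invented.

```python
"""Audit a Firefox profile's extensions.json for add-ons that warrant review."""
import glob
import json
import os
from datetime import datetime, timezone

# Wallet brands the campaign impersonated, per the article. A match is a prompt
# to verify the add-on ID against the vendor's own install page, not a verdict:
# the genuine extensions carry these names too.
WALLET_BRANDS = (
    "metamask", "coinbase", "phantom", "trust wallet", "exodus", "okx",
    "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox",
)
# Host patterns that let an extension's content scripts run on every page.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look in anything that touches key material.
SENSITIVE_PERMS = {"clipboardRead", "webRequest", "webRequestBlocking", "nativeMessaging"}


def audit_addons(extensions_json: str) -> list[dict]:
    """Return one finding per user-installed extension that warrants review."""
    data = json.loads(extensions_json)
    findings = []
    for addon in data.get("addons", []):
        # Skip themes, dictionaries and Firefox's own bundled add-ons.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        user_perms = addon.get("userPermissions") or {}
        perms = set(user_perms.get("permissions", []))
        origins = set(user_perms.get("origins", []))

        reasons = []
        if any(brand in name.lower() for brand in WALLET_BRANDS):
            reasons.append("wallet-branded name: confirm the add-on ID matches the vendor's published ID")
        if origins & BROAD_ORIGINS:
            reasons.append("content scripts can run on every site")
        if perms & SENSITIVE_PERMS:
            reasons.append("sensitive permissions: " + ", ".join(sorted(perms & SENSITIVE_PERMS)))
        if not reasons:
            continue

        installed_ms = addon.get("installDate") or 0
        findings.append({
            "id": addon.get("id"),
            "name": name,
            "version": addon.get("version"),
            "active": addon.get("active", False),
            "installed": datetime.fromtimestamp(installed_ms / 1000, tz=timezone.utc).isoformat(),
            "source": addon.get("sourceURI"),
            "reasons": reasons,
        })
    return findings


def find_extensions_json() -> list[str]:
    """Locate extensions.json in the usual Firefox profile directories."""
    home = os.path.expanduser("~")
    patterns = [
        os.path.join(home, ".mozilla", "firefox", "*", "extensions.json"),  # Linux
        os.path.join(home, "Library", "Application Support", "Firefox", "Profiles", "*", "extensions.json"),  # macOS
    ]
    if os.environ.get("APPDATA"):  # Windows
        patterns.append(os.path.join(os.environ["APPDATA"], "Mozilla", "Firefox", "Profiles", "*", "extensions.json"))
    return [path for pattern in patterns for path in glob.glob(pattern)]


# Constructed sample profile for the demo (IDs, names and URLs are invented).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 36,
    "addons": [
        {   # wallet-branded, runs everywhere, reads the clipboard: flagged
            "id": "wallet-helper@example.invalid", "type": "extension", "location": "app-profile",
            "active": True, "version": "1.0.3", "installDate": 1751328000000,
            "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/0/example.xpi",
            "defaultLocale": {"name": "MetaMask Wallet"},
            "userPermissions": {"permissions": ["storage", "clipboardRead"], "origins": ["<all_urls>"]},
        },
        {   # narrow permissions, no wallet branding: not flagged
            "id": "notes@example.invalid", "type": "extension", "location": "app-profile",
            "active": True, "version": "2.1", "installDate": 1735689600000, "sourceURI": None,
            "defaultLocale": {"name": "Quick Notes"},
            "userPermissions": {"permissions": ["storage"], "origins": []},
        },
        {   # bundled theme: skipped entirely
            "id": "default-theme@mozilla.org", "type": "theme", "location": "app-builtin",
            "active": True, "version": "1.3", "defaultLocale": {"name": "System theme"},
        },
    ],
})

if __name__ == "__main__":
    # Audit every local profile found; fall back to the constructed sample when none exists.
    sources = [(p, open(p, encoding="utf-8").read()) for p in find_extensions_json()]
    for path, text in sources or [("(constructed sample)", SAMPLE_EXTENSIONS_JSON)]:
        print(f"== {path}")
        for f in audit_addons(text):
            print(f"  {f['id']}  {f['name']!r} v{f['version']} active={f['active']} installed={f['installed']} source={f['source']}")
            for reason in f["reasons"]:
                print(f"    - {reason}")
```

Note that the campaign's extensions were served from addons.mozilla.org itself, so a sourceURI on that domain is not evidence of legitimacy; the useful signal is whether the add-on ID and version match what the wallet vendor links to from its own site. Quit Firefox before reading the file, since it is rewritten while the browser runs.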

This campaign underscores the need for vigilance and careful extension management in Firefox. Koi Security tied the extensions together through shared infrastructure and common tactics, techniques, and procedures (TTPs), including the reuse of ratings, reviews, and branding copied from the legitimate products. The report surfaces months after SlowMist detected a separate, possibly Russia-linked crypto phishing scam.


  1. A threat group, suspected to be Russian-speaking, targeted Firefox users with more than 40 fake extensions mimicking popular cryptocurrency wallets, including Ethereum Wallet and MetaMask, in a campaign traced by Koi Security.
  2. The activity, ongoing since at least April 2025, steals private keys and seed phrases and ships them to attacker-controlled servers, allowing victims' wallets to be drained immediately.
  3. The attackers built false trust by copying real logos, branding, and fake reviews from the legitimate wallets, underscoring the importance of vigilance and careful extension management for anyone handling cryptocurrency in Firefox.
