Nazia Saeed
- Over 40 malicious Firefox extensions mimic major crypto wallets to steal user credentials
- Attackers clone open-source code to inject malware while maintaining trust signals
- Russian-speaking threat actor suspected behind ongoing phishing operation
An ongoing phishing campaign has been uncovered that uses fake Firefox browser extensions to steal cryptocurrency wallet credentials, cybersecurity firm Koi Security revealed in a report published Wednesday. The campaign impersonates dozens of popular crypto wallet services and has reportedly been active since at least April.
Koi Security identified over 40 fake Firefox extensions tied to the scheme. These malicious add-ons mimic widely used crypto wallets such as MetaMask, Coinbase Wallet, Trust Wallet, Phantom, Exodus, OKX, MyMonero, and Bitget. Once installed, the extensions secretly extract wallet credentials from users and transmit the data to a remote server controlled by the attacker.
Malware uses deceptive design to evade detection
The report details how the attackers use deception to earn users’ trust. The fake extensions closely replicate the branding, names, and logos of legitimate services. Some even boasted hundreds of fake five-star reviews to appear authentic in Mozilla’s extension marketplace.
Newsletter
Get weekly updates on the newest crypto stories, case studies and tips right in your mailbox.
In many cases, the malicious extensions were built using open-source code from the official wallets they impersonated. The cloned applications were then modified with malicious scripts to siphon credentials, all while maintaining the look, feel, and core functionality of the originals.
This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection.
Signs point to Russian-speaking threat actor
While the attribution remains inconclusive, Koi Security reported evidence suggesting the campaign may be linked to a Russian-speaking cybercriminal group. Indicators include Russian-language code comments and metadata found in a PDF retrieved from a malware command-and-control (C2) server tied to the incident.
Multiple signals point to a Russian-speaking threat actor, though it stopped short of assigning blame to a specific group or entity. The firm emphasized that the attribution is tentative, pending further investigation.
Cybercriminal operations originating from Eastern Europe have been previously tied to large-scale phishing and malware campaigns in the crypto space, making this attribution plausible, if not definitive.
Koi security urges stronger extension hygiene
To mitigate the risks, Koi Security advised users to treat browser extensions with the same caution as any standalone software. Users are urged to only install extensions from verified publishers, employ whitelisting policies, and actively monitor for unexpected behavior or updates.
The report adds to growing concerns over the vulnerabilities in browser-based crypto tools, particularly as bad actors continue to exploit user trust and the open-source nature of many wallet applications.
Mozilla has not yet commented on the takedown status of the malicious extensions.
