40+ Fake Firefox Extensions Steal Crypto Wallets

Cybersecurity firm Koi Security uncovered a major malware campaign that exploits Mozilla Firefox browser extensions to steal cryptocurrency wallet credentials. According to the report released on Wednesday, threat actors deployed over 40 fake browser extensions that impersonated popular crypto wallet tools. These malicious extensions target users of Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget, and others.

Koi Security tied these extensions to an ongoing phishing and credential-harvesting operation. This campaign first surfaced in April 2025, and cybercriminals have continued to upload new malicious add-ons as recently as last week. The attackers lure unsuspecting users by mimicking legitimate browser extensions in branding, functionality, and user experience.


Attackers Mimic Trusted Wallets to Steal Credentials

Threat actors built these fake extensions to harvest sensitive data. Once installed, they extract wallet credentials directly from websites that users visit. The extensions then upload the stolen data to remote servers controlled by the attackers.

Koi Security’s analysts observed that the fake extensions copied official branding of real wallets. They used identical names, icons, and logos to create a deceptive appearance. To strengthen their disguise, the attackers also cloned open-source code from legitimate wallet providers. They inserted malicious functions into the cloned extensions without disrupting user functionality.

By preserving the look and feel of the real wallets, the malicious extensions reduced suspicion and maintained a smooth user experience. This low-effort but high-impact method allowed attackers to bypass early detection tools and avoid immediate scrutiny from end users.


Attackers Exploit Ratings and Reviews for Legitimacy

The cybercriminals didn’t rely on code alone. They infiltrated Firefox’s extension store with sophisticated social engineering. Koi Security discovered that many of the fake extensions featured dozens or even hundreds of fake five-star reviews. These reviews boosted the extensions’ credibility and visibility on the Firefox Add-ons platform.

In some cases, attackers used bot accounts to post identical reviews. They praised performance, ease of use, and claimed seamless wallet integration. The high review scores influenced users into believing the extensions came from trusted publishers.

Additionally, the attackers manipulated metadata and extension descriptions to mirror those of legitimate tools. By plagiarizing real documentation, they further disguised their software as genuine.


Active Since April 2025, the Campaign Still Continues

Koi Security traced the malware campaign back to April 2025. The group consistently uploaded new versions of malicious extensions every few weeks. Despite ongoing efforts by browser platforms and security researchers, the attackers continued to find new ways to bypass moderation.

As of early July, the campaign remains active. Some malicious extensions stayed live for days or even weeks, accumulating downloads before security teams took them down. Koi Security labeled this a sign of “ongoing and adaptive” behavior by the threat actors.

The firm emphasized that the campaign’s modular structure allows for fast redeployment. When one extension gets flagged or removed, the attackers quickly relaunch with modified code or under a new developer name. This persistence demonstrates a clear intent to operate long-term and maximize data theft.


Researchers Uncover Clues Pointing to Russian-Speaking Actor

While attribution remains inconclusive, Koi Security highlighted multiple indicators that point toward a Russian-speaking threat actor. Analysts identified Russian-language comments embedded in the JavaScript code used within several extensions. They also found metadata written in Russian inside a PDF file recovered from one of the malware’s command-and-control servers.

These linguistic clues suggest that a Russian-based or Russian-speaking group may operate the campaign. However, Koi Security refrained from making definitive claims about the actor’s origin. The firm warned that attackers often plant false indicators to mislead investigators, a tactic known as “false flagging.”

Despite these cautions, the evidence aligns with known behavior of Eastern European cybercriminal groups, many of whom have carried out cryptocurrency-related phishing operations in the past.


Impact on the Crypto Community

The malicious Firefox extensions pose a serious threat to cryptocurrency users. Digital wallets contain access to assets worth thousands—or even millions—of dollars. Once attackers steal private keys or recovery phrases, they can drain entire portfolios instantly.

Unlike traditional banking, crypto transactions remain irreversible and anonymous. Victims of wallet theft often lack avenues for recourse. Attackers transfer stolen funds through decentralized exchanges, privacy coins, or tumblers, making recovery nearly impossible.

Koi Security warned that the campaign likely resulted in undisclosed financial losses. Victims may not even realize that extensions triggered the compromise. Many users attribute wallet losses to phishing links or malware infections without suspecting browser plugins.


Mozilla Faces Pressure to Strengthen Extension Vetting

The discovery of over 40 malicious add-ons places Mozilla under scrutiny. As the platform host for Firefox extensions, Mozilla bears responsibility for vetting and reviewing submissions. Security researchers and industry leaders called for stricter moderation policies, especially around extensions handling sensitive data.

Koi Security recommended that Mozilla enforce developer verification, prioritize reviews for crypto-related tools, and deploy automated scanners to detect code injection or credential harvesting routines. While Mozilla already offers security review options for extensions, attackers appear to have bypassed current checks through clever manipulation.

The incident underscores a broader issue affecting browser ecosystems: third-party extensions remain a major attack vector. Without proactive detection systems, users will continue to fall prey to fraudulent plugins.


Koi Security Offers Recommendations for Protection

To minimize risk, Koi Security issued clear guidelines for browser users:

  1. Install extensions only from verified developers. Users should research the publisher and avoid tools with minimal history or inconsistent reviews.

  2. Avoid extensions mimicking major wallets. Users should navigate to official websites for wallet tools and follow the links provided there.

  3. Treat extensions as full software installations. Users must assess browser add-ons with the same scrutiny as desktop apps, especially if they interact with cryptocurrency wallets or payment platforms.

  4. Use allowlists and monitoring tools. System administrators can implement policies that block unknown or untrusted extensions in enterprise environments.

  5. Regularly audit installed extensions. Users should review their browser tools monthly, remove unused ones, and stay alert for suspicious updates or permissions.

Koi Security also urged wallet developers to monitor for clones and report impersonation promptly. Developers should consider building checksum verification or embedded authenticity checks to alert users of unauthorized duplicates.


The Road Ahead: Mitigating Browser-Level Threats

The campaign exploiting Firefox extensions highlights the need for robust cybersecurity frameworks in web browsing. As more users shift financial activities to browser environments, attackers will continue to exploit plugins, autofill tools, and form injectors.

Security experts must adapt by developing real-time monitoring, sandboxed browser environments, and strict plugin isolation. Platforms like Firefox and Chrome must enforce tighter controls on extensions that access user data.

In the crypto industry, security cannot remain optional. Wallet providers, exchanges, and users must recognize that even basic browsing behavior can lead to catastrophic losses. The fake extension campaign proves that even well-informed users can fall victim to cleverly designed traps.

As cybercriminals evolve, so must browser platforms, security companies, and crypto service providers. Awareness, education, and constant vigilance will define the line between safety and compromise in the digital world.
