Cybersecurity researchers have uncovered a significant threat targeting cryptocurrency users: more than 40 malicious browser extensions for Mozilla Firefox. These deceptive extensions are built to steal sensitive cryptocurrency wallet secrets, directly jeopardizing users’ digital assets. According to Yuval Ronen, a researcher at Koi Security, the rogue extensions impersonate legitimate wallet tools from widely used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox, giving the campaign broad reach among unsuspecting wallet users.
Large-Scale Campaign and Deceptive Tactics
This large-scale malicious campaign has reportedly been active since at least April 2025, with new extensions still being uploaded to the Firefox Add-ons store as recently as last week. To deceive users and create an illusion of authenticity, the threat actors artificially inflate the popularity of these extensions by adding hundreds of fake 5-star reviews. The fabricated reviews often far outnumber the actual active installations, a tactic intended to make the malicious add-ons look widely adopted and trustworthy so that users install them.
Cloning Legitimate Code for Malicious Purposes
Another tactic the threat actor uses to build trust is to pass the add-ons off as legitimate wallet tools by reusing the exact names and logos of popular cryptocurrency wallets. The attackers exploited the fact that some of the genuine extensions are open-source, which allowed them to clone the original source code. They then injected their own malicious functionality, designed to extract wallet keys and seed phrases from targeted websites and covertly exfiltrate this sensitive data to a remote server. The rogue extensions were also found to transmit the victims’ external IP addresses, adding another layer of data theft.
Stealthy Operation Evades Traditional Detection
Unlike typical phishing scams that rely on fake websites or deceptive emails, these malicious extensions operate directly inside the user’s browser. This in-browser operation makes them significantly harder to detect or block with traditional endpoint security tools, which are largely geared toward threats arriving from outside the browser. Yuval Ronen noted that this “low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection,” enabling the scams to persist for longer periods without raising alarms.
Russian-Speaking Threat Actor Suspected
Evidence gathered during the investigation points to a Russian-speaking threat actor group as responsible for this widespread malicious activity. Russian-language comments embedded in the extensions’ source code, together with metadata from a PDF file retrieved from the command-and-control (C2) server used in the campaign, strongly support this attribution. This linguistic and technical footprint provides useful intelligence for researchers tracking the origins and operations of such cybercriminal enterprises.
Mozilla’s Response and Early Detection Efforts
Following the discovery, all identified malicious add-ons, with the single exception of MyMonero Wallet, have since been taken down by Mozilla. In a proactive measure last month, the browser maker announced the development of an “early detection system.” This system is specifically designed to identify and block scam crypto wallet extensions before they can gain popularity among users and be exploited to steal assets by tricking individuals into entering their credentials, representing a significant step in enhancing browser security against such evolving threats.
Mitigating Risks: User Vigilance is Key
To mitigate the risks posed by such threats, users are strongly advised to exercise extreme caution when installing browser extensions. It is paramount to install extensions only from verified publishers, to vet them before installation, and to watch for add-ons that silently change their behavior after installation. This vigilance, combined with the efforts of browser developers and cybersecurity researchers, forms a crucial line of defense against the continuing evolution of crypto-related scams that use browser extensions as a stealthy attack vector.
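As an added defender-side example (not code from the article, Koi Security or Mozilla), the following script shows one way to catch the two patterns described above, a cloned extension carrying injected code and an add-on that silently changes behavior after installation: snapshot the manifest privileges and per-file hashes of a Firefox add-on’s .xpi archive at install time, then diff a later copy. The two archives are constructed inline for the demo; the manifest keys are standard WebExtension fields and the wallet.example host is a placeholder.

```python
"""Baseline-and-diff check for a Firefox add-on archive (.xpi = zip with manifest.json at root)."""
import hashlib
import io
import json
import zipfile


def snapshot_xpi(xpi_bytes):
    """Declared privileges from manifest.json plus a SHA-256 per packaged file."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        manifest = json.loads(z.read("manifest.json"))
        files = {n: hashlib.sha256(z.read(n)).hexdigest()
                 for n in sorted(z.namelist()) if not n.endswith("/")}
    # Match patterns of every content script: the pages whose DOM the add-on can read.
    matches = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    return {"permissions": sorted(manifest.get("permissions", [])),
            "host_permissions": sorted(manifest.get("host_permissions", [])),
            "content_matches": sorted(matches), "files": files}


def diff_snapshots(old, new):
    """Privilege widening and code changes between an install-time baseline and a later copy."""
    findings = [f"new {k}: {v}" for k in ("permissions", "host_permissions", "content_matches")
                for v in sorted(set(new[k]) - set(old[k]))]
    for path, digest in new["files"].items():
        if path not in old["files"]:
            findings.append(f"new file: {path}")
        elif old["files"][path] != digest:
            findings.append(f"modified file: {path}")
    findings += [f"removed file: {p}" for p in old["files"] if p not in new["files"]]
    return findings


def build_xpi(files):
    """Constructed sample archive; a real check reads the .xpi from the profile's extensions/ directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample: the update widens the content-script reach, adds a permission and ships a new script.
BASELINE = build_xpi({
    "manifest.json": json.dumps({"version": "1.0", "permissions": ["storage"], "content_scripts": [
        {"matches": ["https://wallet.example/*"], "js": ["inject.js"]}]}),
    "inject.js": "console.log('wallet helper');"})
UPDATED = build_xpi({
    "manifest.json": json.dumps({"version": "1.1", "permissions": ["storage", "tabs"], "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["inject.js", "collect.js"]}]}),
    "inject.js": "console.log('wallet helper');",
    "collect.js": "// placeholder: the script the baseline never shipped"})
FINDINGS = diff_snapshots(snapshot_xpi(BASELINE), snapshot_xpi(UPDATED))
```

Any finding is worth a look, but a content-script match that jumps from a single wallet site to `<all_urls>` together with a file the baseline never shipped is exactly the shape of change the campaign relied on.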