Cybersecurity researchers have discovered over 40 malicious browser extensions from Mozilla Firefox, designed to steal cryptocurrency wallet secrets and put users’ digital assets at risk.
“These extensions impersonate legal wallet tools from widely used platforms such as Coinbase, Metamask, Trust Wallet, Phantom, Exodus, OKX, Keplr, Mymonero, Bitget, Leap, Ethereum Wallet, and Filfox.”
The massive campaign is said to have been ongoing since at least April 2025, with the new extension being uploaded to the Firefox Add-on Store as last week.
The identified extensions are known to artificially inflate popularity, adding 5-star reviews, far more than the total number of active installs. This strategy has been adopted to give them an illusion of credibility, making them appear to be widely adopted and installing unsuspecting users.
Another tactic adopted by threat actors to strengthen their trust involves passing these add-ons as legal wallet tools using the same name and logo.
The fact that some of the actual extensions were open source allowed attackers to clone the source code, extract wallet keys and seed phrases from targeted websites, and inject their own malicious features to extract them to remote servers. It has also been discovered that fraudulent extensions send the victim’s external IP address.
Unlike typical phishing scams that rely on fake websites and emails, these extensions work within the user’s browser. It’s much more difficult to detect or block with traditional endpoint tools.
“This low-efficiency, impactful approach allowed actors to maintain the expected user experience while reducing the likelihood of immediate detection,” Lonen said.
The presence of Russian comments in the source code and the metadata retrieved from PDF files retrieved from the Command and Control (C2) server used for the activity points to the Russian-speaking threat actor group.
All identified add-ons except for the Mymonero wallet were subsequently defeated by Mozilla. Last month, browser makers said they developed an “early detection system” to detect and block fraudulent Crypto wallet extensions before gaining popularity among users, and that it will be used to allow users to enter their qualifications and steal users’ assets.
To mitigate the risk poses of such threats, we recommend that you install extensions only from verified publishers and avoid quietly changing their post-installation behavior.
Source link
