
40+ Firefox Extensions Stealing Cryptocurrency from Users

 

Malicious Extensions

Cybersecurity researchers uncovered over 40 malicious browser extensions for Mozilla Firefox, all designed to steal cryptocurrency wallet secrets and put users’ digital assets at serious risk.

Koi Security researcher Yuval Ronen explained, “These extensions impersonate legitimate wallet tools from widely used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.”

Notably, the large-scale campaign has operated since at least April 2025. In fact, new extensions appeared in the Firefox Add-ons store as recently as last week.

To manipulate perception, the operators of these extensions artificially inflated their popularity. They added hundreds of five-star reviews, far exceeding the number of actual active installations, in order to create a false sense of legitimacy and lure unsuspecting users.

Moreover, the threat actor strengthened trust by naming and branding the add-ons identically to authentic wallet tools, complete with matching logos.

Because some of the original extensions were open-source, the attackers cloned the source code, injected malicious functionality, and used it to extract wallet keys and seed phrases from targeted websites. They then exfiltrated this sensitive data to a remote server. Additionally, the rogue extensions transmitted the victims’ external IP addresses.

Unlike typical phishing scams that rely on fake websites or deceptive emails, these extensions operate directly within the user’s browser. As a result, they are far more difficult to detect or block with traditional endpoint security tools.

Ronen emphasized, “This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection.”

Furthermore, Russian-language comments in the source code—as well as metadata from a PDF file retrieved from the command-and-control (C2) server—indicate the involvement of a Russian-speaking threat actor group.

Conclusion

Mozilla has since removed all the identified add-ons except for the MyMonero Wallet. Last month, the browser developer introduced an “early detection system” aimed at identifying and blocking scam crypto wallet extensions before they gain traction and trick users into entering their credentials.

To stay protected against these threats, users should only install extensions from verified publishers and thoroughly vet them to ensure they don’t change behavior after installation.
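The two signals described above (wallet branding on a listing from an unverified publisher, and five-star reviews outnumbering active installations) can be checked over an add-on inventory. The following is an added example, not code from Koi Security or Mozilla; the `Addon` fields, the `VERIFIED_IDS` allowlist, and every add-on ID and count in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Wallet brands the article lists as impersonated.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "exodus",
                 "okx", "keplr", "mymonero", "bitget", "leap",
                 "ethereum wallet", "filfox")

# ASSUMPTION: add-on IDs your team has confirmed belong to the genuine
# publisher. The ID below is a placeholder, not a real add-on ID.
VERIFIED_IDS = {"metamask": {"verified-metamask@example.invalid"}}

@dataclass(frozen=True)
class Addon:
    addon_id: str
    name: str
    active_installs: int
    five_star_reviews: int

def claimed_brand(name):
    """Return the wallet brand a listing name claims, or None."""
    normalized = " ".join(name.lower().split())
    for brand in WALLET_BRANDS:
        # Whole-word match so "Leapfrog" is not read as "Leap".
        if re.search(rf"\b{re.escape(brand)}\b", normalized):
            return brand
    return None

def triage(addon):
    """Return finding codes for one add-on; an empty list means no signal."""
    findings = []
    brand = claimed_brand(addon.name)
    if brand and addon.addon_id not in VERIFIED_IDS.get(brand, set()):
        findings.append(f"unverified-brand:{brand}")
    if addon.five_star_reviews > addon.active_installs:
        findings.append("reviews-exceed-installs")
    return findings

# Constructed sample inventory (not real listings or real numbers).
INVENTORY = [
    Addon("verified-metamask@example.invalid", "MetaMask", 400000, 900),
    Addon("wallet-helper@example.invalid", "MetaMask  Wallet", 40, 305),
    Addon("dark-theme@example.invalid", "Leapfrog Dark Theme", 5000, 20),
]

def report(inventory):
    """Map add-on ID to findings, for add-ons with at least one finding."""
    return {a.addon_id: f for a in inventory if (f := triage(a))}

if __name__ == "__main__":
    for addon_id, findings in report(INVENTORY).items():
        print(addon_id, findings)
```

A hit is a prompt for manual review of the listing and its publisher, not proof of malice; a clean result says nothing about what the extension's code does after installation.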

 


Source: TheHackerNews
