Quick Takeaways
- Malicious Campaign Uncovered: Koi Security has identified a vast campaign with over 40 fake Firefox extensions impersonating popular crypto wallets like Coinbase and MetaMask, designed to steal user credentials.
- Ongoing Threat: Active since April 2025, the campaign continues to evolve with new fraudulent extensions appearing recently, exploiting trusted branding and misleading reviews to attract unsuspecting users.
- Advanced Techniques: Attackers use tactics like cloning legitimate extensions and embedding malicious code to ensure seamless user experience while quietly harvesting wallet information and tracking victims.
- Possible Russian Connection: Investigations reveal clues pointing to a Russian-speaking threat group, including Russian-language coding elements, raising concerns about the origins and scale of the operation.
Hackers Target Crypto Users on Firefox with Fake Extensions
Cybersecurity firm Koi Security recently discovered a widespread campaign targeting cryptocurrency users who use Firefox. This operation employs over 40 counterfeit extensions masquerading as popular crypto wallet tools, such as Coinbase, MetaMask, and Trust Wallet.
Once installed, these fake extensions quietly steal users’ wallet credentials and send them to the attackers, putting user funds at immediate risk.
Koi Security revealed that the campaign has been active since April 2025. Moreover, new fraudulent uploads appeared as recently as last week. This indicates that the attackers continuously adapt their strategies to evade detection.
The malicious extensions trick users by copying the branding and reviews of legitimate tools. As a result, they appear reliable, leading more individuals to download them. Many of these extensions boasted hundreds of fake positive reviews, bolstering their deceptive reputations.
In some instances, attackers cloned genuine open-source wallets. They embedded harmful code while ensuring the extensions maintained normal functionality. This clever tactic allowed for credential theft without raising alarms.
Koi Security’s investigation traced the campaign’s tactics and revealed a coordinated effort focused on stealing credentials and tracking users in the crypto landscape. The firm has urged Firefox users to check their installed extensions immediately and uninstall anything suspicious. Additionally, users should rotate their wallet credentials as a precaution.
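Part of the check recommended above can be scripted. The following is an added example, not code from Koi Security or Mozilla: it reads a Firefox profile's extensions.json and lists installed extensions whose display name mentions one of the wallet brands named in this article, so each can be compared against the vendor's official listing. The field names (addons, type, defaultLocale.name, id, active) are assumed from that file's layout, and the add-on IDs in the sample are constructed.

```python
import json
import re
from pathlib import Path

# Brands this article names as impersonated; extend as needed.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet")

def wallet_like_addons(extensions_json, trusted_ids=frozenset()):
    """List installed extensions whose display name mentions a wallet brand.

    extensions_json: parsed extensions.json (field names are an assumption).
    trusted_ids: add-on IDs already verified against the vendor's own site.
    """
    findings = []
    for addon in extensions_json.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are skipped
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        # Strip punctuation and spaces so "Trust-Wallet" still matches.
        squashed = re.sub(r"[^a-z0-9]", "", name.lower())
        brand = next((b for b in WALLET_BRANDS
                      if b.replace(" ", "") in squashed), None)
        if brand is None:
            continue
        findings.append({"id": addon.get("id"), "name": name, "brand": brand,
                         "active": bool(addon.get("active")),
                         "verified": addon.get("id") in trusted_ids})
    return findings

def audit_profile(profile_dir, trusted_ids=frozenset()):
    """Load extensions.json from a Firefox profile directory and audit it."""
    with (Path(profile_dir) / "extensions.json").open(encoding="utf-8") as fh:
        return wallet_like_addons(json.load(fh), trusted_ids)

# Constructed sample data; these are not real add-on IDs.
SAMPLE = {"addons": [
    {"id": "wallet-a@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet"}},
    {"id": "wallet-b@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Trust-Wallet Pro"}},
    {"id": "theme@example.invalid", "type": "theme", "active": True,
     "defaultLocale": {"name": "Coinbase Dark"}},
    {"id": "notes@example.invalid", "type": "extension", "active": False,
     "defaultLocale": {"name": "Quick Notes"}},
]}

if __name__ == "__main__":
    for f in wallet_like_addons(SAMPLE, {"wallet-a@example.invalid"}):
        status = "verified" if f["verified"] else "REVIEW"
        print(f"{status:8} {f['name']} ({f['id']}) active={f['active']}")
```

A name match only means the extension claims a wallet brand; anything not marked verified still has to be checked by hand against the wallet vendor's own download link.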
Koi Security is working with Mozilla to remove these malicious extensions and monitor for new threats.
Interestingly, evidence hints at a Russian-speaking threat group being behind this campaign. Koi Security found Russian-language notes in the extensions’ code, suggesting the operation may involve Russian-speaking actors. This adds another layer of concern for users.
As this campaign unfolds, it highlights the importance of cybersecurity awareness in the rapidly evolving cryptocurrency sector. Users must remain vigilant and verify the authenticity of tools they use.
Disclaimer
This content is for informational and entertainment purposes only and does not constitute financial or investment advice. Cryptocurrency is highly speculative and carries significant risk, including the potential loss of your entire investment. Do not make financial decisions based on this information. Consult a licensed financial advisor before investing. This site does not offer, sell, or advise on cryptocurrency, securities or other regulated financial products in compliance with SEC and applicable laws. Please do your own research and seek professional advice.