Cybersecurity researchers have uncovered over forty malicious browser extensions that have been created for Mozilla Firefox. These specific browser extensions are designed to steal cryptocurrency wallet secrets, putting many users’ digital assets at risk. The extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, and Trust Wallet. This large-scale campaign is said to have been ongoing since at least April 2025, with new malicious extensions uploaded. New extensions were uploaded to the Firefox Add-ons store as recently as last week, indicating an ongoing threat.
The identified extensions have been found to artificially inflate their popularity by adding hundreds of fake five-star reviews. These reviews go far beyond the total number of the active installations for the browser extensions. This strategy is employed to give them an illusion of authenticity, making them seem widely adopted by users. Another tactic adopted by the threat actor is to pass off these add-ons as legitimate wallet tools. They use the same names and logos as the real extensions to trick unsuspecting users into installing them.
The attackers injected their own malicious functionality to extract wallet keys and important seed phrases from websites.
They then exfiltrate this stolen data to a remote command-and-control server that is operated by the threat actors. The rogue extensions have also been found to transmit the victims’ external IP addresses back to the attackers. Unlike typical phishing scams, these extensions operate directly inside the user’s browser, making them harder to detect. The presence of Russian language comments in the source code points to a Russian-speaking threat actor group.
All of the identified malicious add-ons have since been taken down from the store by Mozilla.
Last month, the browser maker said it has developed an “early detection system” to block these scam extensions. This system is designed to detect and block scam crypto wallet extensions before they can gain much popularity. To mitigate the risk posed by such threats, it’s advised to install extensions only from verified publishers. Users should also vet extensions to ensure that they don’t silently change their behavior after being installed.
Reference:
