Malicious Firefox Wallet Extensions Target Crypto Users in Ongoing Campaign
Published at: 2025-07-03 17:29
Security researchers from Koi have uncovered an active campaign distributing fraudulent wallet extensions through Firefox's official add-on marketplace. These malicious applications impersonate popular cryptocurrency wallets like MetaMask, Coinbase Wallet, and Trust Wallet, compromising users' private keys and leaving their funds vulnerable to theft.
The SlowMist security team has also issued warnings about this ongoing attack, noting that while some fake extensions have been removed, others remain active on the platform. According to their investigation, over 40 counterfeit extensions are currently impersonating major wallet providers including Phantom, OKX, Exodus, and Keplr.
Analysis reveals attackers are cloning open-source wallet code (such as MetaMask's) and injecting malicious scripts. These fake extensions not only steal wallet credentials but also transmit users' IP addresses to attacker-controlled servers for potential future targeting. Security experts have traced technical evidence suggesting Russian involvement in the campaign.
The fraudulent extensions first appeared in April 2025 and continue to evolve, with new variants emerging. They're particularly dangerous due to their distribution through Firefox's official channels and use of authentic-looking branding. Security teams recommend users:
1. Only download wallet apps from official websites
2. Be skeptical of extensions with suspiciously perfect ratings
3. Implement allow-list filtering for added protection
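The allow-list recommendation can be checked on an endpoint. The following is an added example, not code from Koi, SlowMist or the original article: it audits the contents of a Firefox profile's `extensions.json` against an allow-list and escalates unlisted add-ons whose name uses one of the wallet brands mentioned above. The add-on IDs, the sample data and the function name are constructed for illustration, and the field layout (`addons`, `id`, `type`, `defaultLocale.name`) is an assumption about Firefox's profile format.

```python
import json

# Wallet brands the article says are being impersonated.
WALLET_BRANDS = ("metamask", "coinbase", "trust wallet", "phantom",
                 "okx", "exodus", "keplr")

# Constructed allow-list: IDs of add-ons verified against the vendor's
# official website. These are placeholders, not real add-on IDs.
ALLOWED_IDS = {"wallet-official@example.invalid", "adblock@example.invalid"}

# Constructed sample in the assumed shape of a profile's extensions.json.
SAMPLE_EXTENSIONS_JSON = """
{"addons": [
  {"id": "wallet-official@example.invalid", "type": "extension",
   "active": true, "defaultLocale": {"name": "MetaMask"}},
  {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
   "active": true, "defaultLocale": {"name": "Phantom Wallet"}},
  {"id": "notes@example.invalid", "type": "extension",
   "active": true, "defaultLocale": {"name": "Quick Notes"}},
  {"id": "theme@example.invalid", "type": "theme",
   "active": true, "defaultLocale": {"name": "Dark Theme"}}
]}
"""

def audit_extensions(raw_json, allowed_ids=ALLOWED_IDS):
    """Return (addon_id, name, severity) for each extension not on the allow-list."""
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries and language packs
        addon_id = addon.get("id", "")
        if addon_id in allowed_ids:
            continue  # explicitly approved add-on
        name = (addon.get("defaultLocale") or {}).get("name", "")
        # An unlisted add-on that carries a wallet brand name is the pattern
        # this campaign relies on, so it is escalated above a plain review.
        branded = any(brand in name.lower() for brand in WALLET_BRANDS)
        findings.append((addon_id, name, "high" if branded else "review"))
    return findings

if __name__ == "__main__":
    for addon_id, name, severity in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"[{severity}] {name!r} ({addon_id}) is not on the allow-list")
```

A brand match on the name alone is only a triage signal; the allow-list of verified IDs is what decides whether an add-on is accepted.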
This discovery comes amid increasing crypto-related cyber threats in 2025, including attacks linked to North Korean hacking groups.