Koi Security Exposes Over 40 Malicious Firefox Extensions Targeting Crypto Wallets
Published at:2025年07月03日 18:25
Views:506
Cybersecurity experts at Koi Security have identified a sophisticated operation involving more than 40 fraudulent Firefox extensions crafted to compromise cryptocurrency wallets. These malicious plugins impersonate legitimate wallet services from major platforms such as Coinbase, MetaMask, Trust Wallet, and other prominent providers.
The campaign, active since at least April 2025, continues to evolve with new fraudulent extensions being uploaded weekly to the Firefox Add-ons store. These fake plugins operate by stealthily harvesting wallet credentials from visited websites and transmitting them to attackers' servers.
Notably, OKX had previously warned users in January about counterfeit OKX Wallet extensions, clarifying that the exchange had never authorized any Firefox plugins. The company filed takedown requests with Mozilla while advising affected users to immediately secure their assets.
The attackers employed advanced social engineering tactics, including fabricated 5-star reviews and pixel-perfect imitation of legitimate wallet interfaces, to deceive users. By cloning authentic open-source wallet codebases and inserting malicious components, the attackers maintained functional interfaces while secretly siphoning sensitive data.
This threat emerges amid a broader landscape of crypto-related security risks. Recent incidents include a $7 million theft through counterfeit hardware wallets sold via Douyin (China's TikTok) and malware-infected Ledger Live clones affecting macOS users. Physical 'wrench attacks' against crypto holders have also seen a global resurgence.
According to CertiK's mid-2025 report, the cryptocurrency industry has suffered over $2.2 billion in losses from security breaches this year alone, with wallet-related incidents accounting for $1.7 billion across just 34 attacks.
The campaign, active since at least April 2025, continues to evolve with new fraudulent extensions being uploaded weekly to the Firefox Add-ons store. These fake plugins operate by stealthily harvesting wallet credentials from visited websites and transmitting them to attackers' servers.
Notably, OKX had previously warned users in January about counterfeit OKX Wallet extensions, clarifying that the exchange had never authorized any Firefox plugins. The company filed takedown requests with Mozilla while advising affected users to immediately secure their assets.
The attackers employed advanced social engineering tactics, including fabricated 5-star reviews and pixel-perfect imitation of legitimate wallet interfaces, to deceive users. By cloning authentic open-source wallet codebases and inserting malicious components, the attackers maintained functional interfaces while secretly siphoning sensitive data.
This threat emerges amid a broader landscape of crypto-related security risks. Recent incidents include a $7 million theft through counterfeit hardware wallets sold via Douyin (China's TikTok) and malware-infected Ledger Live clones affecting macOS users. Physical 'wrench attacks' against crypto holders have also seen a global resurgence.
According to CertiK's mid-2025 report, the cryptocurrency industry has suffered over $2.2 billion in losses from security breaches this year alone, with wallet-related incidents accounting for $1.7 billion across just 34 attacks.
Related Tags
crypto security
wallet extensions
phishing attacks
blockchain threats
cybersecurity