Fake Firefox Extensions Impersonate MetaMask, Coinbase to Steal Cryptocurrency
Published at: 3 July 2025, 18:30
Cybersecurity researchers from Koi Security have identified more than 40 malicious Firefox browser extensions designed to steal cryptocurrency wallet credentials by mimicking popular platforms such as MetaMask, Coinbase, and OKX. This sophisticated campaign, active since April 2025, exploits vulnerabilities in Mozilla's extension vetting process, allowing the fake plugins to remain available on the official Add-ons store.
These fraudulent extensions employ deceptive tactics by replicating legitimate wallet interfaces with high precision - copying names, logos, and even source code from open-source projects while secretly injecting malicious functionality. The targeted brands include major cryptocurrency platforms like Trust Wallet, Phantom, Exodus, and others.
According to Koi Security's report, the malware operates stealthily after installation, harvesting wallet credentials and transmitting them to attacker-controlled servers. The extensions also collect users' IP addresses, potentially for additional attack profiling. To increase downloads, perpetrators manipulate the Firefox store's rating system with hundreds of fake five-star reviews.
Evidence suggests the operation may originate from Russian-speaking threat actors, based on code artifacts and server metadata analysis. The campaign demonstrates concerning persistence, with new variants continuing to emerge despite removal efforts through June 2025.
This incident highlights the growing threat of browser-based attacks as cryptocurrency adoption increases. Unlike traditional phishing, these malicious extensions bypass conventional security measures by operating with elevated browser permissions, often going undetected until significant damage occurs.
The tactic mirrors previous incidents across different browsers, including compromised Chrome extensions used for wallet draining. Security experts warn users to exercise extreme caution when installing any financial browser extensions and to verify authenticity through official channels only.
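The two signals the article describes, a brand-name lookalike and elevated browser permissions, can be turned into a simple audit of installed add-ons. The following is an added example, not code from Koi Security or from the article: it parses Firefox manifest.json documents and flags add-ons whose name matches one of the wallet brands named above but whose gecko ID is not on a verified allowlist, or which request broad permissions. The allowlist entry and both sample manifests are constructed placeholders, not real add-on IDs.

```python
import json

# Wallet brands the article names as impersonation targets.
WALLET_BRANDS = ("metamask", "coinbase", "okx", "trust wallet", "phantom", "exodus")

# Permissions that let an add-on read or relay data from arbitrary pages; in a
# brand-named wallet add-on they are a review signal, not proof of malice.
BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "webRequest", "webRequestBlocking",
                     "cookies", "clipboardRead", "tabs", "history", "nativeMessaging"}

# Hypothetical allowlist: brand -> add-on IDs verified via the vendor's official
# channel. The value below is a placeholder, not a real MetaMask ID.
OFFICIAL_IDS = {"metamask": {"placeholder-official-metamask@example.invalid"}}


def audit_manifest(manifest: dict, official_ids: dict = OFFICIAL_IDS) -> list:
    """Return findings for one parsed manifest.json (empty list = nothing flagged)."""
    findings = []
    name = manifest.get("name", "").lower()
    brand = next((b for b in WALLET_BRANDS if b in name), None)
    if brand is None:
        return findings  # not a wallet lookalike; out of scope for this check
    ext_id = manifest.get("browser_specific_settings", {}).get("gecko", {}).get("id")
    if ext_id not in official_ids.get(brand, set()):
        findings.append(f"name mimics '{brand}' but id {ext_id!r} is not a verified official id")
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = sorted(perms & BROAD_PERMISSIONS)
    if broad:
        findings.append("requests broad permissions: " + ", ".join(broad))
    return findings


def audit_manifests(manifest_jsons: list) -> dict:
    """Audit several manifest.json documents given as JSON strings, keyed by add-on name."""
    parsed = [json.loads(m) for m in manifest_jsons]
    return {m["name"]: audit_manifest(m) for m in parsed}


# Constructed sample manifests (not taken from any real add-on).
LOOKALIKE = json.dumps({
    "manifest_version": 2, "name": "MetaMask Wallet", "version": "1.0",
    "permissions": ["storage", "<all_urls>", "webRequest", "clipboardRead"],
    "browser_specific_settings": {"gecko": {"id": "totally-not-metamask@example.invalid"}},
})
VERIFIED = json.dumps({
    "manifest_version": 2, "name": "MetaMask", "version": "1.0", "permissions": ["storage"],
    "browser_specific_settings": {"gecko": {"id": "placeholder-official-metamask@example.invalid"}},
})
```

On a real profile you would feed it the manifest.json from each .xpi in the profile's extensions directory, after populating the allowlist from the vendor's official listing.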