Alert: More than 40 fake Firefox extensions steal your cryptocurrencies
Users of dozens of popular cryptocurrency wallet applications such as MetaMask, Exodus, Phantom, Coinbase and others are targeted in this campaign, which relies on malicious Firefox extensions.
***
- More than 40 malicious Firefox extensions pose as legitimate cryptocurrency wallets.
- The fake extensions steal credentials for wallets such as MetaMask, Coinbase and Trust Wallet.
- The campaign, active since April 2025, is still ongoing and uses elaborate impersonation tactics and fake reviews.
- Install only verified extensions and monitor updates continuously.
Cryptocurrency enthusiasts who use Firefox should take note: a new report from Koi Security has uncovered one of the most alarming cyberattack campaigns against digital asset users, carried out through fake Firefox extensions.
According to Koi Security analysts, at least 40 malicious extensions have been detected impersonating widely used wallets such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Ethereum Wallet and others.
The extensions are presented as legitimate applications, copying the names, images and functionality of the official versions, and even carrying seemingly positive user reviews. Their real purpose: to silently steal users' cryptocurrency wallet credentials and send them to servers controlled by the attackers.
The threat is not a thing of the past: the campaign remains active, with new extensions published as recently as last week, according to the report. "So far, we have been able to link more than 40 different extensions to this campaign, which is still ongoing and very much alive," the researchers warned in a post on Wednesday.
Massive Firefox campaign to steal cryptocurrencies
The campaign, active since at least April, extracts wallet credentials directly from targeted websites and uploads them to a remote server controlled by the attacker, according to the report.
Not content with that, the malicious actors also transmit the victim's external IP address, probably for tracking or targeting purposes, the post adds.
One of the alarming aspects is the trust the cybercriminals built around their fake extensions by exploiting the usual markers of legitimacy: brand imagery, names and logos identical to the real ones and, above all, reputation manipulation through the mass creation of fake ratings and reviews.
Several of the malicious extensions had hundreds of five-star reviews, a trick that, combined with names and logos identical to the real ones, increases the likelihood that unsuspecting users trust and download the wrong add-on.
In addition, the actors appear to have taken advantage of the fact that many of the wallets are open source. By cloning that code and inserting their own malicious logic into it, they managed to create extensions almost identical to the authentic ones, which even behaved as expected while secretly stealing users' confidential data.
Signs point to Russian-speaking hackers
As for those responsible for the campaign, although full attribution is not an easy task, Koi Security's investigation found multiple indications suggesting the involvement of a Russian-speaking actor or group.
Among the clues: Russian-language comments inserted in the extensions' code, and metadata in a PDF file recovered from one of the command-and-control servers used to coordinate the operation.
Security alerts and recommendations
By taking advantage of platforms such as the Firefox add-ons store, the campaign has evaded security measures by replicating the user experience and keeping pace with legitimate software updates, making immediate detection difficult.
Koi Security's investigation included a detailed list of the extensions and domains used in the campaign, with variants named "Bitget", "Coinbasewallet", "Eth-Wallet", "Filfox-Wallet", "Keplr-Wallet", "Leap-Wallet", "Metamask", "Mew-Wallet-Ethereum-Defi-Web3", "Official-Metamask", "OKX-Wallet-Extension", "Phantom-Wallet-Extension" and "Trust-Wallet-Mozilla-ADD", among many others.
Given the persistence and sophistication of the campaign, the team has recommended installing extensions only from verified publishers and maintaining a critical attitude even in the face of numerous positive reviews, to minimise the risk. It also advised treating extensions as full software assets, reviewing their permissions and monitoring for unexpected behaviour or updates.
So far, the operation seems to have slipped past existing monitoring systems, dealing a serious blow to trust in the open-source extension ecosystem linked to cryptocurrencies. No information has been provided on the scope of the campaign in terms of victim count or the amount of cryptocurrency stolen.
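The recommendations above (install only from verified publishers, treat extensions as software assets, review permissions, watch for unexpected updates) can be turned into a routine inventory check. The script below is an added example and is not code from the Koi Security report or from Diariobitcoin. It assumes the layout of Firefox's per-profile `extensions.json` file (an `addons` list whose entries carry `id`, `type`, `defaultLocale.name`, `signedState`, `sourceURI` and `userPermissions`), assumes a `signedState` of 2 or more means the add-on is signed, and uses a constructed approved-ID list and a constructed sample profile; the extension IDs and hosts ending in `example.invalid` are placeholders. It flags installed extensions whose name resembles one of the wallet brands named in the article but whose ID is not on the organisation's approved list, as well as unsigned add-ons, add-ons installed from outside addons.mozilla.org, and add-ons that can read every site.

```python
"""Audit a Firefox profile's extensions.json for wallet look-alike add-ons.

Added example (not from the report). Assumes the extensions.json layout named
in the lead-in; APPROVED_IDS and SAMPLE_PROFILE are constructed placeholders.
"""
import json
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Wallet brands the article says were impersonated.
WALLET_BRANDS = ("metamask", "coinbase", "trust wallet", "phantom", "exodus",
                 "okx", "bitget", "keplr", "leap wallet", "mew wallet")
# Constructed allow-list: extension IDs your organisation has verified.
APPROVED_IDS = {"metamask-verified@example.invalid"}
OFFICIAL_STORE_HOST = "addons.mozilla.org"
SIGNED_STATE_SIGNED = 2  # assumption: Firefox's value for a store-signed add-on


def _norm(text):
    """Lower-case and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def impersonated_brand(name, threshold=0.8):
    """Return the wallet brand a name resembles (substring or fuzzy match), else None."""
    n = _norm(name)
    for brand in WALLET_BRANDS:
        b = _norm(brand)
        if b in n or SequenceMatcher(None, b, n).ratio() >= threshold:
            return brand
    return None


def audit_addons(profile):
    """Return one finding per installed extension that fails a check."""
    findings = []
    for addon in profile.get("addons", []):
        if addon.get("type") != "extension":
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        issues = []
        brand = impersonated_brand(name)
        if brand and addon.get("id") not in APPROVED_IDS:
            issues.append(f"looks like {brand} but id is not on the approved list")
        if addon.get("signedState", 0) < SIGNED_STATE_SIGNED:
            issues.append("not signed by the add-on store")
        host = urlparse(addon.get("sourceURI") or "").hostname
        if host != OFFICIAL_STORE_HOST:
            issues.append(f"installed from {host or 'unknown source'}, not {OFFICIAL_STORE_HOST}")
        if "<all_urls>" in addon.get("userPermissions", {}).get("origins", []):
            issues.append("can read and modify every site (<all_urls>)")
        if issues:
            findings.append({"id": addon.get("id"), "name": name, "issues": issues})
    return findings


def audit_profile_file(path):
    """Audit a real profile: open <profile dir>/extensions.json."""
    with open(path, encoding="utf-8") as fh:
        return audit_addons(json.load(fh))


# Constructed sample: one approved wallet, one look-alike with broad permissions,
# one unsigned look-alike sideloaded from a non-store host.
SAMPLE_PROFILE = """{"addons": [
 {"id": "metamask-verified@example.invalid", "type": "extension", "signedState": 2,
  "defaultLocale": {"name": "MetaMask"},
  "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/a.xpi",
  "userPermissions": {"permissions": ["storage"], "origins": ["https://app.example.invalid/*"]}},
 {"id": "official-metamask@example.invalid", "type": "extension", "signedState": 2,
  "defaultLocale": {"name": "Official-Metamask"},
  "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/b.xpi",
  "userPermissions": {"permissions": ["storage", "webRequest"], "origins": ["<all_urls>"]}},
 {"id": "trustwallet-mozilla-add@example.invalid", "type": "extension", "signedState": 0,
  "defaultLocale": {"name": "Trust-Wallet-Mozilla-ADD"},
  "sourceURI": "https://cdn.example.invalid/tw.xpi",
  "userPermissions": {"permissions": ["storage"], "origins": ["https://*/*"]}}
]}"""


def audit_sample():
    """Run the audit over the constructed sample profile."""
    return audit_addons(json.loads(SAMPLE_PROFILE))


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['id']} ({finding['name']}):")
        for issue in finding["issues"]:
            print(f"  - {issue}")
```

Run it periodically against each user's profile (`audit_profile_file("/path/to/profile/extensions.json")`) and diff the output between runs: a new finding, or a previously clean extension that suddenly changes its source host or permission set, is exactly the "unexpected update" the report advises watching for. The fuzzy match catches misspelled variants such as "Metamk" as well as names that merely embed the brand.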
Article written with the help of AI, by Hannah Estefanía Pérez / Diariobitcoin
Image generated with AI, under free use license
