
More than 40 counterfeit browser extensions designed for Mozilla Firefox have been linked to a persistent phishing campaign targeting cryptocurrency users, according to a report released Wednesday by cybersecurity firm Koi Security.
These malicious extensions impersonate widely used crypto wallets—including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, and Bitget—with the sole purpose of stealing users’ wallet credentials. Once installed, the extensions extract sensitive authentication data from targeted websites and transfer it to remote servers under the attacker’s control.
“So far, we were able to link over 40 different extensions to this campaign, which is still ongoing and very much alive,” Koi Security reported.
The operation has been active since at least April and remains underway; the most recent extensions were uploaded just last week, indicating that the threat actor is still actively publishing new ones.
Social Engineering at Scale
Koi Security noted that the campaign employs convincing user interface designs, authentic-looking logos, and cloned functionalities from legitimate wallet providers. In several instances, attackers reused open-source code from official extensions, embedding malicious components to mimic the original user experience while quietly compromising security.
One particularly deceptive extension garnered hundreds of fabricated five-star reviews, a tactic aimed at reinforcing credibility and luring unsuspecting users.
“This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection.”
Evidence Points to Russian-Speaking Group
While definitive attribution remains elusive, Koi Security highlighted indicators suggesting involvement by a Russian-speaking threat group. These include Russian-language code comments and metadata discovered within a PDF document retrieved from a command-and-control server associated with the malware.
“While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group.”