Malicious Firefox Browser Extension Campaign Impersonates, Steals Crypto Wallets

Researchers at Koi Security, a cybersecurity company, have recently discovered a large-scale campaign involving dozens of fake Firefox browser extensions designed to steal cryptocurrency wallet credentials by impersonating popular wallet exchange tools. The campaign has been ongoing since at least April 2025, with new malicious extensions appearing as recently as last week. The persistent and evolving nature of this operation underscores the increasing sophistication of threats targeting cryptocurrency users via browser extensions.

Their research revealed that over 40 such extensions are currently active and available on the Firefox Add-ons marketplace. These malicious add-ons pose as popular wallet tools such as MetaMask, Coinbase, Trust Wallet, and others in hopes of tricking users into installing software that secretly exfiltrates sensitive data.

These fake extensions mimic well-known cryptocurrency wallets and put users' assets at risk of theft: once installed, they operate silently to steal private keys, seed phrases, and other sensitive data, which is then transmitted to attacker-controlled servers. To appear legitimate and trustworthy, they visually imitate trusted brands, carry fake reviews, and clone legitimate open-source code.

Treat extensions as software assets, applying vetting and security policies. When choosing and managing browser extensions, especially those handling sensitive financial data, it's crucial to maintain a proactive security stance to protect your digital assets. Some tips include:

  • When choosing tools, use only verified, trusted sources such as your browser’s extension store or the developer’s official site.
  • Review official developer information, reviews, and even update history before installing.
  • Monitor installed extensions regularly for unexpected changes.
  • Limit installations to approved extensions within your organization.
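
One way to put the last two tips into practice, as an added example that is not from the article or from Koi Security: audit a Firefox profile's `extensions.json` against an approved list and a baseline from the previous audit. The field names (`addons`, `type`, `location`, `defaultLocale`, `userPermissions`) and the built-in location values are assumptions about that file's layout to confirm against a real profile; the add-on IDs and sample data are constructed.

```python
import json

# Brands the article names as impersonation targets.
WALLET_BRANDS = ("metamask", "coinbase", "trust wallet")
# Assumed "location" values for add-ons that ship with Firefox itself.
BUILTIN = ("app-builtin", "app-system-defaults", "app-system-addons")

def audit_extensions(extensions_json, allowlist, baseline):
    """Return (addon_id, finding) pairs for one profile's extensions.json text.
    baseline maps addon_id -> {"version": str, "permissions": [str]} from the last audit."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or addon.get("location") in BUILTIN:
            continue  # themes, dictionaries, bundled add-ons
        addon_id = addon["id"]
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        perms = addon.get("userPermissions") or {}
        granted = set(perms.get("permissions", [])) | set(perms.get("origins", []))
        if addon_id not in allowlist:
            findings.append((addon_id, "not on allowlist"))
            if any(brand in name.lower() for brand in WALLET_BRANDS):
                findings.append((addon_id, f"uses wallet brand name: {name}"))
            continue
        old = baseline.get(addon_id)
        if old is None:
            findings.append((addon_id, "approved but not in baseline"))
            continue
        if old["version"] != addon.get("version"):
            findings.append((addon_id, f"version {old['version']} -> {addon.get('version')}"))
        added = sorted(granted - set(old["permissions"]))
        if added:
            findings.append((addon_id, "new permissions: " + ", ".join(added)))
    return findings

# Constructed sample data; IDs are placeholders, not real add-on IDs.
SAMPLE = json.dumps({"addons": [
    {"id": "approved-wallet@example.invalid", "type": "extension",
     "location": "app-profile", "version": "2.1.0", "defaultLocale": {"name": "Approved Wallet"},
     "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["<all_urls>"]}},
    {"id": "lookalike@example.invalid", "type": "extension",
     "location": "app-profile", "version": "1.0.0", "defaultLocale": {"name": "MetaMask Wallet"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "theme@example.invalid", "type": "theme", "location": "app-builtin", "version": "1.0"},
]})
ALLOWLIST = {"approved-wallet@example.invalid"}
BASELINE = {"approved-wallet@example.invalid": {"version": "2.0.0", "permissions": ["storage"]}}

if __name__ == "__main__":
    for addon_id, finding in audit_extensions(SAMPLE, ALLOWLIST, BASELINE):
        print(f"{addon_id}: {finding}")
```

A version or permission change on an approved add-on is not proof of compromise, but it is the point at which the add-on should be re-vetted before the baseline is updated.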

This ongoing threat shows the importance of vigilance when managing software like extensions, especially those handling sensitive financial data, as well as the increasing sophistication of threats targeting cryptocurrency users via browser extensions.

Learn more about their security analysis, including a list of malicious extensions which are indicators of compromise, on their website here.