
Crypto Wallets at Risk: Malicious Firefox Add-ons Uncovered



🟪 𝗪𝗵𝗮𝘁'𝘀 𝗛𝗮𝗽𝗽𝗲𝗻𝗶𝗻𝗴?

A recent discovery by Koi Security reveals over 40 malicious Firefox browser extensions that were secretly harvesting crypto wallet secrets from users. Disguised as legitimate tools like MetaMask, Coinbase, and Trust Wallet, these fake add-ons made their way into the official Mozilla Add-ons store, catching users off guard and putting their digital assets in danger.


🧩 𝗛𝗼𝘄 𝘁𝗵𝗲 𝗔𝘁𝘁𝗮𝗰𝗸 𝗪𝗼𝗿𝗸𝘀

These malicious extensions used cloned branding, logos, and source code from real wallet extensions. To gain trust, they faked hundreds of 5-star reviews — making them look popular and reliable.

Once installed, they began collecting seed phrases, wallet keys, and even IP addresses, sending them back to attacker-controlled servers. Despite mimicking trusted tools, the extensions carried hidden functions designed to steal credentials quietly, all while appearing to work normally. Clues in the code suggest involvement of a Russian-speaking threat group.


🚨 𝗪𝗵𝘆 𝗜𝘁 𝗠𝗮𝘁𝘁𝗲𝗿𝘀

These attacks bypass traditional phishing tactics — there are no fake emails or shady links involved. Instead, the attack lives inside the browser, making it harder to detect.

Victims risk losing full access to their wallets and sensitive files. And because it looks legit, many users don’t realize they've been compromised until it’s too late. It's a low-effort, high-impact technique that's quickly becoming a major concern in the crypto space.


🛡️ 𝗦𝘁𝗮𝘆𝗶𝗻𝗴 𝗦𝗮𝗳𝗲

  • Stick to browser add-ons from verified developers only.

  • Don’t trust popularity—check recent reviews and developer history.

  • Use hardware wallets or dedicated apps to store sensitive info.

  • Monitor browser extensions regularly and remove those you don’t use.

  • If something feels off, report it to Mozilla and do a full device scan.
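To make the "monitor your extensions" advice concrete, here is an added example (not code from Koi Security, Mozilla, or the sources below) that audits the `extensions.json` file in a Firefox profile folder. It flags add-ons that use one of the wallet names mentioned above without being on your own trusted-ID list, plus disabled add-ons worth removing. The sample data and every ID in it are constructed, and the trusted list is an assumption you fill in yourself.

```python
import json
from datetime import datetime, timezone

WALLET_BRANDS = ("metamask", "coinbase", "trust wallet")  # brands named in the article
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "https://*/*", "http://*/*"}

def audit_addons(extensions_json, trusted_ids):
    """Return a finding for each user-installed extension that deserves a closer look."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        # Only extensions the user added to the profile; skip themes and built-ins.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        reasons = []
        brand = next((b for b in WALLET_BRANDS if b in name.lower()), None)
        if brand and addon.get("id") not in trusted_ids:
            reasons.append(f"uses the '{brand}' name but its ID is not on the trusted list")
        if addon.get("userDisabled"):
            reasons.append("disabled; remove it if it is no longer needed")
        if not reasons:
            continue
        # Context for the reviewer: host access on every site, and the install date.
        origins = (addon.get("userPermissions") or {}).get("origins") or []
        installed = datetime.fromtimestamp(addon.get("installDate", 0) / 1000, timezone.utc)
        findings.append({"id": addon.get("id"), "name": name, "reasons": reasons,
                         "all_sites": bool(BROAD_ORIGINS & set(origins)),
                         "installed": installed.date().isoformat()})
    return findings

# Constructed sample in the shape of extensions.json; every ID and name is made up.
SAMPLE = json.dumps({"addons": [
    {"id": "official-wallet@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "MetaMask"}, "userDisabled": False,
     "installDate": 1704067200000, "userPermissions": {"origins": ["<all_urls>"]}},
    {"id": "lookalike@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Coinbase Wallet Pro"}, "userDisabled": False,
     "installDate": 1751328000000, "userPermissions": {"origins": ["<all_urls>"]}},
    {"id": "old-tool@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Tab Helper"}, "userDisabled": True,
     "installDate": 1672531200000, "userPermissions": {"origins": []}},
    {"id": "builtin@example.invalid", "type": "extension", "location": "app-builtin",
     "defaultLocale": {"name": "Trust Wallet"}, "userDisabled": False},
]})
TRUSTED_IDS = {"official-wallet@example.invalid"}  # fill with IDs confirmed by the vendor

if __name__ == "__main__":
    for f in audit_addons(SAMPLE, TRUSTED_IDS):
        print(f["installed"], f["id"], f["name"], f["all_sites"], "; ".join(f["reasons"]))
```

To check a real profile, pass the text of its `extensions.json` (the profile folder is listed on Firefox's `about:profiles` page) in place of `SAMPLE`.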


🧾 𝗙𝗶𝗻𝗮𝗹 𝗧𝗵𝗼𝘂𝗴𝗵𝘁𝘀

This campaign serves as yet another reminder that even official browser extension stores aren’t entirely safe from abuse. Cybercriminals are getting smarter, blending malicious code into tools that look and feel legit. The key takeaway? Stay cautious, stay updated, and always verify what you’re installing, especially when your digital assets are on the line.

Resources:

  • https://thehackernews.com/2025/07/over-40-malicious-firefox-extensions.html

  • https://www.tradingview.com/news/u_today:f123e0d9f094b:0-crypto-alert-these-40-firefox-extensions-can-instantly-drain-your-wallet/

 
 
 


© 2025 Vardaan Sdn Bhd. All Rights Reserved.
