Over 40 Fake Firefox Extensions Target Crypto Wallet Users in Active Credential Theft Campaign

Dozens of Malicious Firefox Add-ons Impersonate Major Crypto Wallets, Researchers Warn
Security experts have uncovered a major cybercriminal campaign targeting cryptocurrency users through a wave of counterfeit Firefox browser extensions. According to a report published Wednesday by Koi Security, more than 40 fake add-ons are actively impersonating popular crypto wallet apps in an effort to steal users’ credentials and gain access to their funds.

The fraudulent extensions pose as legitimate tools from widely used platforms, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, and Keplr, among others. Once installed, these malicious add-ons silently harvest sensitive wallet data, putting users’ digital assets at serious risk.

Campaign Ongoing and Evolving
Koi Security's findings reveal the operation is still very much in motion. “We can confirm that the campaign has been active since at least April 2025,” the firm stated, noting that some of the malicious extensions were added to the official Firefox Add-ons store as recently as last week.
What makes the attack especially dangerous is how the threat actors have worked to gain user trust. Many of the fake extensions come loaded with hundreds of five-star reviews—almost certainly fabricated—to give the appearance of legitimacy and boost visibility.
“This isn’t a one-off event,” said researchers at Koi. “It’s a coordinated, persistent operation that’s continuing to upload new extensions, refine its tactics, and exploit user trust in browser marketplaces.”

Possible Russian-Speaking Threat Actors Involved
The report also points to digital fingerprints that may hint at the origins of the group behind the campaign. Analysts found Russian-language comments embedded in the code of the fake extensions, as well as metadata in PDF documents hosted on the operation’s command-and-control servers. While not definitive, the evidence suggests the involvement of a Russian-speaking threat actor.
Such attribution remains speculative, and Koi Security was careful to note that further investigation is needed to confirm the origin with certainty.

How to Protect Yourself
Users are urged to exercise caution when downloading browser extensions—especially those related to cryptocurrency management. Experts recommend only installing wallet extensions directly from verified sources, avoiding unfamiliar or duplicate entries in the Firefox Add-ons store, and being wary of unusually high ratings and reviews that may be artificially inflated.
Additionally, it’s good practice to regularly audit installed extensions, update security software, and store crypto assets in hardware wallets or trusted applications with multi-factor authentication.
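
One way to run the extension audit recommended above, as an added example that is not part of Koi Security's report: it flags installed add-ons whose display name uses one of the wallet brands named in this article but whose add-on ID is not on a list you verified yourself. The field names follow the extensions.json file Firefox keeps in each profile folder; the sample records, the add-on IDs and the trusted-ID set are constructed placeholders.

```python
import json
import re
import unicodedata

# Wallet brands the article names as impersonation targets.
BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx", "keplr")

def _squash(text):
    """Fold compatibility forms and case, then drop anything outside a-z0-9."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)

def audit_addons(extensions_json, trusted_ids):
    """Return extensions whose display name uses a wallet brand but whose
    add-on ID is not in the caller's set of verified IDs."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, language packs
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        brand = next((b for b in BRANDS if _squash(b) in _squash(name)), None)
        if brand and addon.get("id") not in trusted_ids:
            perms = addon.get("userPermissions") or {}
            findings.append({"id": addon.get("id"), "name": name, "brand": brand,
                             "active": bool(addon.get("active")),
                             "origins": perms.get("origins", [])})
    return findings

# Constructed sample in the shape of a profile's extensions.json (not real add-ons).
SAMPLE = json.dumps({"addons": [
    {"id": "verified-wallet@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask"}, "sourceURI": "https://example.invalid/a.xpi"},
    {"id": "{00000000-0000-4000-8000-000000000001}", "type": "extension", "active": True,
     "defaultLocale": {"name": "Phantom  Wallet - Official"},
     "sourceURI": "https://example.invalid/b.xpi",
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
    {"id": "tab-tidy@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Tab Tidy"}},
    {"id": "theme@example.invalid", "type": "theme", "defaultLocale": {"name": "Exodus Dark"}},
]})
# Placeholder: fill with IDs you verified through the wallet vendor's own site.
TRUSTED = {"verified-wallet@example.invalid"}

if __name__ == "__main__":
    for f in audit_addons(SAMPLE, TRUSTED):
        print(f"REVIEW {f['name']!r} id={f['id']} active={f['active']} origins={f['origins']}")
```

To audit a real profile, pass in the contents of extensions.json from the profile folder shown on Firefox's about:support page. A flagged entry is a prompt for manual review, not proof that the add-on is malicious.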