Over 40 fake Firefox add-ons impersonating major crypto wallets linked to active credential theft campaign: report

Quick Take
- Security experts have identified over 40 fraudulent Firefox browser extensions designed to steal cryptocurrency wallet credentials from users.
- The fake extensions impersonated legitimate tools from major crypto services such as Coinbase and MetaMask.

Security researchers have identified an extensive cybercriminal operation using dozens of fraudulent Firefox browser extensions to steal cryptocurrency wallet credentials from users.
In a report released Wednesday, Koi Security warned that the sophisticated scheme involves over 40 malicious extensions that pose as legitimate wallet applications from popular cryptocurrency platforms.
Specifically, the fake extensions impersonated legitimate tools from major crypto services such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, these counterfeit extensions secretly collect sensitive wallet information, potentially exposing victims' crypto assets to theft.
The attack is "ongoing and very much alive," with some extensions still available, the report said. "We can confirm that the campaign has been active since at least April 2025," the report added. "New malicious extensions were uploaded to Firefox Add-ons store as recent as last week. The ongoing nature of the uploads suggests that the operation is still active, persistent, and evolving."
In an attempt to gain trust from users, these fake extensions leveraged mechanisms such as ratings and reviews, with many of them having hundreds of fake five-star reviews, according to the report.
Koi Security also noted signs pointing to a Russian-speaking threat actor, including Russian-language code comments within the malicious extensions and metadata recovered from PDF files hosted on command-and-control servers used in the operation. "While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group," the report said.
"We are aware of attempts to exploit Firefox's add-ons ecosystem using malicious crypto-stealing extensions. Through improved tooling and process, we have taken steps to identify and take down such add-ons quickly," a Firefox spokesperson told The Block, adding that the team recently published a blog post addressing the issue.
"Koi Security's report details part of this larger trend," the spokesperson said. "Many of the extensions mentioned in the report had already been removed by Mozilla's add-ons review team before publication, as well as dozens of others that have been submitted recently. We are in the process of reviewing the remaining few add-ons they identified as part of our ongoing commitment to protecting users."
Update: This story has been updated to add comment from Firefox's spokesperson.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry.
© 2025 The Block. All Rights Reserved.





