Security researchers have discovered more than 40 rogue browser extensions for Mozilla Firefox that are hijacking users’ crypto wallets. The rogue extensions pose as legitimate ones from well-known platforms like Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox, putting users’ crypto funds in serious jeopardy.
According to Yuval Ronen of Koi Security, the malware campaign has been active since at least April 2025, and new extensions continue to be uploaded to the Firefox Add-ons store as recently as last week.
Key points:
- Over 40 malicious Firefox extensions identified
- Directly targeting cryptocurrency wallets
- Stealing user assets, keys, and seed phrases
The identified extensions were also found to inflate their own popularity with hundreds of fake 5-star reviews, in some cases more reviews than the add-on had active installations. The padding is meant to create an illusion of authenticity and wide adoption that tricks unsuspecting users into installing them; a review count that exceeds the install count is a simple red flag to check on a listing before clicking install.
Another tactic adopted by the threat actor to bolster trust involves passing off these add-ons as legitimate wallet tools, using the same names and logos.
Because several of the genuine wallet extensions are open-source, the attackers could clone the original source code, keep its legitimate functionality intact, and inject additional logic that harvests wallet keys and seed phrases from the pages the extension runs on and exfiltrates them to a remote server. The rogue extensions were also found to transmit the victim's external IP address, most likely for tracking or targeting.
Unlike typical phishing scams that rely on fake websites or emails, these extensions run inside the user's browser with the same privileges as the extension they imitate, so they leave no suspicious process or separate binary for traditional endpoint tools to flag and are harder to detect or block there.
“This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection,” Ronen said.
The presence of Russian language comments in the source code as well as metadata obtained from a PDF file retrieved from the command-and-control (C2) server used for the activity points to a Russian-speaking threat actor group.
All of the identified add-ons, with the exception of MyMonero Wallet, have since been taken down by Mozilla. Last month, the browser maker said it had developed an "early detection system" intended to flag and block scam crypto wallet extensions before they gain traction with users, since such extensions steal assets by tricking victims into entering their wallet credentials.
To mitigate the risk posed by such threats, install extensions only from verified publishers, ideally by following the install link on the wallet vendor's own website rather than searching the add-ons store by name, and keep vetting them after installation: extensions update silently, so an add-on that was clean on install can still change its behaviour or request new permissions later.
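One way to act on that last piece of advice is to snapshot the add-ons recorded in a Firefox profile's extensions.json and diff a later snapshot against it, flagging new add-ons, version bumps, permission growth, and wallet-branded extensions with host access to every site. The script below is an added example, not code from the original article or from Koi Security; the two snapshots are constructed inline, the add-on IDs in them are invented, and it assumes the extensions.json layout where each entry carries `id`, `type`, `version`, `active`, `defaultLocale.name` and `userPermissions` with `permissions` and `origins` lists.

```python
"""Inventory Firefox add-ons from extensions.json and diff against a baseline."""
import json
from dataclasses import dataclass

# Constructed sample snapshots (assumption: field names as in Firefox's
# profile-level extensions.json; only the fields this check reads are kept).
# The GUID-style ID below is invented for the example.
BASELINE_JSON = """{
  "schemaVersion": 37,
  "addons": [
    {"id": "blocker@example.org", "type": "extension", "version": "1.2.0",
     "active": true, "defaultLocale": {"name": "Example Blocker"},
     "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["<all_urls>"]}},
    {"id": "default-theme@mozilla.org", "type": "theme", "version": "1.3",
     "active": true, "defaultLocale": {"name": "System theme"}}
  ]
}"""

CURRENT_JSON = """{
  "schemaVersion": 37,
  "addons": [
    {"id": "blocker@example.org", "type": "extension", "version": "1.3.0",
     "active": true, "defaultLocale": {"name": "Example Blocker"},
     "userPermissions": {"permissions": ["storage", "tabs", "webRequest"], "origins": ["<all_urls>"]}},
    {"id": "{3f0d4c2a-0000-4000-8000-000000000001}", "type": "extension", "version": "2.0.1",
     "active": true, "defaultLocale": {"name": "Trust Wallet"},
     "userPermissions": {"permissions": ["storage", "clipboardRead"], "origins": ["<all_urls>"]}},
    {"id": "default-theme@mozilla.org", "type": "theme", "version": "1.3",
     "active": true, "defaultLocale": {"name": "System theme"}}
  ]
}"""

WALLET_KEYWORDS = ("wallet", "metamask", "coinbase", "phantom", "exodus",
                   "keplr", "okx", "bitget", "leap", "monero", "filfox")
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


@dataclass(frozen=True)
class Addon:
    id: str
    name: str
    version: str
    active: bool
    permissions: frozenset
    origins: frozenset


def parse_extensions(text):
    """Return {addon_id: Addon} for code-bearing extensions in an extensions.json."""
    addons = {}
    for entry in json.loads(text).get("addons", []):
        if entry.get("type") != "extension":
            continue  # themes, dictionaries and langpacks carry no scripts
        perms = entry.get("userPermissions") or {}
        addons[entry["id"]] = Addon(
            id=entry["id"],
            name=(entry.get("defaultLocale") or {}).get("name", ""),
            version=entry.get("version", ""),
            active=bool(entry.get("active", False)),
            permissions=frozenset(perms.get("permissions", [])),
            origins=frozenset(perms.get("origins", [])),
        )
    return addons


def wallet_lookalikes(addons):
    """Active add-ons with a wallet-brand name and host access to every site.
    Broad host access alone is not malicious (genuine wallets inject a provider
    into every page), so this is a review list, not a verdict: confirm the
    add-on ID matches the vendor's own install link before trusting it."""
    return sorted(a.id for a in addons.values()
                  if a.active
                  and any(k in a.name.lower() for k in WALLET_KEYWORDS)
                  and a.origins & BROAD_ORIGINS)


def diff_baseline(baseline, current):
    """Changes since the baseline: new, removed and updated add-ons, plus any
    permission or origin the add-on did not hold when the baseline was taken."""
    findings = []
    for aid, cur in current.items():
        old = baseline.get(aid)
        if old is None:
            findings.append(("new", aid, cur.name))
            continue
        if cur.version != old.version:
            findings.append(("updated", aid, f"{old.version}->{cur.version}"))
        gained = (cur.permissions | cur.origins) - (old.permissions | old.origins)
        if gained:
            findings.append(("escalated", aid, ",".join(sorted(gained))))
    for aid in sorted(baseline.keys() - current.keys()):
        findings.append(("removed", aid, baseline[aid].name))
    return sorted(findings)


def audit(baseline_text, current_text):
    baseline = parse_extensions(baseline_text)
    current = parse_extensions(current_text)
    return {"changes": diff_baseline(baseline, current),
            "review": wallet_lookalikes(current)}


if __name__ == "__main__":
    # Against a live profile, read ~/.mozilla/firefox/<profile>/extensions.json
    # (or the Windows/macOS equivalent) in place of the constructed constants.
    report = audit(BASELINE_JSON, CURRENT_JSON)
    for kind, aid, detail in report["changes"]:
        print(f"{kind:10s} {aid} {detail}")
    print("review:", report["review"])
```

Run it periodically (for example from a scheduled task) and keep the previous snapshot as the baseline; a permission escalation on an add-on you did not consciously update, or a wallet-named add-on whose ID differs from the one the vendor publishes, is the signal to remove it and rotate any seed phrase typed while it was installed.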