Cybersecurity firm Koi Security has uncovered a large-scale malicious campaign targeting cryptocurrency users through fake Firefox extensions.
The campaign involves more than 40 extensions impersonating widely used crypto wallet tools.
This includes Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, these extensions silently steal wallet credentials and exfiltrate them to attacker-controlled servers, placing user assets at immediate risk.
Crypto Users At Risk
In its latest post, Koi Security revealed that the campaign has been active since at least April 2025. In fact, new fraudulent uploads appeared on the Mozilla Add-ons store as recently as last week, which indicated that the operation is ongoing, adaptive, and persistent.
These extensions transmit victims’ external IP addresses during initialization, likely for tracking or targeting, while extracting wallet secrets directly from targeted sites. By copying ratings, reviews, and branding, the attackers make their extensions look trustworthy, which eventually leads more users to download them.
Many of the phony extensions carried hundreds of fake positive reviews, exceeding their actual user base, which allowed them to appear widely adopted and reputable within the Mozilla Add-ons ecosystem.
In several cases, attackers were found to have cloned real open-source wallet extensions and embedded malicious logic while maintaining expected functionality. This was done to avoid detection and ensure a seamless user experience, a tactic that allowed continued credential theft without raising suspicion.
Koi Security’s investigation traced the campaign’s shared infrastructure and tactics, techniques, and procedures (TTPs) across the extensions and revealed a coordinated operation focused on credential harvesting and user tracking within the crypto ecosystem. It urged Firefox users to review installed extensions immediately, uninstall suspicious tools, and rotate wallet credentials where possible.
The firm also said that it is actively collaborating with Mozilla to remove identified malicious extensions and to monitor for further uploads linked to this campaign.
Russian Clues in Campaign Code
Evidence suggests a Russian-speaking threat group may be behind the campaign. Koi Security claimed to have found Russian-language notes hidden in the extension’s code and metadata from a PDF on a control server showing Russian text.
These hints are not final proof but point to a possible Russian-language actor running the operation.
The latest report surfaces months after a potential Russia-linked crypto phishing scam using fake Zoom meeting links to steal millions was detected by SlowMist. The blockchain security firm traced the malware’s activity to a server in the Netherlands but found Russian-language scripts in the attackers’ tools, which indicated possible Russian-speaking operatives. The attackers drained wallets and converted stolen assets into ETH across major exchanges.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
Cybersecurity firm Koi Security has uncovered a large-scale malicious campaign targeting cryptocurrency users through fake Firefox extensions.
The campaign involves more than 40 extensions impersonating widely used crypto wallet tools.
This includes Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, these extensions silently steal wallet credentials and exfiltrate them to attacker-controlled servers, placing user assets at immediate risk.
Crypto Users At Risk
In its latest post, Koi Security revealed that the campaign has been active since at least April 2025. In fact, new fraudulent uploads appeared on the Mozilla Add-ons store as recently as last week, which indicated that the operation is ongoing, adaptive, and persistent.
These extensions transmit victims’ external IP addresses during initialization, likely for tracking or targeting, while extracting wallet secrets directly from targeted sites. By copying ratings, reviews, and branding, the attackers make their extensions look trustworthy, which eventually leads more users to download them.
Many of the phony extensions carried hundreds of fake positive reviews, exceeding their actual user base, which allowed them to appear widely adopted and reputable within the Mozilla Add-ons ecosystem.
In several cases, attackers were found to have cloned real open-source wallet extensions and embedded malicious logic while maintaining expected functionality. This was done to avoid detection and ensure a seamless user experience, a tactic that allowed continued credential theft without raising suspicion.
Koi Security’s investigation traced the campaign’s shared infrastructure and tactics, techniques, and procedures (TTPs) across the extensions and revealed a coordinated operation focused on credential harvesting and user tracking within the crypto ecosystem. It urged Firefox users to review installed extensions immediately, uninstall suspicious tools, and rotate wallet credentials where possible.
The firm also said that it is actively collaborating with Mozilla to remove identified malicious extensions and to monitor for further uploads linked to this campaign.
Russian Clues in Campaign Code
Evidence suggests a Russian-speaking threat group may be behind the campaign. Koi Security claimed to have found Russian-language notes hidden in the extension’s code and metadata from a PDF on a control server showing Russian text.
These hints are not final proof but point to a possible Russian-language actor running the operation.
The latest report surfaces months after a potential Russia-linked crypto phishing scam using fake Zoom meeting links to steal millions was detected by SlowMist. The blockchain security firm traced the malware’s activity to a server in the Netherlands but found Russian-language scripts in the attackers’ tools, which indicated possible Russian-speaking operatives. The attackers drained wallets and converted stolen assets into ETH across major exchanges.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
