    40+ Fake Firefox Wallet Extensions Are Stealing Your Crypto, Koi Security Warns

    By Press Room | July 3, 2025

    Cybersecurity firm Koi Security has uncovered a large-scale malicious campaign involving over 40 fake Firefox extensions designed to steal crypto wallet credentials from unsuspecting users.

    The malicious extensions impersonate legitimate wallet tools from well-known platforms, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.

    According to Koi Security, the campaign has been active since at least April 2025, with new malicious extensions uploaded to the Firefox Add-ons store as recently as last week.

    The extensions extract wallet credentials directly from targeted websites and transmit them to remote servers controlled by attackers.

    Notably, OKX warned users in January about fake OKX Wallet Firefox extensions, confirming that the exchange had not released any Firefox plugins.

    The exchange filed complaints with Firefox officials, requesting the removal of the fraudulent browser extensions, while advising users to transfer their wallet assets immediately if they had installed malicious plugins.

    Sophisticated Trust-Building Tactics Fool Thousands of Users

    The malicious campaign employed sophisticated trust-building mechanisms to increase installation rates and avoid immediate detection.

    Many extensions featured hundreds of fake 5-star reviews that far exceeded their actual user bases, creating the appearance of widespread adoption and positive community feedback.

    Source: Koi Security

    Threat actors carefully mimicked legitimate wallet tool branding, using names and logos identical to those of the real services they impersonated.

    This visual similarity increased the likelihood of accidental installations by users searching for official cryptocurrency wallet extensions.

    The attackers exploited the open-source nature of legitimate wallet extensions by cloning authentic codebases and inserting malicious logic.

    This approach allowed them to maintain expected user experiences while secretly exfiltrating sensitive wallet data in the background.

    This strategy reduced development time while increasing the likelihood that security tools would miss malicious modifications to otherwise legitimate code.

    Some malicious extensions remained undetected for extended periods due to their functional similarities to legitimate wallet tools.

    Users experienced standard wallet functionality while their credentials were simultaneously transmitted to attacker-controlled infrastructure.
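Because the fake extensions are clones with extra logic inserted, comparing a suspect package against the official build of the same wallet surfaces the differences. The following is an added example, not code from Koi Security or the original article; the sample packages, file names and the `diff_extension` helper are constructed for illustration.

```python
import hashlib
import io
import json
import zipfile

def load(xpi_bytes):
    """Return ({path: sha256}, manifest dict) for an XPI, which is a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        files = {n: z.read(n) for n in z.namelist() if not n.endswith("/")}
    hashes = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return hashes, json.loads(files.get("manifest.json", b"{}"))

def perms(manifest):
    """API and host permissions (MV2 'permissions', MV3 'host_permissions')."""
    keys = ("permissions", "host_permissions", "optional_permissions")
    return {p for k in keys for p in manifest.get(k, []) if isinstance(p, str)}

def diff_extension(reference_xpi, candidate_xpi):
    """Report what a candidate package changes relative to the official build."""
    ref, ref_manifest = load(reference_xpi)
    cand, cand_manifest = load(candidate_xpi)
    return {
        "added": sorted(cand.keys() - ref.keys()),
        "removed": sorted(ref.keys() - cand.keys()),
        "modified": sorted(f for f in ref.keys() & cand.keys() if ref[f] != cand[f]),
        "new_permissions": sorted(perms(cand_manifest) - perms(ref_manifest)),
    }

def make_xpi(files):
    """Build a constructed in-memory XPI for the demo inputs below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in files.items():
            z.writestr(name, text)
    return buf.getvalue()

# Constructed sample packages (not real extensions).
OFFICIAL = make_xpi({
    "manifest.json": json.dumps({"name": "Example Wallet", "permissions": ["storage"]}),
    "background.js": "// wallet logic\n",
})
LOOKALIKE = make_xpi({
    "manifest.json": json.dumps({"name": "Example Wallet",
                                 "permissions": ["storage", "<all_urls>"]}),
    "background.js": "// wallet logic\n",
    "extra.js": "// placeholder: file absent from the official build\n",
})

if __name__ == "__main__":
    print(json.dumps(diff_extension(OFFICIAL, LOOKALIKE), indent=2))
```

When comparing real packages, expect signing metadata under `META-INF/` to differ between builds; new host permissions and added or modified script files are the results worth reviewing by hand.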

    Hardware and Software Attacks Expand Beyond Browser Extensions

    The Firefox extension campaign represents one vector in an expanding ecosystem of cryptocurrency theft methods targeting both software and hardware security measures.

    According to a recent report by Cryptonews, a Chinese crypto investor lost nearly $7 million after purchasing a fake cold wallet through Douyin, TikTok’s Chinese platform.

    🥶 Crypto investor loses $6.9 million after buying fake cold wallet on Chinese TikTok as sophisticated hardware scams evolve beyond traditional phishing to compromise trusted security devices. #ColdWallet #CryptoScam #TikTok https://t.co/DnbI4arD8V

    — Cryptonews.com (@cryptonews) June 16, 2025

    The sophisticated hardware trap compromised the wallet’s private key generation at the fundamental level.

    When the victim initialized the device, it generated keys already known to attackers, creating a false sense of security while providing criminals complete access to funds.

    Similarly, cybersecurity firm Moonlock recently warned about fake Ledger Live applications targeting macOS users through the Atomic macOS Stealer malware.

    The malware, embedded across at least 2,800 compromised websites, replaces genuine Ledger Live applications with fake versions that harvest seed phrases through convincing pop-ups.

    Attackers are also expanding their reach beyond hardware and software. Physical phishing attacks have emerged through traditional mail systems, with scammers impersonating Ledger and sending fake letters via USPS.

    The letters urge users to “validate” their wallets through QR codes that link to phishing sites designed to steal private keys.

    This latest discovery adds to the growing threat that sophisticated attackers pose to the crypto industry.

    Crypto investors lost more than $2.2 billion to hacks, scams, and security breaches in the first half of 2025 alone, according to CertiK’s security report.

    Wallet-related breaches alone accounted for $1.7 billion across just 34 attacks, while phishing followed with over $410 million stolen in 132 incidents.

    Ethereum remained the most targeted blockchain, experiencing 175 security events and over $1.6 billion in losses.

    🔍 Crypto investors have lost $2.2B to hacks and scams in H1 2025, with $187M recovered as threats shift, reports @CertiK.#CryptoSecurity #Cryptohacks https://t.co/5KCaVsYnbg

    — Cryptonews.com (@cryptonews) June 30, 2025

    The largest hack occurred in February, when crypto exchange Bybit suffered a breach resulting in the theft of more than $1.5 billion in liquid-staked ETH and MegaETH.

    Code vulnerabilities caused $229 million in damages during May 2025 alone, representing a massive jump from just $5 million in April.

    Physical “wrench attacks” targeting crypto holders have surged globally, with at least 32 reported incidents in 2025, putting the year on pace to surpass 2021’s record of 36 attacks.

    The post 40+ Fake Firefox Wallet Extensions Are Stealing Your Crypto, Koi Security Warns appeared first on Cryptonews.
