A large-scale campaign involving over 40 fake Firefox extensions has been identified, designed to steal cryptocurrency wallet credentials by impersonating legitimate wallet tools like MetaMask and Coinbase. The campaign, active since at least April 2025, employs fake reviews and cloned open-source code to deceive users and quietly exfiltrate sensitive data. #MetaMask #Coinbase #FirefoxExtensions #CryptocurrencyTheft
Key Points
- Over 40 malicious Firefox extensions have been discovered stealing cryptocurrency wallet credentials by mimicking popular wallet tools.
- Targeted wallets include Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.
- The campaign has been active since at least April 2025 and continues to upload new fake extensions to the Firefox Add-ons store.
- Malicious extensions exfiltrate wallet secrets and victim IP addresses to attacker-controlled servers for tracking or targeting.
- Attackers used review inflation and branding imitation, including cloning open-source legitimate code with added malicious logic, to build user trust.
- Evidence points towards a Russian-speaking threat actor, including Russian-language comments and metadata from command-and-control servers.
- Recommendations include installing extensions only from verified publishers, using allowlists, and implementing continuous monitoring of extensions.
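The allowlisting and monitoring recommendation above can be put into practice with a small audit script. The following is an added example, not code from the original write-up or from Koi Security: it parses a Firefox profile's `extensions.json` (the file Firefox itself maintains), reports any add-on not on an administrator-defined allowlist, separately flags add-ons whose display name borrows one of the wallet brands named in the campaign while their add-on ID is not the allowlisted one, and emits a Firefox enterprise `policies.json` fragment that enforces the same allowlist via `ExtensionSettings`. The allowlisted IDs, the brand list's use for name matching, and the sample `extensions.json` are constructed or assumed for the example.

```python
"""Audit a Firefox profile's installed extensions against an allowlist.

Added example (not from the original write-up or from Koi Security). The
allowlist IDs and the sample extensions.json below are constructed/assumed.
"""
import json
import re
from typing import Optional

# Wallet brands named in the campaign write-up; used only for name matching.
WALLET_BRANDS = [
    "coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
    "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox",
]

# Allowlist: add-on ID -> label. These IDs are assumptions for the example;
# verify each against the vendor's own documentation before deploying.
ALLOWLIST = {
    "uBlock0@raymondhill.net": "uBlock Origin (assumed ID)",
    "webextension@metamask.io": "MetaMask (assumed official ID)",
}


def brand_in_name(name: str) -> Optional[str]:
    """Return the wallet brand that appears as a whole word in a display name, if any."""
    lowered = name.lower()
    for brand in WALLET_BRANDS:
        if re.search(r"\b" + re.escape(brand) + r"\b", lowered):
            return brand
    return None


def audit_extensions(extensions_json: str, allowlist=ALLOWLIST) -> list:
    """Return one finding per add-on that is unlisted and/or a brand lookalike.

    extensions_json is the text of <profile>/extensions.json. Only entries of
    type "extension" are examined; themes, dictionaries etc. are skipped.
    """
    data = json.loads(extensions_json)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue
        addon_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "")
        reasons = []
        if addon_id not in allowlist:
            reasons.append("not on allowlist")
        brand = brand_in_name(name)
        if brand and addon_id not in allowlist:
            reasons.append(f"uses wallet brand '{brand}' with unknown ID")
        if reasons:
            findings.append({
                "id": addon_id,
                "name": name,
                "source": addon.get("sourceURI"),
                "active": addon.get("active", False),
                "reasons": reasons,
            })
    return findings


def policies_json(allowlist=ALLOWLIST) -> dict:
    """Build a policies.json that blocks every add-on not explicitly allowed.

    "*": blocked plus per-ID "allowed" entries under ExtensionSettings is the
    documented Firefox enterprise-policy mechanism for allowlisting.
    """
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": "Only IT-approved extensions may be installed.",
        }
    }
    for addon_id in allowlist:
        settings[addon_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}


# Constructed sample extensions.json: one allowlisted add-on, one lookalike
# whose name echoes a slug from the IoC list, and a theme that is skipped.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {"id": "uBlock0@raymondhill.net", "type": "extension", "active": True,
         "defaultLocale": {"name": "uBlock Origin"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/0000/ublock.xpi"},
        {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
         "active": True,
         "defaultLocale": {"name": "MetaMask Crypto Official"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/0000/lookalike.xpi"},
        {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
         "defaultLocale": {"name": "System theme"}},
    ]
})

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{f['id']}: {f['name']} -> {'; '.join(f['reasons'])}")
    print(json.dumps(policies_json(), indent=2))
```

Run it against a real profile by reading `extensions.json` from the profile directory and passing its contents to `audit_extensions`; the name check is deliberately a second, independent signal so that a lookalike which happens to be allowlisted by mistake still surfaces for review. The emitted policy fragment goes into Firefox's `policies.json` (or the equivalent GPO/plist) to turn the audit into prevention.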
MITRE Techniques
- [T1587.001] Develop Capabilities: Malware – The malicious extensions are created by cloning open-source wallet tools and inserting malicious logic to steal credentials (“cloned the real codebases and inserted their own malicious logic”).
- [T1071.001] Application Layer Protocol: Web Protocols – Extensions exfiltrate wallet credentials and external IP addresses to remote servers controlled by attackers (“exfiltrate them to a remote server controlled by the attacker”).
- [T1499] Data Manipulation – The campaign inflates reviews and ratings with fake 5-star reviews to deceive users and gain trust (“many of the malicious extensions had hundreds of fake 5-star reviews”).
- [T1064] Scripting – Malicious logic embedded within browser extensions executes to steal data during initialization (“During initialization, they also transmit the victim’s external IP address”).
Indicators of Compromise
- [Firefox Extension Names] Malicious extensions impersonating wallets – bitget-extension, metamask-crypto-official, okx-wallet-extension, trust-wallet-mozilla, and over 40 others.
- [Domains] Command-and-control and infrastructure domains – exodlinkbase.digital, avalancheproject.digital, allextdev.world, sui rokboys.digital.
Read more: https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486