A new report from cybersecurity firm Koi Security has revealed a large-scale campaign involving fake Firefox browser extensions used to steal crypto wallet credentials. According to the research, more than 40 extensions were found impersonating popular crypto wallet tools, allowing attackers to siphon off sensitive information from unsuspecting users. These add-ons were designed to closely mimic legitimate applications from well-known platforms like MetaMask, Coinbase, Phantom, Trust Wallet, Exodus, OKX, and others. Inside The Fake Wallet Extensions on Firefox The campaign, which remains active, was first detected as far back as April 2025. In their findings released Wednesday, Koi Security confirmed that the fake extensions had been uploaded to the Firefox Add-ons store as recently as last week. Some of these extensions were still available at the time of the report, raising concerns about the continued exposure of users’ private keys and wallet data. Once installed, the add-ons discreetly collected sensitive credentials, creating direct access points for attackers to steal users’ assets across multiple blockchain networks . Security researchers say this operation poses a particular threat because of its longevity, stealth, and technical sophistication. The fact that new extensions are being uploaded even now suggests the campaign is not only active but persistent, evolving to avoid detection. By mimicking widely used wallets and slipping through browser review systems, the actors behind this effort are leveraging both social engineering and technical spoofing to target crypto users. Tactics, Attribution, and Broader Implications for Crypto Security In an effort to establish credibility, many of the counterfeit extensions had been padded with hundreds of five-star ratings and positive reviews. These false signals of legitimacy likely helped persuade users to download the tools without suspecting foul play. The extensions’ design, branding, and naming conventions also closely resembled those of official wallet providers, adding another layer of deception. Koi Security researchers found several technical indicators suggesting a potential Russian-speaking group behind the campaign. Analysis of the extensions revealed Russian-language comments embedded in the code, and documents linked to the command-and-control infrastructure contained metadata in Russian. While these clues are not definitive, they align with tactics seen in prior threat actor campaigns originating from Eastern Europe. “While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group,” the report noted. The scale and persistence of the operation point to an organized effort. Koi Security emphasized that this isn’t a one-off exploit but an evolving tactic that could target other browsers and crypto platforms in the future. The report recommends that users avoid downloading browser extensions outside of official wallet provider recommendations and double-check developer information on add-on pages. It also encourages users to inspect permissions requested by extensions and to remove any tool they did not explicitly install or no longer recognize. Featured image created with DALL-E, Chart from TradingView
