Alert: 40+ Fake Crypto Wallet Extensions Found on Firefox—Is Your Portfolio Safe?
Firefox users beware—cybercriminals are upping their game with over 40 counterfeit crypto wallet extensions lurking in the browser’s add-on store. These malicious clones mimic legitimate wallets like MetaMask, waiting to drain unsuspecting investors’ funds with a single click.
How to spot the fakes? Check developer credentials, reviews, and download counts—but even that’s no ironclad guarantee. The irony? Traditional banks get flak for ‘security theater,’ yet crypto’s wild west leaves you playing sheriff.
Pro tip: Stick to official wallet websites, enable 2FA everywhere, and remember—if an extension promises ‘free ETH for signing in,’ it’s about as trustworthy as a Wall Street ‘sure thing.’
Inside The Fake Wallet Extensions on Firefox
The campaign, which remains active, was first detected as far back as April 2025. In their findings released Wednesday, Koi Security confirmed that the fake extensions had been uploaded to the Firefox Add-ons store as recently as last week.
Some of these extensions were still available at the time of the report, raising concerns about the continued exposure of users’ private keys and wallet data.
Once installed, the add-ons discreetly collected sensitive credentials, creating direct access points for attackers to steal users’ assets across multiple blockchain networks.
Security researchers say this operation poses a particular threat because of its longevity, stealth, and technical sophistication. The fact that new extensions are being uploaded even now suggests the campaign is not only active but persistent, evolving to avoid detection.
By mimicking widely used wallets and slipping through browser review systems, the actors behind this effort are leveraging both social engineering and technical spoofing to target crypto users.
Tactics, Attribution, and Broader Implications for Crypto Security
In an effort to establish credibility, many of the counterfeit extensions had been padded with hundreds of five-star ratings and positive reviews. These false signals of legitimacy likely helped persuade users to download the tools without suspecting foul play.
The extensions’ design, branding, and naming conventions also closely resembled those of official wallet providers, adding another LAYER of deception.
Koi Security researchers found several technical indicators suggesting a potential Russian-speaking group behind the campaign. Analysis of the extensions revealed Russian-language comments embedded in the code, and documents linked to the command-and-control infrastructure contained metadata in Russian.
While these clues are not definitive, they align with tactics seen in prior threat actor campaigns originating from Eastern Europe. “While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group,” the report noted.
The scale and persistence of the operation point to an organized effort. Koi Security emphasized that this isn’t a one-off exploit but an evolving tactic that could target other browsers and crypto platforms in the future.
The report recommends that users avoid downloading browser extensions outside of official wallet provider recommendations and double-check developer information on add-on pages. It also encourages users to inspect permissions requested by extensions and to remove any tool they did not explicitly install or no longer recognize.
Featured image created with DALL-E, Chart from TradingView
