Firefox Crypto Nightmare: How Fake Wallet Extensions Are Draining Your Digital Fortune

Author: CoinTurk
Published: 2025-07-03 07:37:42

Browser extensions masquerading as legitimate crypto wallets have infiltrated Mozilla's marketplace—and they're stealing millions.

These malicious add-ons mimic popular wallets like MetaMask, tricking users into surrendering private keys. Once installed, they quietly siphon funds to offshore wallets while victims sleep.

Security researchers found these fakes use near-identical branding and fake 5-star reviews to appear legitimate. The most sophisticated versions even include functional interfaces—until you try to withdraw funds.

Mozilla claims to vet all extensions, but the flood of new submissions makes manual review impossible. 'It's like hiring one bouncer for a stadium rave,' quipped one blockchain analyst.

Protect yourself: Only download from official sources, verify developer credentials, and never store large amounts in browser-based wallets. Remember—if an extension promises 20% APY, it's either a scam or a DeFi project about to collapse.

Counterfeit Extensions Attack Firefox Store

The fake extensions mimic the official logos and descriptions of leading cryptocurrency wallet services like MetaMask, presenting an air of legitimacy. By using popular keywords in store search results, they rapidly climb the download charts. Once installed, although the browser interface appears genuine, embedded scripts capture private keys and recovery phrases, sending them to malicious servers.

Koi Security noted that the malicious code is hidden within closed-source JavaScript modules, evading automated scans. By abusing Firefox’s permission management, the extensions demand extensive web-tracking rights and can capture user passwords entered in new tabs. Unwitting victims install what they believe is a single wallet extension, but actually become targets for multiple scripts.
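
As an added example (not code from Koi Security's report or from Mozilla), the JavaScript below triages an extension's `manifest.json` for the two traits described above: wallet look-alike naming and broad web-access permissions. The trusted-ID allowlist and both sample manifests are constructed placeholders, and the lists of broad host patterns and sensitive APIs are an assumed starting set.

```javascript
// Triage a Firefox WebExtension manifest for look-alike wallet branding and
// broad web-access permissions. IDs and sample manifests are constructed.
const WALLET_BRANDS = ["metamask"]; // brand named in the article
const TRUSTED_IDS = new Set(["official-wallet@example.invalid"]); // placeholder allowlist
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_APIS = new Set([
  "tabs", "webRequest", "webNavigation", "history", "cookies", "clipboardRead",
]);

// Lower-case and drop everything except letters and digits, so that
// "Meta-Mask Wallet" still matches the brand "metamask".
function normalize(name) {
  return String(name || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Returns a list of finding strings; an empty list means nothing was flagged.
function auditManifest(manifest) {
  const findings = [];
  const id = manifest.browser_specific_settings?.gecko?.id ?? null;
  const requested = [
    ...(manifest.permissions ?? []),          // Manifest V2 mixes hosts in here
    ...(manifest.host_permissions ?? []),     // Manifest V3 lists hosts separately
    ...(manifest.optional_permissions ?? []),
  ];
  const brand = WALLET_BRANDS.find((b) => normalize(manifest.name).includes(b));
  if (brand && !TRUSTED_IDS.has(id)) findings.push(`lookalike:${brand}`);
  const hosts = requested.filter((p) => BROAD_HOSTS.has(p));
  if (hosts.length) findings.push(`broad-hosts:${hosts.join(",")}`);
  const apis = requested.filter((p) => SENSITIVE_APIS.has(p));
  if (apis.length) findings.push(`sensitive-apis:${apis.join(",")}`);
  return findings;
}

// Constructed sample: wallet-like name, unknown publisher ID, broad access.
const SAMPLE_SUSPECT = {
  manifest_version: 2,
  name: "Meta-Mask Wallet",
  browser_specific_settings: { gecko: { id: "unknown-publisher@example.invalid" } },
  permissions: ["storage", "tabs", "webRequest", "<all_urls>"],
};
// Constructed sample: unrelated extension scoped to a single site.
const SAMPLE_BENIGN = {
  manifest_version: 3,
  name: "Reader Notes",
  permissions: ["storage"],
  host_permissions: ["https://notes.example.invalid/*"],
};
```

Genuine wallet extensions also request broad host access, so these findings are triage signals to weigh against the publisher identity, not a verdict.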

Russian Clues Unmask Attackers

The report highlights Russian-language comments found in PDF files and source code notes hosted on the command-and-control servers linked to the malicious extensions. Although security researchers suggest these clues point to a Russian-speaking threat actor, they acknowledge the lack of definitive proof. However, geographic timestamps, file paths, and error messages in the same language bolster the findings.

Most importantly, since the initial attack in April, more than 60 versions have been uploaded, with the latest malicious deployment occurring just a week ago. These extensions are continuously updated and, when detection signatures emerge, change names to reappear under the radar. Koi Security warns that some copies remain unchecked in the Firefox store and urges users to upgrade extensions only through links from the wallets' official sites.
