Firefox Users Under Siege: Malicious Wallet Extensions Drain Crypto in Latest Attack Wave

Another day, another crypto heist—only this time, the thieves didn’t need your private keys. They just needed you to trust Firefox.

Hackers are exploiting the browser’s extension ecosystem to hijack wallets, leaving users with drained balances and a harsh lesson in 'trust no software.' No need for phishing links or fake NFTs—just a poisoned plugin.

Security researchers report the attacks target mainstream wallets like MetaMask, slipping past Firefox’s vetting process. The extensions mimic legitimate tools, complete with fake reviews—because nothing says 'credible' like five stars from bot accounts.

Meanwhile, centralized exchanges are 'deeply concerned' (translation: quietly relieved it’s not their fault this time).

Pro tip: If your DeFi strategy includes 'clicking random browser add-ons,' maybe just Venmo your money to a stranger instead. Faster, same result.

Firefox fake extensions target the most widely used wallets

Koi intercepted fake apps for some of the most widely used wallet extensions, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, ethereum Wallet, and Filfox. 

The researchers discovered over 40 apps posing as wallets, with new ones appearing. Some of the fake wallets are still active on unofficial links. According to researchers, the fake apps started spreading around April 2025. 

The extensions extract and send out wallet extensions, reaching a server controlled by the attacker. The apps also transmit the user’s IP address for tracking and further targeting. 

Attackers cloned the open-source code of legitimate wallets

The attack was relatively simple, often using the legitimate wallet code for open-source projects like MetaMask. The fake apps then injected the malicious code to allow the wallet to steal data and credentials. 

The fake wallet apps were active on app stores, using the same logos and style as the original wallet. Previously, faked wallets have targeted specific niche projects, but this time, the attacker spoofed multi-asset wallets, widely used for DeFi, trading, NFT and other on-chain tasks. 

Code analysis concluded the attack most likely originated from Russia, as Russian-language code comments were discovered in some of the apps. Metadata from a file on one of the command-and-control servers also points to a Russian attacker.

Koi advices users to install an allow list filter and avoid downloading apps without vetting. Some of the apps may not show problems, but later update and change their behavior. Security researchers also advice against searching apps directly, as the results may point to fake wallets with deliberately inflated five-star reviews. The best approach is to use the wallet’s official web page or social media. 

Users were also advised to be skeptical when seeing an app with too many five-star reviews, that were artificially placed to make the app seem established and legitimate. 

KEY Difference Wire: the secret tool crypto projects use to get guaranteed media coverage