🚨 Alert: Over 40 Fake Crypto Wallet Extensions Pose Major Malware Risk on Browsers
Browser extensions masquerading as crypto wallets are fleecing users, again. Security researchers just flagged more than 40 malicious add-ons draining funds across Chrome and Firefox. Time to audit your plugins.
How the scam works: These extensions mimic legitimate wallets like MetaMask, complete with fake five-star reviews. Once installed, they siphon private keys or redirect transactions to attacker-controlled addresses. Classic wolf-in-sheep's-code.
Why this keeps happening: Browser stores' vetting processes have all the rigor of a meme coin's whitepaper. Meanwhile, crypto's "self-custody" mantra meets its arch-nemesis: human laziness.
Pro tip: Stick to wallet apps downloaded from official sources, because in crypto, even your browser's extension tab now needs a "DYOR" warning.
How do fake wallets steal user credentials?
The fake wallet extensions extract user credentials directly through the websites they target and transmit them to a remote server controlled by the hackers. They can also use this mode of infiltration to uncover a user's external IP address, most likely to track or target their other devices.
When displayed on the browser plug-in marketplace, the fake wallets mirror major wallet platforms almost to the very last detail: they use the same names and logos as the services they impersonate in order to gain the user's trust.
To make a fake wallet seem believable to the average viewer, the hackers use a tactic called review inflation. Many of the malicious extensions had hundreds of fake 5-star reviews, far exceeding their actual user base.
This tactic makes the fake wallet extension appear widely adopted and positively reviewed, as if it were the real thing.
In some cases, Koi found that malicious actors took advantage of the fact that the original extensions are open source, cloning the codebases and slipping their own malicious code into them.
"This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection," wrote Koi.
However, users can look for signs that indicate the extension they intend to download is actually a fraud. These include the appearance of comments in the extension code written in Russian, and suspicious metadata found in the PDF file retrieved from a command server in the operation.
Users can stay safe from fake wallet attacks by only installing extensions from verified publishers and using an extension allow-list to restrict installation to pre-approved, validated plugins only.
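The allow-list audit described above, as an added example (not code from the article or from Koi): it walks a Chromium-style `Extensions/<id>/<version>/manifest.json` tree and reports every installed extension whose ID is not on the allow-list, noting whether it carries a watched wallet brand name or requests access to all sites. The directory layout, the brand list and the sample IDs are assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

EXT_ID = re.compile(r"[a-p]{32}")       # Chrome extension IDs: 32 chars from a-p
WALLET_BRANDS = ("metamask",)           # assumption: brand names to watch for
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def load_json(path):
    """Parse a JSON file (tolerating a UTF-8 BOM); return {} when unusable."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(version_dir, manifest):
    """Resolve the name, following a __MSG_key__ reference into _locales."""
    name = str(manifest.get("name", ""))
    ref = re.fullmatch(r"__MSG_(\w+)__", name)
    locale = str(manifest.get("default_locale", "en"))
    messages = load_json(version_dir / "_locales" / locale / "messages.json") if ref else {}
    for key, entry in messages.items():   # message keys are case-insensitive
        if key.lower() == ref.group(1).lower() and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name

def audit_extensions(ext_root, allowlist):
    """Map each installed extension ID that is not allow-listed to a finding."""
    findings = {}
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        if not EXT_ID.fullmatch(ext_id) or ext_id in allowlist or ext_id in findings:
            continue
        manifest = load_json(manifest_path)
        name = display_name(manifest_path.parent, manifest)
        perms = {p for k in ("permissions", "host_permissions")
                 for p in manifest.get(k) or [] if isinstance(p, str)}
        findings[ext_id] = {"name": name, "broad_host_access": bool(perms & BROAD_HOSTS),
                            "claims_wallet_brand": any(b in name.lower() for b in WALLET_BRANDS)}
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample profile
        ver = Path(root, "b" * 32, "1.0_0")
        ver.mkdir(parents=True)
        (ver / "manifest.json").write_text(json.dumps({"name": "MetaMask", "permissions": ["<all_urls>"]}))
        print(audit_extensions(root, {"a" * 32}))
```

An extension that uses a wallet brand name under an ID that is not on the allow-list is the look-alike case the article describes; the allow-list itself should be built from IDs taken from each wallet vendor's official site.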
Lately, hackers are getting more creative with ways to infiltrate crypto user wallets, ranging from fake job search sites to printer extensions. In fact, according to a NASAA survey, cryptocurrency and social media scams are considered a top threat to retail investors in 2025.