firefox extensions stealing crypto

Over 40 malicious Firefox extensions have been stealing crypto wallets since April 2025 by impersonating trusted names like Coinbase, MetaMask, and Trust Wallet. These fake extensions look identical to the real ones, complete with bogus 5-star reviews. They work normally at first, then silently extract wallet keys and seed phrases in real time. Mozilla’s automated detection system plays catch-up, but attackers keep adapting their tactics. The digital heist continues evolving.


How naive can crypto holders be? Over 40 malicious Firefox extensions have been quietly draining wallets since April 2025, and many users probably installed them willingly.

These aren’t some obscure scam tools hiding in dark corners of the internet. They’re fake versions of trusted names like Coinbase, MetaMask, Trust Wallet, and Phantom.

The attackers aren’t particularly creative, but they’re effective. They clone legitimate open-source wallet extensions, inject malicious code, then slap on fake 5-star reviews to boost credibility.

Hundreds of glowing reviews, all fabricated. The extensions look identical to the real thing, complete with matching logos and names. Most users probably can’t tell the difference.

What makes this particularly brutal is how these extensions operate. They don’t immediately reveal their true nature. Instead, they function normally at first, lulling users into a false sense of security.

Meanwhile, they’re silently extracting wallet keys, seed phrases, and credentials in real time. Every sensitive piece of information gets transmitted to remote servers controlled by the attackers.

The scope is impressive, in a disturbing way. Chrome and Firefox users are both targets, but Firefox has seen a particularly large cluster of fake extensions.

The campaign focuses on widely adopted wallets like Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Smart strategy, really. Why target obscure wallets when you can go after the popular ones?

Even IP addresses get captured and transmitted during extension initialization. The attackers want to track their victims, possibly for future targeting.

Nothing says “thorough theft” like collecting location data alongside stolen crypto credentials.

Mozilla finally caught on and introduced an automated detection system for wallet extensions. The system generates risk profiles and alerts human reviewers when submissions exceed danger thresholds.

Malicious extensions get blocked immediately once discovered through this process.

But here’s the thing about automated systems: they’re reactive, not proactive. The campaign continues to evolve, and attackers adapt.

Russian-language comments in the source code suggest the threat actors are Russian-speaking, adding another layer to this international crypto heist.

This threat landscape mirrors the broader crisis facing the crypto industry, where over 70,000 customers were at risk following Coinbase Global’s personal information breach in May 2025.

Firefox users are fundamentally playing a game of digital whack-a-mole, where the stakes are their entire crypto portfolios.
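
Because the fake extensions copy the names and logos of real wallets, the add-on ID is a more reliable thing to compare than the display name. The Python sketch below is an added example, not code from Mozilla or from the researchers who reported the campaign: it reads the contents of a Firefox profile's `extensions.json`, picks out add-ons whose name contains one of the wallet brands named above, and reports those whose ID does not match one you verified yourself on the wallet vendor's official site. The sample data and every ID in it are constructed placeholders, and the field names follow the `extensions.json` layout as an assumption to check against your own profile.

```python
import json

# Wallet brands the article names as impersonation targets.
BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
          "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox")
# Host patterns that let an extension read pages on every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def triage(extensions_json, verified_ids):
    """List wallet-branded add-ons whose ID is not the one you verified."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        brand = next((b for b in BRANDS if b in name.lower()), None)
        if brand is None:
            continue  # not wallet-branded
        expected = verified_ids.get(brand)
        if expected and addon.get("id") == expected:
            continue  # matches the ID taken from the vendor's own site
        origins = (addon.get("userPermissions") or {}).get("origins") or []
        findings.append({
            "id": addon.get("id"),
            "name": name,
            "brand": brand,
            "reason": "ID mismatch" if expected else "no verified ID on file",
            "broad_access": bool(BROAD & set(origins)),
        })
    return findings

# Constructed sample: every ID below is a placeholder, not a real add-on ID.
SAMPLE = json.dumps({"addons": [
    {"id": "official-wallet@placeholder.example", "type": "extension",
     "defaultLocale": {"name": "MetaMask"},
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
    {"id": "{00000000-0000-4000-8000-000000000001}", "type": "extension",
     "defaultLocale": {"name": "MetaMask Wallet"},
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
    {"id": "adblock@placeholder.example", "type": "extension",
     "defaultLocale": {"name": "Ad Blocker"},
     "userPermissions": {"permissions": [], "origins": []}},
    {"id": "keplr-copy@placeholder.example", "type": "extension",
     "defaultLocale": {"name": "Keplr"}, "userPermissions": None},
]})
VERIFIED = {"metamask": "official-wallet@placeholder.example"}

if __name__ == "__main__":
    for finding in triage(SAMPLE, VERIFIED):
        print(finding)
```

A name match is only a prompt for manual review: legitimate wallets also request access to every site, so `broad_access` is context for the reviewer rather than a verdict.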
