Cryptocurrency scammers are exploiting Firefox browser extensions to steal wallet credentials, contributing to a staggering $2.5 billion in losses during the first half of 2025 alone. These fake extensions masquerade as legitimate security tools while secretly extracting website data and sending it to attacker-controlled servers. The malicious programs collect external IP addresses to track victims, then drain wallets once credentials are entered. Mozilla’s Add-ons team developed detection systems, but it’s fundamentally a cat-and-mouse game where sophisticated tactics continue evolving.
While most people worry about forgetting their passwords, cryptocurrency users face a much darker reality: scammers who make those passwords disappear along with everything else.
The numbers are staggering. Crypto scams and hacks have caused nearly $2.5 billion in investor losses in just the first half of 2025. That’s not a typo. The FBI reported $16.6 billion in global losses to crypto-related scams in 2024, with US losses jumping 66% compared to 2023. Apparently, scammers are having a banner year.
Browser extensions have become their weapon of choice. In July 2025, experts uncovered 45 fake Firefox extensions distributing malware designed to steal wallet credentials. These malicious programs don’t just grab your login details—they extract everything from websites and send it straight to attacker-controlled servers. Your external IP address goes along for the ride, helping criminals track and target you more effectively.
These digital pickpockets don’t just steal your passwords—they harvest everything and use your IP to hunt you down.
The fake extensions masquerade as legitimate wallet tools, fooling users into downloading digital pickpockets. Once installed, these programs work silently in the background, waiting for victims to enter their precious private keys. It’s like inviting a thief into your house and handing them your safe combination.
Wallet compromise and phishing remain the two most common methods hackers use to steal cryptocurrency funds. The scale is mind-boggling: 144 hacking or scam incidents occurred in Q2 2025 alone, bringing the year-to-date total to 344 incidents. Despite the massive losses, industry experts managed to recover approximately $180 million in stolen assets, highlighting the importance of asset recovery efforts in mitigating damages.
Two major incidents accounted for approximately $1.78 billion in thefts, including a $1.5 billion North Korea-related hack on Bybit. Wallet compromise accounted for about $1.71 billion in stolen funds, while phishing snatched approximately $410 million.
SlowMist managed to help victims freeze or recover about $12 million in stolen assets during Q2 2025, which sounds impressive until you realize it’s roughly half a percent of what was stolen.
Scammers employ crypto wallet drainers, fraudulent tools designed to empty wallets once credentials are entered. Some even use malicious firmware pre-installed on hardware wallets sold through unofficial channels. The attackers gain victims’ trust through fake ratings and reviews, making their malicious extensions appear legitimate and safe to download.
The Mozilla Add-ons team developed an early detection system analyzing risk profiles of crypto wallet extensions, but the cat-and-mouse game continues.
