https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486
More than 40 malicious browser extensions impersonating popular cryptocurrency wallets have flooded Firefox’s official add-ons store. They are designed to steal wallet credentials and sensitive data from unsuspecting users. The fake extensions masquerade as legitimate wallets from trusted providers including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, and incorporate malicious code that exfiltrates stolen information to attacker-controlled servers. Researchers at Koi Security discovered the campaign and identified evidence pointing to a Russian-speaking threat group behind the operation, which has been active since at least April 2025, with new malicious entries appearing as recently as last week.
The malicious extensions are sophisticated clones of open-source versions of legitimate wallets enhanced with dangerous functionality that monitors user inputs for sensitive data. The embedded code includes input and click event listeners that specifically target strings longer than 30 characters to identify realistic wallet keys and seed phrases, which are then secretly transmitted to the attackers. The extensions hide error dialogs from users by setting opacity to zero, preventing victims from detecting the malicious activity while their recovery phrases are being stolen. Since seed phrases serve as master keys for cryptocurrency wallets, obtaining them allows attackers to steal all digital assets in a wallet through transactions that appear legitimate and are irreversible.
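The behaviour described above can be turned into a static triage check over unpacked extension source. This is an added example, not code from Koi Security or Mozilla; the function names, the "threshold of 30 or more" rule and the sample fragments are assumptions constructed for illustration.

```javascript
// Added example: static triage heuristic for extension source text.
// Regexes only see plain source; obfuscated code must be deobfuscated first.
const INDICATORS = {
  // input/click listeners, the two event types named in the summary above
  listener: /addEventListener\(\s*['"](?:input|click)['"]/,
  // outbound request primitives available to extension scripts
  network: /\b(?:fetch|XMLHttpRequest|sendBeacon|WebSocket)\b/,
  // opacity forced to exactly 0 (values such as 0.5 must not match)
  hiddenUi: /opacity\s*[:=]\s*['"]?0(?![.\d])/,
};
const MIN_GATE = 30; // assumption: flag length checks with a threshold >= 30

// True when the source compares some .length against a threshold >= MIN_GATE.
function hasLengthGate(src) {
  for (const m of src.matchAll(/\.length\s*>=?\s*(\d+)/g)) {
    if (Number(m[1]) >= MIN_GATE) return true;
  }
  return false;
}

function scanExtensionSource(src) {
  const hits = {
    listener: INDICATORS.listener.test(src),
    lengthGate: hasLengthGate(src),
    network: INDICATORS.network.test(src),
    hiddenUi: INDICATORS.hiddenUi.test(src),
  };
  const score = Object.values(hits).filter(Boolean).length;
  // Core pattern: watch fields, keep only long strings, send them out.
  const suspicious = hits.listener && hits.lengthGate && hits.network;
  return { hits, score, suspicious };
}

// Constructed, disconnected fragments (not taken from any real extension).
const SAMPLE_SUSPECT = [
  "el.addEventListener('input', onField);",
  "if (value.length > 30) queue.push(value);",
  "fetch(ENDPOINT, { method: 'POST', body: payload });",
  "dialog.style.opacity = '0';",
].join("\n");
const SAMPLE_BENIGN = [
  "field.addEventListener('input', validateLabel);",
  "if (label.length > 20) showHint();",
  "banner.style.opacity = '0.5';",
].join("\n");

console.log(scanExtensionSource(SAMPLE_SUSPECT));
console.log(scanExtensionSource(SAMPLE_BENIGN));
```

A hit is a reason to review the extension by hand, not a verdict: legitimate wallets also listen for input and make network requests, so the length gate and the hidden-dialog indicator carry most of the signal.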
Despite Mozilla’s development of an early detection system for crypto scam extensions that uses automated indicators and human reviewers, the fake wallet extensions continue to proliferate in the Firefox store. The threat actors build credibility by using authentic logos from the brands they impersonate and generating hundreds of fake five-star reviews, though some extensions also display numerous one-star reviews from victims reporting the scam. Although Koi Security reported their findings to Mozilla through official channels, the malicious extensions remained available at the time of their report. This highlights the ongoing challenge of combating cryptocurrency-focused malware in browser extension marketplaces, where the sheer volume of fake reviews often exceeds actual installation numbers.