Dozens of Malicious Firefox Extensions Found Stealing Crypto Wallet Keys
More than 40 fake browser extensions targeting cryptocurrency users have been discovered on the Firefox Add-ons store, according to cybersecurity firm Koi Security. These extensions impersonate trusted wallet tools like MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, and others in order to steal sensitive wallet information such as seed phrases and private keys.
The campaign has been active since at least April 2025, with new add-ons uploaded as recently as last week. The attackers cloned open-source wallet extensions, inserted malicious code, and rebranded them with official names and logos to appear legitimate. They even padded the listings with fake 5-star reviews to boost credibility and lure users into installing them.
“These extensions impersonate legitimate wallet tools from widely-used platforms,” said Yuval Ronen, a researcher at Koi Security. He added that the low-effort but high-impact nature of the attack allowed it to fly under the radar while still mimicking the expected user experience.
Unlike phishing attacks that rely on fake websites or emails, these malicious add-ons operate directly within the user’s browser, making them much harder to detect or block. The extensions not only harvest wallet credentials but also send victims’ IP addresses to remote servers. Russian-language code comments and C2 server metadata suggest the involvement of a Russian-speaking threat group.
Mozilla has removed all identified malicious extensions except for one (MyMonero Wallet), which is still under investigation. The company recently introduced an early detection system to flag suspicious crypto-related add-ons before they can spread.
Users are urged to install extensions only from verified developers and remain cautious of apps that may silently change behavior after installation.