Security researchers have uncovered a massive campaign involving more than 40 fake Firefox extensions. These malicious extensions are designed to steal users’ cryptocurrency wallet credentials.
The extensions pretend to be official tools from popular wallet platforms like Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, and others. Once installed, they secretly steal sensitive wallet information and send it to servers controlled by attackers.
The campaign, discovered by Koi Security, has been active since at least April 2025. Shockingly, some of these extensions are still available in the official Firefox Add-ons store. The attackers continue to upload new versions, which shows that the campaign is still active and evolving.
To build trust, these extensions used several tricks. They copied the names and logos of real wallets to look authentic. Many of them had hundreds of fake 5-star reviews to appear popular and trustworthy.
Some even used real open-source wallet code and added hidden malicious scripts. This made the extensions work normally, so users would not suspect anything was wrong.
The extensions also collected users’ external IP addresses during setup, likely for tracking purposes.
While it is not confirmed, there are signs that the attackers may be Russian-speaking. Researchers found Russian-language comments in the code and metadata in files linked to the campaign.
List of Malicious Firefox Extensions Involved
The known malicious extensions used in the campaign were designed to mimic popular crypto wallets and steal user credentials.
To stay safe, install extensions only from trusted and verified publishers. Always read recent reviews carefully, even if the extension has high ratings. You should also monitor installed extensions regularly, as they can auto-update and change behavior.
Koi Security, the team behind the discovery, warns that browser extensions should be treated like full software programs. They often run with high-level permissions and can cause serious damage if misused.
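One way to act on the advice to monitor installed extensions, as an added example that is not from Koi Security or the original article: compare two saved copies of a Firefox profile's `extensions.json` and report new add-ons, version changes, added permissions, and names containing one of the wallet brands mentioned above so the publisher can be verified. The field names (`addons`, `location`, `defaultLocale`, `userPermissions`) are assumed from the current profile format, and the sample snapshots and add-on IDs are constructed.

```python
import json

# Wallet brands the article says were impersonated.
BRANDS = ["coinbase", "metamask", "trust wallet", "phantom", "exodus",
          "okx", "keplr", "mymonero", "bitget"]

def load_addons(text):
    """Map add-on id -> (name, version, granted permissions) for user-installed extensions."""
    out = {}
    for a in json.loads(text).get("addons", []):
        if a.get("type") != "extension" or a.get("location") != "app-profile":
            continue  # skip themes, dictionaries and built-in add-ons
        perms = a.get("userPermissions") or {}
        granted = set(perms.get("permissions", [])) | set(perms.get("origins", []))
        name = (a.get("defaultLocale") or {}).get("name", "")
        out[a["id"]] = (name, a.get("version", ""), granted)
    return out

def audit(baseline, current):
    """Compare two snapshots and return sorted (add-on id, finding) pairs."""
    old, new = load_addons(baseline), load_addons(current)
    findings = []
    for aid, (name, version, perms) in new.items():
        if aid not in old:
            findings.append((aid, "new-install"))
        else:
            if version != old[aid][1]:
                findings.append((aid, "updated"))  # auto-update changed the code
            if perms - old[aid][2]:
                findings.append((aid, "permissions-added"))
        if any(b in name.lower() for b in BRANDS):
            findings.append((aid, "wallet-brand-verify-publisher"))
    return sorted(findings)

# Constructed sample snapshots (assumed field layout, made-up add-on IDs).
def _snap(*addons):
    return json.dumps({"addons": [
        {"id": i, "type": "extension", "location": "app-profile", "version": v,
         "defaultLocale": {"name": n},
         "userPermissions": {"permissions": p, "origins": o}}
        for i, n, v, p, o in addons]})

BASELINE = _snap(("notes@example.invalid", "Quick Notes", "1.0", ["storage"], []))
CURRENT = _snap(
    ("notes@example.invalid", "Quick Notes", "1.1", ["storage", "tabs"], ["<all_urls>"]),
    ("wallet@example.invalid", "MetaMask Wallet", "2.0", ["storage"], []))

if __name__ == "__main__":
    print(*audit(BASELINE, CURRENT), sep="\n")
```

A brand match is not a verdict: the genuine wallet extension is flagged too, and the finding only means its publisher should be checked against the wallet vendor's own download page.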