What are the Firefox extensions that steal cryptocurrency wallets and how can I avoid them?

In July 2025, over 40 malicious Firefox extensions were discovered targeting users of popular crypto wallets such as MetaMask, Trust Wallet, and Coinbase. These fake add-ons mimicked real wallet tools, using the same names, logos, and fake 5-star reviews to trick users. Once installed, they silently stole wallet keys, seed phrases, and IP addresses, putting user funds at risk. Mozilla has removed most of these extensions and activated an early detection system, but users must still stay cautious when installing browser add-ons. Only use verified publishers, avoid suspicious reviews, and use hardware wallets for added safety.

What Happened?

In July 2025, cybersecurity experts revealed that more than 40 malicious extensions were found on the Mozilla Firefox Add-ons Store. These fake browser add-ons were designed to steal cryptocurrency wallet details, putting thousands of users at risk of losing their digital assets.

These dangerous extensions pretended to be legitimate tools from well-known crypto platforms like:

  • Coinbase

  • MetaMask

  • Trust Wallet

  • Phantom

  • Exodus

  • OKX

  • Keplr

  • MyMonero

  • Bitget

  • Leap

  • Ethereum Wallet

  • Filfox

How Do These Malicious Extensions Work?

Fake Look, Real Danger

These extensions look and feel just like the real ones. They use the same logos, names, and designs as the original crypto wallet add-ons. They even added hundreds of fake 5-star reviews to appear trustworthy.

Stealing Wallet Keys and IP Addresses

Once installed, these malicious tools steal your wallet seed phrases and private keys—the sensitive info needed to access your crypto. They also send your IP address to an attacker-controlled server.

This is very dangerous because:

  • The attacker can take full control of your wallet.

  • You may not realize anything is wrong until it’s too late.

  • These attacks happen within your browser, not through emails or websites.

Who Is Behind This Attack?

Experts at Koi Security believe that the threat actors may be Russian-speaking, based on:

  • Russian language comments found in the code.

  • Metadata in files from the attacker’s server.

The campaign has been running since April 2025 and continued uploading new extensions even recently.

Mozilla’s Response

Mozilla has already removed almost all the fake extensions except one (MyMonero Wallet). The company also announced that they are using an “early detection system” to automatically block scam crypto wallet add-ons before they spread widely.

Why Is This Different from Regular Phishing?

Unlike typical phishing scams that use fake websites or scam emails, these extensions:

  • Live inside your browser.

  • Appear trustworthy.

  • Don’t disrupt user experience.

  • Are harder to detect by antivirus or endpoint tools.

This makes them low-effort but high-impact for attackers.

What Can You Do to Stay Safe?

Tips to Protect Your Crypto Wallets

✅ Only download browser extensions from verified publishers.
✅ Double-check the number of users vs. reviews—fake ones usually don’t match.
✅ Avoid installing wallet extensions unless absolutely necessary.
✅ Review the permissions each extension requests and don’t grant access to sensitive data.
✅ Use hardware wallets for large crypto holdings.
✅ Use browsers with built-in scanning for malicious extensions, like Firefox’s early detection system.
✅ Keep your browser and antivirus tools updated.
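
To make the permission and publisher checks above concrete, here is an added example (not part of the original article and not Mozilla tooling) that audits the add-ons recorded in a Firefox profile's `extensions.json`. It assumes that file's usual field names (`addons`, `defaultLocale`, `userPermissions`, `location`), which are an internal format rather than a documented interface; the sample data is constructed.

```python
import json
import sys

# Wallet brands the article lists as impersonated.
WALLET_BRANDS = ["coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
                 "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox"]
# Host patterns that let an extension read and modify every page you open.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample in the shape of a profile's extensions.json (not real add-ons).
SAMPLE = {"addons": [
    {"id": "wallet-helper@example.invalid", "type": "extension", "location": "app-profile",
     "active": True, "defaultLocale": {"name": "MetaMask Wallet Helper", "creator": "dev123"},
     "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["<all_urls>"]}},
    {"id": "notes@example.invalid", "type": "extension", "location": "app-profile",
     "active": True, "defaultLocale": {"name": "Simple Notes", "creator": "Notes Team"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "dark@example.invalid", "type": "theme", "location": "app-profile",
     "active": True, "defaultLocale": {"name": "Phantom Dark Theme"}, "userPermissions": None},
]}

def audit_extensions(data):
    """Return a finding for each user-installed extension that needs a manual check."""
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue  # skip themes, dictionaries and built-in add-ons
        locale = addon.get("defaultLocale") or {}
        name = locale.get("name") or ""
        origins = set((addon.get("userPermissions") or {}).get("origins") or [])
        reasons = []
        brand = next((b for b in WALLET_BRANDS if b in name.lower()), None)
        if brand:
            reasons.append(f"name uses wallet brand '{brand}': verify the publisher")
        if origins & BROAD_ORIGINS:
            reasons.append("host permission covers all websites")
        if reasons:
            findings.append({"id": addon.get("id"), "name": name,
                             "creator": locale.get("creator"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    # Pass the path to <profile folder>/extensions.json, or run with no argument for the sample.
    data = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE
    for f in audit_extensions(data):
        print(f"{f['name']} ({f['id']}) by {f['creator']}: " + "; ".join(f["reasons"]))
```

The profile folder path is shown on Firefox's `about:support` page. A flagged entry is a prompt to compare the add-on against the wallet vendor's official download link, not proof that it is malicious.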

Real-World Impact

This incident highlights how simple mistakes like installing a fake extension can lead to major financial losses. With the popularity of cryptocurrencies growing, attackers are using smarter and sneakier methods to trick users and steal digital assets.

If you're a crypto user or trader, be extra cautious about browser extensions—what looks helpful could be hiding a dangerous trap.

Conclusion

This large-scale attack reminds us how important it is to:

  • Stay alert online.

  • Question anything that looks too good or too polished.

  • Regularly monitor crypto wallets and use multi-factor authentication whenever possible.

Security is not just the job of experts—it’s everyone’s responsibility.

FAQ

What are malicious Firefox extensions?

Malicious Firefox extensions are browser add-ons that appear legitimate but are designed to steal user information like wallet keys or browsing data.

How do fake extensions steal cryptocurrency?

They mimic real wallet tools and secretly extract sensitive data such as seed phrases and private keys from within the browser.

Which crypto wallets were targeted?

Popular wallets like MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, and others were impersonated.

How many malicious extensions were found?

Cybersecurity researchers discovered over 40 such malicious Firefox extensions.

Who discovered these malicious extensions?

The attack campaign was uncovered by Yuval Ronen, a researcher at Koi Security.

Are these fake extensions still active?

Most have been removed by Mozilla, but some, like MyMonero Wallet, were still active at the time of discovery.

How did the attackers trick users?

They used the same names, logos, and added fake 5-star reviews to make the extensions look trustworthy.

What information do these extensions steal?

They steal seed phrases, private keys, and also transmit your IP address to attacker-controlled servers.

Is this type of attack the same as phishing?

No, it’s more dangerous because the attack happens inside your browser—not through fake emails or websites.

Why are these attacks hard to detect?

They maintain normal functionality and blend in with real extensions, avoiding traditional security detection.

What is a seed phrase in cryptocurrency?

A seed phrase is a set of words that lets users access their crypto wallets. If stolen, anyone can control the wallet.

Can antivirus software stop these extensions?

Not always. Because the extensions run inside your browser, they may bypass regular antivirus protection.

How do I know if an extension is fake?

Check the publisher, number of installs vs reviews, and read user feedback carefully before installing.

Did Mozilla respond to the threat?

Yes, Mozilla removed most of the extensions and deployed an early detection system for future threats.

What is Mozilla’s early detection system?

It’s a tool to scan for and block scam extensions before they become popular and widely installed.

Is my wallet safe if I never installed these extensions?

Yes, but it’s still wise to review your installed extensions regularly and keep your browser updated.

How can I protect my cryptocurrency assets?

Use verified extensions only, keep your browser updated, use hardware wallets, and enable two-factor authentication.

Are other browsers affected?

This specific campaign targeted Firefox, but similar tactics could apply to other browsers too.

Can I recover stolen crypto from these attacks?

Unfortunately, once stolen, crypto is often unrecoverable due to the nature of blockchain transactions.

What signs should I look for if I suspect an extension is fake?

Unusual behavior, missing publisher info, unexpected pop-ups, and mismatched user stats can be red flags.

Was this attack linked to any specific country?

Evidence suggests that the threat actors were likely Russian-speaking based on code and server metadata.

Are open-source extensions more vulnerable?

Yes, attackers can copy open-source code, inject malicious functions, and reupload it as a fake tool.

Should I delete my wallet if I installed a fake extension?

Yes, and immediately transfer your funds to a new wallet using a secure setup.

Are Firefox users more at risk?

Firefox users were targeted in this case, but all browser users should remain cautious about extensions.

How long has the attack campaign been active?

The campaign has been active since at least April 2025.

Can browser extensions access private keys?

Yes, if given permission or disguised properly, malicious extensions can extract private key data.

Why did attackers use fake reviews?

Fake reviews increase the add-on’s credibility and trick users into installing it.

What is IP address theft and why does it matter?

IP address theft can help attackers track location or use the info for further attacks or profiling.

Should I report suspicious extensions?

Yes, report them to the browser’s extension store or support team to help protect others.

What steps should developers take to prevent cloning?

Developers should monitor for clones, obfuscate sensitive parts of their code, and register trademarks.
