Fake Firefox Add-Ons Are Stealing Crypto Wallet Data
A new malware campaign is targeting Firefox users with fake browser extensions that look like legitimate crypto wallets—and they’re shockingly convincing. According to researchers at Koi Security, over 40 malicious add-ons have been found impersonating well-known wallets like MetaMask, Coinbase Wallet, and Phantom. The goal? Stealing seed phrases and private keys before victims even realize what’s happening.
The scheme, dubbed “FoxyWallet,” works by sneaking malicious code into what appears to be a normal extension. Once installed, the add-on quietly sifts through user inputs, hunting for strings longer than 30 characters—basically, anything that resembles a wallet recovery phrase. When it finds one, it sends the data straight to the attackers’ servers. Oh, and it also grabs the victim’s IP address, which could open the door for even more trouble down the line.
How the Scam Works
The attackers didn’t start from scratch. Koi Security says they cloned the open-source code of real wallet extensions, then slipped in their own malicious logic. The result? Extensions that work just fine—until they don’t.
There’s some evidence pointing to a Russian-speaking group behind this. Bits of Russian-language comments were found in the code, and a PDF on the attackers’ server had metadata suggesting the same. It’s not definitive proof, but it’s a strong lead.
What’s worse, this campaign isn’t new. It’s been running since at least April, with new fake extensions still being uploaded as recently as last week. Even after Koi Security reported their findings to Mozilla, some of the malicious add-ons were still available on Firefox’s official store yesterday.
Mozilla’s Response
Mozilla acknowledged the issue in a statement Thursday, saying they’re aware of “attempts to exploit Firefox’s add-ons ecosystem.” They claim to have improved their detection tools and removed many of the flagged extensions before Koi’s report went public. A few are still under review.
Andreas Wagner, Mozilla’s Add-ons Operations Manager, called it a “cat and mouse game.” Over the past few years, they’ve taken down hundreds of fake crypto wallets, but the scammers keep finding ways around their defenses.
How to Stay Safe
If you’re using Firefox—or any browser, really—here are the best ways to avoid these traps:
– **Stick to verified publishers.** If an extension claims to be from MetaMask or Coinbase, double-check the developer’s name.
– **Treat extensions like full software.** They can do a lot of damage if they’re malicious, so don’t install them casually.
– **Use an allow list.** Only let approved extensions run in your browser.
– **Monitor regularly.** Don’t just scan once and forget about it.
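One way to act on the allow-list and monitoring advice above, as an added example that is not from Koi Security or Mozilla: a Python check that compares the add-ons recorded in a Firefox profile's `extensions.json` against an approved list and flags wallet-branded names installed under unapproved IDs. The add-on IDs and sample data are constructed, and the field names used (`addons`, `id`, `type`, `location`, `defaultLocale.name`) are assumptions about that file's layout.

```python
import json

# Constructed allow list of add-on IDs. These are placeholders,
# not the real IDs of any published extension.
ALLOWED_IDS = {"wallet@approved.example", "blocker@approved.example"}
# Wallet brands the article names as impersonation targets.
WALLET_BRANDS = ("metamask", "coinbase", "phantom")
# Assumption: install locations Firefox records for add-ons it ships itself.
BUILTIN_LOCATIONS = ("app-builtin", "app-system-defaults")

def audit_addons(extensions_json_text, allowed_ids=ALLOWED_IDS):
    """Return (id, name, reason) for each installed extension off the allow list."""
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        if addon.get("location") in BUILTIN_LOCATIONS:
            continue  # shipped with the browser, not user-installed
        addon_id = addon.get("id", "")
        if addon_id in allowed_ids:
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        # A wallet brand in the name under an unapproved ID is the
        # impersonation pattern the article describes, so call it out.
        if any(brand in name.lower() for brand in WALLET_BRANDS):
            reason = "wallet-branded add-on with unapproved ID"
        else:
            reason = "not on allow list"
        findings.append((addon_id, name, reason))
    return findings

# Constructed sample in the assumed shape of a profile's extensions.json.
SAMPLE = json.dumps({"addons": [
    {"id": "wallet@approved.example", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask"}},
    {"id": "clone@constructed.example", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask Wallet"}},
    {"id": "notes@constructed.example", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Quick Notes"}},
    {"id": "theme@constructed.example", "type": "theme",
     "location": "app-profile", "defaultLocale": {"name": "Dark"}},
    {"id": "builtin@constructed.example", "type": "extension",
     "location": "app-system-defaults", "defaultLocale": {"name": "Helper"}},
]})

if __name__ == "__main__":
    for finding in audit_addons(SAMPLE):
        print(" | ".join(finding))
```

Run on a schedule against the real profile file, the same function covers the "monitor regularly" point: any new finding since the last run is an add-on that appeared without approval.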
Mozilla says they’re working on it, but for now, it’s up to users to stay cautious. We’ve reached out to them for more details and will update if we hear back.
In the meantime, maybe give your extensions a second look. Some of them might not be what they seem.