03.07.2025 08:01
A significant cybersecurity threat targeting Firefox users has been uncovered, involving a widespread campaign distributing malicious wallet extensions. Security researchers at Koi, along with the SlowMist attack team, have issued warnings about this ongoing attack, highlighting the urgent need for user vigilance. These malicious extensions, masquerading as legitimate cryptocurrency wallets, are designed to steal private keys and drain user funds.
The fraudulent extensions closely mimic popular wallets such as MetaMask, Coinbase Wallet, Trust Wallet and many others, which makes them hard to tell apart from the genuine extensions. Their presence in the official Firefox app store adds a further layer of deception and raises the risk that unsuspecting users download and install them. Koi's investigation found that while some of the malicious extensions have been removed, others remain live and continue to pose a significant threat.
The attack exploits how easy it is to get started with cryptocurrencies, and it particularly targets casual users who may be less aware of security best practices. Entering a private key into one of these counterfeit extensions hands it directly to the attackers and exposes the user to substantial financial loss; victims have already reported such losses. The simplicity of the attack underscores the importance of caution and verification when installing anything that handles a cryptocurrency wallet.
The surge in cryptocurrency value during the first half of 2025 appears to have fueled a corresponding increase in hacking attempts and exploits. This malicious extension campaign is only one example of the heightened threat landscape, with other attacks, including those attributed to North Korean hackers infiltrating various projects, causing widespread damage and affecting potentially hundreds of individuals.
The scale of the malicious extension campaign is substantial: researchers have identified over forty fraudulent extensions impersonating widely used wallets. These include, but are not limited to, Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet and Filfox. The campaign began around April 2025, and new malicious extensions continue to appear, some circulating through unofficial channels as well. The extensions' primary function is to extract and transmit sensitive wallet data, which lets the attackers take control of the victim's funds. Publicly available reporting confirms that the threat remains active.