03.07.2025 17:46

A significant cybersecurity threat has emerged, targeting cryptocurrency users through deceptive Firefox browser extensions. Koi Security's recent report reveals a large-scale cyberattack campaign involving over 40 fraudulent extensions, all deceptively mimicking legitimate cryptocurrency wallets like MetaMask, Keplr, and Coinbase Wallet. These malicious add-ons, uploaded to the Mozilla Add-ons Store, employ identical logos, names, and even cloned code from genuine wallets, skillfully masking their harmful payload.

Hidden within seemingly benign files lies spyware designed to exfiltrate sensitive user data. This includes the theft of crucial wallet credentials—seed phrases and private keys—along with the capture of users' IP addresses. The compromised information is then transmitted to servers under the attackers' control. Adding to the deception, the malicious actors employed a sophisticated tactic: generating numerous fake five-star reviews, utilizing both AI-generated and copied reviews from legitimate extensions to bolster their fraudulent extensions’ credibility.

The effectiveness of such attacks underscores the critical need for enhanced security measures within the Firefox extension ecosystem. Until more robust detection and code review processes are implemented, fraudsters will likely continue to exploit unsuspecting users. SlowMist, a leading cybersecurity firm, has issued a timely warning, urging users to exercise caution. They emphasize the importance of verifying the publisher's identity, rather than solely relying on ratings or branding. The firm stresses a crucial point: treat these extensions as sophisticated software, applying rigorous vetting procedures before installation. This heightened vigilance is essential to safeguard against these increasingly sophisticated attacks, which threaten significant financial losses for cryptocurrency users. Information regarding this incident was obtained from internet sources.