More than 40 fake extensions in Firefox’s official add-ons store are impersonating popular cryptocurrency wallets from trusted providers to steal wallet credentials and sensitive data. Some of the extensions pretend to be wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, and include malicious code that sends stolen information to attacker-controlled servers.

Although most of the user reviews are obviously fake (they surpass the installation figure by far), many users who do not pay attention to the details could still be tricked into installing the extensions and risk having their seed phrases stolen.

Koi Security told BleepingComputer that they reported the findings to the Firefox store using the official reporting tool, but the fake extensions continue to be available at the time of writing.

In a report shared with BleepingComputer, the researchers say that many of these browser add-ons are clones of open-source versions of legitimate wallets with added malicious logic. To build trust, the threat actor uses the real logos of the brands they impersonate, and many of the extensions had hundreds of fake five-star reviews.

The malicious code checks for input strings that are longer than 30 characters to filter for realistic wallet keys/seed phrases, and exfiltrates the data to the attackers. Seed phrases (also called recovery or mnemonic phrases) are master keys, typically comprising multiple words, that allow users to recover or port wallets to new devices.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 02 Jul 2025 13:20:19 +0000
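
The listing signals the article mentions (a wallet brand name on a non-official add-on, review counts that exceed install counts, and walls of five-star reviews) can be combined into a simple triage pass over store metadata. The Python below is an added example, not code from Koi Security or the article; the record fields, the allowlist of official add-on IDs, the thresholds and the sample listings are all constructed assumptions.

```python
import re
import unicodedata

# Wallet brands the article names as impersonation targets.
BRANDS = ["Coinbase", "MetaMask", "Trust Wallet", "Phantom",
          "Exodus", "OKX", "Keplr", "MyMonero"]

def normalize(name):
    """Fold case, accents, spacing and punctuation before comparing names."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())

def triage(listing, official_ids):
    """Return the reasons a store listing deserves manual review (empty list = none)."""
    reasons = []
    key = normalize(listing["name"])
    brand = next((b for b in BRANDS if normalize(b) in key), None)
    # Substring matching is deliberately broad: it ranks candidates for review only.
    if brand and listing["id"] not in official_ids:
        reasons.append(f"uses the {brand} name but is not an allowlisted listing")
    if listing["reviews"] > listing["users"]:
        reasons.append("more reviews than installs")
    # Assumed thresholds: at least 100 reviews, 95% or more of them five-star.
    if listing["reviews"] >= 100 and listing["five_star"] / listing["reviews"] >= 0.95:
        reasons.append("near-uniform five-star reviews")
    return reasons

def flagged(listings, official_ids):
    """Map listing id -> reasons, for listings with at least one reason."""
    result = {}
    for item in listings:
        reasons = triage(item, official_ids)
        if reasons:
            result[item["id"]] = reasons
    return result

# Constructed sample data: ids, names and counts are invented for illustration.
OFFICIAL_IDS = {"official-metamask@example"}
LISTINGS = [
    {"id": "clone-1@example", "name": "MetaMask Wallet", "users": 12, "reviews": 340, "five_star": 338},
    {"id": "official-metamask@example", "name": "MetaMask", "users": 500000, "reviews": 3000, "five_star": 1800},
    {"id": "notes@example", "name": "Quick Notes", "users": 900, "reviews": 40, "five_star": 30},
    {"id": "clone-2@example", "name": "Kép-lr Wallet", "users": 800, "reviews": 50, "five_star": 20},
]

if __name__ == "__main__":
    for listing_id, reasons in flagged(LISTINGS, OFFICIAL_IDS).items():
        print(listing_id, "->", "; ".join(reasons))
```

A hit means "look at this listing by hand", since names such as Phantom or Exodus also occur in unrelated add-ons.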