While most users browse the web without a second thought about browser extensions, cybercriminals have been quietly exploiting this trust with an alarming campaign targeting cryptocurrency holders.
Researchers have uncovered over 40 malicious Firefox extensions designed to steal crypto assets, with the campaign active since April 2025. These digital wolves in sheep’s clothing have been lurking right in plain sight—on the official Firefox Add-ons store.
The extensions masquerade as popular cryptocurrency wallets including MetaMask, Coinbase Wallet, Trust Wallet, and Phantom. Like a thief wearing the security guard’s uniform, these imposters don authentic logos and carefully mimic the interfaces of legitimate services. Even more concerning, the attackers bolstered their deception by flooding their listings with hundreds of fake five-star reviews, creating an illusion of trustworthiness that would make any snake oil salesman proud.
Wolves in digital clothing, these wallet imposters use stolen branding and fake reviews to breach the fortress of your crypto assets.
The technical sleight-of-hand employed is both clever and concerning.
Once installed, these malicious extensions inject JavaScript event listeners that monitor for sensitive data entry.
Any time someone types more than 30 characters, the typical length of a seed phrase or private key, the extension springs its trap, capturing and exfiltrating the data to attacker-controlled servers. The extensions also capture victims’ external IP addresses and transmit them to the command-and-control servers, and they suppress any visual error indicators by setting the dialog opacity to zero.
It’s like having someone secretly photograph your house keys the moment you take them out of your pocket.
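For defenders reviewing an unpacked extension, the behaviour described above can be turned into a static triage pass. The following is an added example, not code from the researchers or from Mozilla: it flags the combination of an input listener, a length gate such as the 30-character threshold, a network sink, and an opacity-zero dialog. The regexes, the 20 to 256 range, the verdict names and the sample fragments are assumptions constructed for illustration.

```javascript
// Static triage heuristics for unpacked extension source (added example).
// Regexes and thresholds are assumptions, tuned to the behaviour described above.
const INDICATORS = {
  // Listener on form-entry events
  inputListener: /addEventListener\(\s*['"](?:input|change|keyup|keydown|paste)['"]/g,
  // Comparison of a string length against a numeric threshold, e.g. "> 30"
  lengthGate: /\.length\s*>=?\s*(\d+)/g,
  // Any API able to send data off the page
  networkSink: /\b(?:fetch\s*\(|sendBeacon\s*\(|new\s+XMLHttpRequest|new\s+WebSocket)/g,
  // Element forced fully transparent (used to hide error dialogs)
  hiddenDialog: /opacity\s*[:=]\s*['"]?0(?:\.0+)?['"]?\s*(?:[;,}]|$)/gm,
};

// A length gate only matters in the range of keys and seed phrases, not "> 0".
const gateInRange = (m) => Number(m[1]) >= 20 && Number(m[1]) <= 256;

function scanFile(source) {
  const hits = [];
  for (const [name, re] of Object.entries(INDICATORS)) {
    const matches = [...source.matchAll(re)];
    const ok = name === "lengthGate" ? matches.some(gateInRange) : matches.length > 0;
    if (ok) hits.push(name);
  }
  return hits;
}

// files: { "path/in/extension.js": "<source text>" }
function triageExtension(files) {
  const perFile = {};
  const all = new Set();
  for (const [path, src] of Object.entries(files)) {
    perFile[path] = scanFile(src);
    perFile[path].forEach((h) => all.add(h));
  }
  // The capture chain: listen for input, gate on length, send it somewhere.
  const chain = ["inputListener", "lengthGate", "networkSink"].every((h) => all.has(h));
  const verdict = chain ? (all.has("hiddenDialog") ? "high" : "review") : "low";
  return { verdict, perFile };
}

// Constructed sample input: fragments only, not taken from any real extension.
const SAMPLE_SUSPECT = {
  "content.js": "document.addEventListener('input', onInput);\nif (text.length > 30) queue(text);",
  "background.js": "fetch(ENDPOINT, opts);\ndialog.style.opacity = '0';",
};
const SAMPLE_BENIGN = {
  "ui.js": "btn.addEventListener('click', open);\nif (items.length > 0) render(items);\npanel.style.opacity = 0.5;",
};
console.log(triageExtension(SAMPLE_SUSPECT).verdict, triageExtension(SAMPLE_BENIGN).verdict);
```

Indicators are combined across files because the listener and the network call often live in different scripts; a "review" or "high" verdict is a prompt for manual reading, not proof of malice.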
The scheme, run by a Russian-speaking cybercriminal group, particularly targets Firefox users, exploiting what researchers note is comparatively lower scrutiny on Mozilla’s marketplace. Remaining vigilant against scams is critical to protecting your digital assets from these sophisticated theft campaigns. Once cryptocurrency is stolen using the captured credentials, victims have virtually no recourse for recovery.
Mozilla has responded by deploying new automated risk analysis tools to flag suspicious wallet extensions for priority human review. They’ve already blocked the identified malicious extensions, but the damage for many users is likely already done.
For crypto holders, this campaign serves as a stark reminder: in the digital world, even the most innocent-looking tools can harbor malicious intent. The convenience of browser-based wallets comes with risks that require constant vigilance.