If You Have Crypto and Use Firefox, Hackers are Targeting You

Koi Security, a cybersecurity firm, has uncovered a large-scale malicious campaign targeting cryptocurrency users through fake Firefox extensions. The campaign involves more than 40 extensions that impersonate popular crypto wallet tools such as Coinbase, MetaMask, Trust Wallet, and others. These extensions silently steal wallet credentials and send them to attacker-controlled servers, putting user assets at immediate risk.

The campaign has been active since at least April 2025 and is still ongoing, with new fraudulent uploads appearing on the Mozilla Add-ons store as recently as last week. The attackers make their extensions look trustworthy by copying ratings, reviews, and branding, and many of the phony extensions have hundreds of fake positive reviews. They have also cloned real open-source wallet extensions and embedded malicious logic in them to avoid detection.

Koi Security's investigation has revealed a coordinated operation focused on credential harvesting and user tracking within the crypto ecosystem. The firm urges Firefox users to review their installed extensions, uninstall suspicious tools, and change their wallet credentials. It is working with Mozilla to remove the identified malicious extensions and to monitor for further uploads linked to this campaign.

The campaign's code and metadata suggest that a Russian-speaking threat group may be behind it: Russian-language notes are hidden in the extension code, and metadata from a PDF on a control server shows Russian text. This is not definitive proof, but it points to a possible Russian-language actor running the operation.

This report comes after a similar crypto phishing scam was detected by SlowMist, which traced the malware's activity to a server in the Netherlands but found Russian-language scripts in the attackers' tools. The attackers drained wallets and converted the stolen funds into cryptocurrency.
