Firefox users hit by malicious wallet extension attacks

Source: Cryptopolitan

Researchers from the Koi security company discovered an ongoing campaign spreading malicious wallet extensions on Firefox. The malicious apps spoof the most widely used wallets, stealing private phrases and leaving users vulnerable to being drained.

An ongoing campaign is spreading malicious extensions, spoofing some of the most common crypto wallets on Firefox. Koi security discovered some of the apps were removed, while others were still active, posing as legitimate wallets. 

The SlowMist attack team also warned users to be vigilant, as the attack is still active. The fake apps are spreading through the official Firefox app store, making them potentially more misleading and dangerous.

The attack is relatively simple, but it targets the easiest type of user: those who seek casual access to crypto. Using a compromised app, or entering private phrases into one, may lead to significant losses. Users are already reporting losses from the fake apps.

Hacks and exploits accelerated in the first half of 2025, as crypto increased in value. Threats also came from DPRK hackers infiltrating projects, with hundreds potentially affected by malicious code. 

Firefox fake extensions target the most widely used wallets

Koi intercepted fake apps for some of the most widely used wallet extensions, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. 

The researchers discovered over 40 apps posing as wallets, with new ones appearing. Some of the fake wallets are still active on unofficial links. According to researchers, the fake apps started spreading around April 2025. 

The extensions extract wallet data and credentials and send them to a server controlled by the attacker. The apps also transmit the user’s IP address for tracking and further targeting.

Attackers cloned the open-source code of legitimate wallets

The attack was relatively simple, often reusing the legitimate wallet code of open-source projects like MetaMask. The fake apps then injected malicious code that allows the wallet to steal data and credentials.

The fake wallet apps were active on app stores, using the same logos and style as the original wallet. Previously, faked wallets have targeted specific niche projects, but this time, the attacker spoofed multi-asset wallets, widely used for DeFi, trading, NFT and other on-chain tasks. 

Code analysis concluded the attack most likely originated from Russia, as Russian-language code comments were discovered in some of the apps. Metadata from a file on one of the command-and-control servers also points to a Russian attacker.

Koi advises users to install an allow list filter and avoid downloading apps without vetting. Some of the apps may not show problems at first, but later update and change their behavior. Security researchers also advise against searching for apps directly, as the results may point to fake wallets with deliberately inflated five-star reviews. The best approach is to use the wallet’s official web page or social media.

Users were also advised to be skeptical when seeing an app with too many five-star reviews that were artificially placed to make the app seem established and legitimate.
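As an added illustration of the allow-list advice (not code from Koi or Cryptopolitan), the Python sketch below audits a Firefox profile's installed add-ons against an allow list and builds the matching `ExtensionSettings` enterprise policy. The `extensions.json` field names are assumptions about that file's layout, and every add-on ID and sample record is a constructed placeholder.

```python
import json

# Wallet brands the article lists as spoofed (lower-cased for matching).
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "exodus",
                 "okx", "keplr", "mymonero", "bitget", "leap", "filfox")

# Constructed allow list: placeholder IDs, not real add-on IDs.
ALLOWLIST = {"wallet-official@example.invalid", "adblock@example.invalid"}

# Constructed sample shaped like a profile's extensions.json (assumed fields).
SAMPLE = json.dumps({"addons": [
    {"id": "wallet-official@example.invalid", "type": "extension",
     "defaultLocale": {"name": "MetaMask"},
     "installDate": 1743465600000, "updateDate": 1746057600000},
    {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
     "defaultLocale": {"name": "Phantom Wallet"},
     "installDate": 1745000000000, "updateDate": 1748000000000},
    {"id": "notes@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Quick Notes"},
     "installDate": 1745000000000, "updateDate": 1745000000000},
    {"id": "theme@example.invalid", "type": "theme",
     "defaultLocale": {"name": "Dark"},
     "installDate": 1745000000000, "updateDate": 1745000000000},
]})

def audit(extensions_json, allowlist):
    """Return one finding per installed extension that is not allow-listed."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or addon.get("id") in allowlist:
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "")
        findings.append({
            "id": addon.get("id"),
            "name": name,
            # Name reuses a wallet brand although the ID is not a vetted one.
            "brand_lookalike": any(b in name.lower() for b in WALLET_BRANDS),
            # Code changed after install: review again, behaviour may differ.
            "updated_since_install":
                addon.get("updateDate", 0) > addon.get("installDate", 0),
        })
    return findings

def build_policy(allowlist):
    """Build a policies.json body: block everything, allow listed IDs only."""
    settings = {"*": {"installation_mode": "blocked"}}
    settings.update({i: {"installation_mode": "allowed"} for i in sorted(allowlist)})
    return {"policies": {"ExtensionSettings": settings}}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, ALLOWLIST), indent=2))
    print(json.dumps(build_policy(ALLOWLIST), indent=2))
```

An add-on flagged with both `brand_lookalike` and `updated_since_install` is the case the researchers describe: a wallet-branded extension outside the vetted set whose code has changed since it was installed.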
