Firefox users hit by malicious wallet extension attacks

Source Cryptopolitan

Researchers from the Koi security company discovered an ongoing campaign spreading malicious wallet extensions on Firefox. The malicious apps spoof the most widely used wallets, stealing private phrases and leaving users vulnerable to being drained.

An ongoing campaign is spreading malicious extensions, spoofing some of the most common crypto wallets on Firefox. Koi security discovered some of the apps were removed, while others were still active, posing as legitimate wallets. 

The SlowMist attack team also warned users to be vigilant, as the attack is still active. The fake apps are spreading through the official Firefox app store, making them potentially more misleading and dangerous.

The attack is relatively simple, but targets the easiest type of user, who seek casual access to crypto. Using a compromised app, or inputting private phrases into one may lead to significant losses. Users are already reporting losses from the fake apps. 

Hacks and exploits accelerated in the first half of 2025, as crypto increased in value. Threats also came from DPRK hackers infiltrating projects, with hundreds potentially affected by malicious code. 

Firefox fake extensions target the most widely used wallets

Koi intercepted fake apps for some of the most widely used wallet extensions, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. 

The researchers discovered over 40 apps posing as wallets, with new ones appearing. Some of the fake wallets are still active on unofficial links. According to researchers, the fake apps started spreading around April 2025. 

The extensions extract and send out wallet extensions, reaching a server controlled by the attacker. The apps also transmit the user’s IP address for tracking and further targeting. 

Attackers cloned the open-source code of legitimate wallets

The attack was relatively simple, often using the legitimate wallet code for open-source projects like MetaMask. The fake apps then injected the malicious code to allow the wallet to steal data and credentials. 

The fake wallet apps were active on app stores, using the same logos and style as the original wallet. Previously, faked wallets have targeted specific niche projects, but this time, the attacker spoofed multi-asset wallets, widely used for DeFi, trading, NFT and other on-chain tasks. 

Code analysis concluded the attack most likely originated from Russia, as Russian-language code comments were discovered in some of the apps. Metadata from a file on one of the command-and-control servers also points to a Russian attacker.

Koi advices users to install an allow list filter and avoid downloading apps without vetting. Some of the apps may not show problems, but later update and change their behavior. Security researchers also advice against searching apps directly, as the results may point to fake wallets with deliberately inflated five-star reviews. The best approach is to use the wallet’s official web page or social media. 

Users were also advised to be skeptical when seeing an app with too many five-star reviews, that were artificially placed to make the app seem established and legitimate. 

KEY Difference Wire: the secret tool crypto projects use to get guaranteed media coverage

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Gold price oscillates in a range below one-week top; bullish potential seems intactGold price (XAU/USD) struggles to capitalize on its gains registered over the past two days and oscillates in a narrow range during the Asian session on Wednesday, just below a one-week high touched the previous day.
Author  FXStreet
Yesterday 05: 59
Gold price (XAU/USD) struggles to capitalize on its gains registered over the past two days and oscillates in a narrow range during the Asian session on Wednesday, just below a one-week high touched the previous day.
placeholder
Solana (SOL) at Crossroads — Bounce Likely If $142 Remains IntactSOL price is now recovering and might aim for a fresh increase above the $150 zone.
Author  NewsBTC
Yesterday 10: 03
SOL price is now recovering and might aim for a fresh increase above the $150 zone.
placeholder
EUR/USD pulls back from highs as investors await further US employment dataThe EUR/USD pair posts moderate losses on Wednesday, trading near 1.1780 at the time of writing.
Author  FXStreet
Yesterday 09: 22
The EUR/USD pair posts moderate losses on Wednesday, trading near 1.1780 at the time of writing.
placeholder
Dogecoin Closes June In The Red With 14% Losses, Will July Be Any Better?With the close of June, the Dogecoin price has once again confirmed the bearish trend of the month.
Author  Bitcoinist
Yesterday 10: 02
With the close of June, the Dogecoin price has once again confirmed the bearish trend of the month.
placeholder
Nonfarm Payrolls set to show hiring environment in US labor market remained subdued in JuneThe all-important United States (US) Nonfarm Payrolls (NFP) data for June will be released by the Bureau of Labor Statistics (BLS) on Thursday at 12:30 GMT.
Author  FXStreet
8 hours ago
The all-important United States (US) Nonfarm Payrolls (NFP) data for June will be released by the Bureau of Labor Statistics (BLS) on Thursday at 12:30 GMT.
goTop
quote