BlackMoon Banking Trojan aka KrBanker – Active IOCs
July 7, 2025
Severity
High
Analysis Summary
Security researchers have uncovered more than 40 malicious Mozilla Firefox extensions built to steal data from cryptocurrency wallets. The extensions impersonated popular wallet tools including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox, copying the names and branding of the legitimate add-ons so that they appeared authentic to users browsing the add-ons store.
The campaign has been active since at least April 2025, and new variants were still being uploaded to Mozilla's official add-ons marketplace as recently as the week before this advisory. To build credibility, the attackers seeded the listings with hundreds of fake five-star reviews, creating an impression of popularity and trust far out of proportion to the extensions' real install counts.
The attackers reused open-source code from the genuine wallet applications, so the extensions behaved like the real product while carrying hidden malicious components. Those components captured wallet credentials and seed phrases as users entered them on targeted sites and sent them, together with the victim's IP address, to attacker-controlled servers, giving the attackers what they need to drain the wallet.
Unlike a phishing page or a cloned website, a browser extension runs inside the user's own browser with whatever host and API permissions it was granted at install, so it can read page content and form input on every site it has access to. That makes these extensions both more effective and harder to spot with standard web-filtering or endpoint controls, which see only ordinary browser traffic.
Mozilla has removed all of the identified malicious extensions except the MyMonero Wallet listing, which remained available at the time of writing. Mozilla has also introduced an early-detection system intended to identify and block fraudulent crypto wallet extensions before they reach users.
Separately, Mozilla has patched CVE-2025-6430, a Firefox vulnerability that allowed attackers to bypass secure file download handling because the “Content-Disposition” header was not correctly honoured.
To reduce exposure, users should install extensions only from verified developers, confirm that an extension's listed author and add-on ID match the vendor's own published listing rather than trusting the name and logo, watch for suspicious behaviour, and monitor wallet activity closely so that any unauthorized transaction is caught early.
Impact
- Unauthorized Access
- Financial Loss
- Data Theft
Indicators of Compromise
Domain Name
- exodlinkbase.digital
- avalancheproject.digital
- allextdev.world
- suirokboys.digital
Remediation
- Remove any suspicious or unverified browser extensions immediately to eliminate potential threats
- Download extensions only from verified developers to reduce risk of installing malicious add-ons
- Regularly audit installed browser extensions for unusual behavior or permissions changes
- Monitor cryptocurrency wallet activity for unauthorized transactions to detect compromise early
- Enforce an extension allow-list through browser enterprise policy (for Firefox, the ExtensionSettings policy) so that only approved add-ons can be installed, and enable the browser's built-in protections against malicious extensions
- Keep browsers updated to patch known vulnerabilities and improve extension security controls
- Educate users about risks of fake extensions to strengthen overall organizational security awareness
- Use endpoint protection solutions with browser extension monitoring capabilities for enhanced defense
- Report suspicious extensions to browser vendors to aid in quick removal and wider community protection
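The two remediation points that are most often skipped are the extension audit and the IOC sweep. The script below is an added example written for this advisory, not code from the original page or from Mozilla or any wallet vendor. It reads a Firefox profile's extensions.json, flags add-ons whose name borrows one of the impersonated wallet brands without being on a verified allow-list, whose host permissions cover every site, or whose install or update URL sits on one of the IOC domains above, and then sweeps DNS log lines for the same domains. The extensions.json field names are assumed from the layout Firefox writes in its profile directory, the KNOWN_GOOD_IDS allow-list is a placeholder you must populate from the vendors' own listings, and the sample extensions.json and DNS lines are constructed test data.

```python
"""Audit Firefox extensions.json for wallet lookalikes and sweep logs for IOC domains.

Added example for the advisory, not the page's or any vendor's code. Assumed, not from
the page: the extensions.json field layout, the placeholder allow-list, and the samples.
"""
import json
import re
from urllib.parse import urlparse

# IOC domains taken from the advisory.
IOC_DOMAINS = {"exodlinkbase.digital", "avalancheproject.digital",
               "allextdev.world", "suirokboys.digital"}

# Wallet brands the campaign impersonated (from the advisory).
IMPERSONATED_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
                       "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox")

# Hypothetical allow-list: replace with add-on IDs verified from the vendors' listings.
KNOWN_GOOD_IDS = {"verified-wallet@vendor.example"}

# Host-permission patterns that grant access to every site the user visits.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_ioc_host(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def audit_extensions(extensions_json: str) -> list[dict]:
    """Return one finding per suspicious trait of each active installed extension."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active", False):
            continue
        addon_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "").lower()
        origins = set(addon.get("userPermissions", {}).get("origins", []))
        trusted = addon_id in KNOWN_GOOD_IDS
        # 1. Brand-name lookalike whose ID is not a verified add-on.
        if not trusted and any(b in name for b in IMPERSONATED_BRANDS):
            findings.append({"id": addon_id, "reason": "impersonation", "name": name})
        # 2. Host access to every site: enough to read wallet pages and form input.
        if not trusted and origins & BROAD_ORIGINS:
            findings.append({"id": addon_id, "reason": "broad_host_access",
                             "origins": sorted(origins)})
        # 3. Install or update URL on a known IOC domain.
        for key in ("sourceURI", "updateURL"):
            host = urlparse(addon.get(key, "")).hostname or ""
            if host and is_ioc_host(host):
                findings.append({"id": addon_id, "reason": "ioc_domain", "host": host})
    return findings


# Hostname-like tokens in any log format (IPs match too but never hit the IOC set).
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def scan_log_for_iocs(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, host) for every hostname matching an IOC domain."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for host in HOST_RE.findall(line):
            if is_ioc_host(host):
                hits.append((lineno, host.lower()))
    return hits


# Constructed sample: one allow-listed wallet, one lookalike, one unrelated add-on.
SAMPLE_EXTENSIONS_JSON = json.dumps({"schemaVersion": 35, "addons": [
    {"id": "verified-wallet@vendor.example", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask"},
     "userPermissions": {"permissions": ["storage"], "origins": ["*://*/*"]},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/wallet.xpi"},
    {"id": "{3f1c9d2a-0000-4000-8000-000000000001}", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet"},
     "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["<all_urls>"]},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/metamask_wallet.xpi",
     "updateURL": "https://allextdev.world/update.json"},
    {"id": "notes@example.test", "type": "extension", "active": True,
     "defaultLocale": {"name": "Simple Notes"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
]})

# Constructed DNS resolver log lines.
SAMPLE_DNS_LOG = """\
2025-07-07T10:01:02Z client=10.0.0.5 query=addons.mozilla.org type=A
2025-07-07T10:01:09Z client=10.0.0.5 query=cdn.allextdev.world type=A
2025-07-07T10:01:15Z client=10.0.0.9 query=suirokboys.digital type=A
2025-07-07T10:02:00Z client=10.0.0.9 query=example.com type=A
"""

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print("EXTENSION", finding)
    for lineno, host in scan_log_for_iocs(SAMPLE_DNS_LOG):
        print(f"DNS line {lineno}: {host}")
```

Against the constructed sample, the allow-listed wallet produces no findings even though it holds broad host access (a real wallet extension needs it), the lookalike is flagged three times (brand name without a verified ID, access to all sites, and an update URL on an IOC domain), and the DNS sweep returns the two lines that resolve IOC hosts. For a real audit, point the loader at the profile's extensions.json (under the Firefox profile directory) and feed the resolver or proxy logs through scan_log_for_iocs; subdomain matching is deliberate, since the IOC list names apex domains.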