Firefox Crypto Wallet Alert: Over 40 Malicious Extensions Found Stealing Seed Phrases & Funds
Experts at Koi Security have identified over 40 malicious extensions for the Mozilla Firefox browser, specifically crafted to steal data from cryptocurrency wallets. These add-ons pose a significant threat to the security of users’ digital assets.
The attackers disguised their malware-laden extensions as official tools of widely used crypto wallets. Among the impersonated services were prominent names such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Visually, the extensions mirrored the legitimate ones—featuring identical branding and names.
The campaign to distribute these counterfeit extensions has reportedly been ongoing since at least April 2025, with new versions uploaded to Firefox’s official add-ons marketplace as recently as last week.
To fabricate a sense of credibility and popularity, the attackers artificially inflated reviews—injecting hundreds of fraudulent five-star ratings that far exceeded the actual number of installations. This strategy created a false impression of trustworthiness and demand within the user community.
Further legitimacy was lent to these malicious extensions through the use of open-source code from real wallet applications. This enabled the attackers to replicate authentic functionality while discreetly embedding harmful components. As a result, the extensions closely resembled and operated like their genuine counterparts, yet harbored covert mechanisms for siphoning sensitive information.
The malicious code allowed the interception of access keys and seed phrases entered by users on targeted websites. In addition, the extensions transmitted victims’ IP addresses to remote servers.
Unlike traditional scams that rely on fake websites or phishing emails, these extensions operate directly within the browser environment. This makes them particularly insidious, as they are far more difficult to detect using standard security tools.
Mozilla has removed all identified malicious extensions—with the exception of MyMonero Wallet, which remains available. The company also announced the recent implementation of an early detection system designed to identify and block fraudulent crypto wallet extensions before they gain traction and begin compromising user assets.
In a related development, the PT SWARM team at Positive Technologies recently reported the remediation of CVE-2025-6430, a vulnerability in the Firefox browser that allowed attackers to bypass the secure file download mechanism. The flaw stemmed from the improper interpretation of the “Content-Disposition” header, which dictates how files should be handled upon download.
To mitigate the risk of installing counterfeit extensions, experts strongly advise downloading only from verified developers and vigilantly monitoring extension behavior for any suspicious changes.
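One way to act on this advice, as an added example that is not code from Koi Security, Mozilla or the original article: a Python audit that lists installed add-ons carrying one of the impersonated wallet names and shows whether they can read every site. The field names (addons, defaultLocale.name, userPermissions) are an assumption about the layout of the extensions.json file in a Firefox profile, and the sample records and add-on IDs are constructed.

```python
import json

# Wallet brands the article lists as impersonated.
BRANDS = ["coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
          "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox"]
# Host patterns that let an extension read input on every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_addons(doc):
    """Return wallet-branded extensions that need manual verification."""
    findings = []
    for addon in doc.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs run no code
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        brand = next((b for b in BRANDS if b in name.lower()), None)
        if brand is None:
            continue
        perms = addon.get("userPermissions") or {}
        origins = set(perms.get("origins") or [])
        findings.append({
            "id": addon.get("id"),
            "name": name,
            "brand": brand,
            "active": bool(addon.get("active")),
            "broad_host_access": bool(origins & BROAD),
            "permissions": sorted(perms.get("permissions") or []),
        })
    # Enabled add-ons with all-sites access are reviewed first.
    findings.sort(key=lambda f: (not f["active"], not f["broad_host_access"]))
    return findings

# Constructed sample in the assumed extensions.json layout (not real add-ons).
SAMPLE = json.loads("""{"addons": [
 {"id": "blocker@example.invalid", "type": "extension", "active": true,
  "defaultLocale": {"name": "Example Ad Blocker"},
  "userPermissions": {"permissions": ["webRequest"], "origins": ["<all_urls>"]}},
 {"id": "keplr-copy@example.invalid", "type": "extension", "active": false,
  "defaultLocale": {"name": "Keplr Wallet"},
  "userPermissions": {"permissions": ["storage"],
                      "origins": ["https://wallet.example.invalid/*"]}},
 {"id": "theme@example.invalid", "type": "theme", "active": true,
  "defaultLocale": {"name": "Phantom Dark"}},
 {"id": "wallet-one@example.invalid", "type": "extension", "active": true,
  "defaultLocale": {"name": "MetaMask"},
  "userPermissions": {"permissions": ["webRequest", "storage"],
                      "origins": ["<all_urls>"]}}]}""")

if __name__ == "__main__":
    for finding in audit_addons(SAMPLE):
        print(finding)
```

A listed add-on is not necessarily malicious; compare its ID and publisher with the listing linked from the wallet vendor's own site. To audit a real profile, pass the parsed contents of its extensions.json to audit_addons instead of SAMPLE.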