In a recent report by cybersecurity company Koi Security, it was revealed that an ongoing malware campaign has been deploying more than 40 fraudulent extensions on the widely used web browser Mozilla Firefox. These extensions, masquerading as legitimate wallet tools such as MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, OKX, MyMonero and Bitget, among others, aim to steal cryptocurrency credentials from unsuspecting users.
The malicious extensions, once installed, are programmed to steal user wallet credentials. “We have connected over 40 different extensions to this active and live campaign,” Koi Security stated.
The campaign, which has been running since at least April, uploaded the most recent extensions last week. These fraudulent extensions allegedly extract wallet credentials directly from the targeted sites and upload them to a remote server under the attacker’s control.
The report also highlighted how the campaign uses ratings, reviews, branding, and functionality to pose as genuine, win user trust, and thus boost installation rates. Some extensions even boasted hundreds of fake five-star reviews.
The deceptive extensions used the same names and logos as the real services they were mimicking. In several cases, the threat actors cloned the official extensions’ open-source code and integrated their malicious code. This deceptive strategy maintained the expected user experience while minimizing the chances of immediate detection.
While Koi Security stated that “attribution remains speculative,” they pointed to “multiple signals indicating a Russian-speaking threat actor.” These signals include Russian-language comments in the code and metadata found in a PDF file sourced from a malware command-and-control server associated with the incident. “Although not definitive, these artifacts suggest that the campaign may be the work of a Russian-speaking threat actor group.”
To minimize risk, Koi Security advised users to only install browser extensions from verified publishers and to manage extensions as full software assets, using allowlists and monitoring for unexpected behavior or updates.
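One way to put that advice into practice is to audit a Firefox profile's installed extensions against an approved list and flag anything unknown or updated since review. The script below is an added example, not code from the Koi Security report; it assumes the profile's extensions.json has an "addons" array whose entries carry "id", "version", "type" and "defaultLocale", and all IDs and versions in it are constructed placeholders.

```python
"""Audit a Firefox profile's installed extensions against an allowlist.

Added example, not code from the Koi Security report. Assumes the profile's
extensions.json has an "addons" array whose entries carry "id", "version",
"type" and "defaultLocale": {"name": ...}; IDs and versions below are
placeholders, not real wallet extension IDs.
"""
import json

# Constructed allowlist: approved extension ID -> version last reviewed.
ALLOWLIST = {
    "approved-wallet@example.com": "1.4.0",
    "approved-passwordmanager@example.com": "2.0.1",
}

# Constructed sample of an extensions.json file, for demonstration only.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {"id": "approved-wallet@example.com", "version": "1.5.0",
         "type": "extension", "defaultLocale": {"name": "Approved Wallet"}},
        {"id": "approved-passwordmanager@example.com", "version": "2.0.1",
         "type": "extension", "defaultLocale": {"name": "Approved PM"}},
        {"id": "{placeholder-unknown-id}", "version": "0.9.3",
         "type": "extension", "defaultLocale": {"name": "MetaMask"}},
        {"id": "default-theme@mozilla.org", "version": "1.3",
         "type": "theme", "defaultLocale": {"name": "System theme"}},
    ],
})


def audit_extensions(extensions_json, allowlist):
    """Flag extensions not on the allowlist and versions changed since review.
    Matching is by extension ID only, because a lookalike can reuse a brand
    name and logo; themes and other non-extension add-ons are skipped."""
    data = json.loads(extensions_json)
    findings = {"not_allowlisted": [], "version_changed": [], "ok": []}
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue
        ext_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "")
        version = addon.get("version", "")
        if ext_id not in allowlist:
            findings["not_allowlisted"].append((ext_id, name, version))
        elif allowlist[ext_id] != version:
            findings["version_changed"].append((ext_id, allowlist[ext_id], version))
        else:
            findings["ok"].append(ext_id)
    return findings
```

On a real profile, read the file from the profile directory and feed its contents to audit_extensions; an entry whose display name matches a known wallet but whose ID is not on the allowlist is exactly the lookalike pattern the report describes.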