More than 40 fake browser extensions for Mozilla Firefox have been tied to an active cryptocurrency theft campaign, according to a report released Wednesday by cybersecurity firm Koi Security.
The widespread phishing operation involves malicious extensions that mimic popular crypto wallet tools like Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget, and others. Once installed, these fake extensions are designed to steal users’ wallet credentials.
“We’ve identified over 40 extensions connected to this campaign, which remains active and ongoing,” Koi Security stated.
According to the firm, the operation has been running since at least April, with new malicious extensions uploaded as recently as last week. These extensions reportedly harvest wallet credentials directly from compromised websites and send the data to a remote server controlled by the attackers.

Malware leverages deceptive design to gain trust
According to the report, the campaign exploits user trust by mimicking legitimacy through fake ratings, reviews, branding, and functional design. Some of the malicious extensions even displayed hundreds of bogus five-star reviews to appear credible.
These fake extensions used the exact names and logos of the genuine wallet services they impersonated. In several cases, attackers cloned the official open-source code of legitimate extensions, modifying it to include malicious components while maintaining the original functionality.
“This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection.”
Russian-speaking threat actor believed to be behind the campaign
Koi Security noted that while “attribution remains tentative,” several indicators suggest a Russian-speaking threat actor may be responsible. These clues include Russian-language comments embedded in the code, as well as metadata from a PDF file recovered from a command-and-control server linked to the malware campaign.
“While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group.”
To reduce risk, Koi Security advised users to install browser extensions only from trusted and verified publishers. The firm also emphasized that extensions should be treated like full software applications—recommending the use of allowlists and regular monitoring for unusual behavior or unauthorized updates.
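One concrete way to act on that advice is to audit the add-ons a Firefox profile actually has installed against an allowlist, and to flag look-alike names and silent updates. The script below is an added example written for this article; it is not code from Koi Security or from the report. It assumes the profile's `extensions.json` layout (an `addons` array with `id`, `type`, `defaultLocale.name`, `installDate` and `updateDate` fields), which may differ between Firefox versions, and every extension ID in the allowlist is a placeholder rather than a real wallet extension's ID. The sample `extensions.json` content is constructed for the example.

```python
"""Audit a Firefox profile's extensions.json against an allowlist.

Assumed layout (not from the article): Firefox keeps installed add-ons in
<profile>/extensions.json as an "addons" array whose entries carry "id",
"version", "type", "defaultLocale": {"name": ...}, "installDate" and
"updateDate" (milliseconds since the epoch). Adjust the field names if your
Firefox version stores them differently.
"""
import json
import sys

# Hypothetical allowlist: brand -> set of extension IDs the organisation has
# vetted. The IDs are placeholders, not the real wallet extensions' IDs.
ALLOWLIST = {
    "MetaMask": {"metamask-placeholder@example.invalid"},
    "Coinbase": {"coinbase-placeholder@example.invalid"},
}

# Brand names the article says the campaign impersonated; used to catch a
# look-alike display name that carries an unvetted extension ID.
IMPERSONATED_BRANDS = ["Coinbase", "MetaMask", "Trust Wallet", "Phantom",
                       "Exodus", "OKX", "MyMonero", "Bitget"]

# Constructed sample of extensions.json content, not taken from a real profile.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "metamask-placeholder@example.invalid", "version": "11.0.0",
         "type": "extension", "defaultLocale": {"name": "MetaMask"},
         "installDate": 1704067200000, "updateDate": 1704067200000},
        # Look-alike: wallet brand in the name, unknown ID, updated since install
        {"id": "{aaaaaaaa-1111-2222-3333-444444444444}", "version": "1.0.1",
         "type": "extension", "defaultLocale": {"name": "MetaMask Wallet"},
         "installDate": 1712000000000, "updateDate": 1713000000000},
        {"id": "ublock-placeholder@example.invalid", "version": "1.57.0",
         "type": "extension", "defaultLocale": {"name": "uBlock Origin"},
         "installDate": 1700000000000, "updateDate": 1700000000000},
        {"id": "default-theme@mozilla.org", "version": "1.3",
         "type": "theme", "defaultLocale": {"name": "System theme"},
         "installDate": 1690000000000, "updateDate": 1690000000000},
    ],
})


def audit(extensions_json_text, allowlist=ALLOWLIST, brands=IMPERSONATED_BRANDS):
    """Return a list of (extension id, reason) findings.

    Flags (1) any extension whose ID is not on the allowlist, (2) any extension
    whose display name contains an impersonated brand while its ID is not the
    vetted one for that brand, and (3) any extension whose updateDate is later
    than its installDate, i.e. it has changed since it was installed.
    """
    data = json.loads(extensions_json_text)
    allowed_ids = set().union(*allowlist.values())
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        ext_id = addon["id"]
        name = addon.get("defaultLocale", {}).get("name", "")
        if ext_id not in allowed_ids:
            findings.append((ext_id, "not on allowlist"))
        for brand in brands:
            if brand.lower() in name.lower() and ext_id not in allowlist.get(brand, set()):
                findings.append((ext_id, f"name impersonates {brand}"))
        if addon.get("updateDate", 0) > addon.get("installDate", 0):
            findings.append((ext_id, "updated since install"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_extensions.py <profile>/extensions.json
    # Without an argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXTENSIONS_JSON
    for ext_id, reason in audit(text):
        print(f"{ext_id}: {reason}")
```

Run against the sample, the vetted MetaMask placeholder produces no findings, the look-alike "MetaMask Wallet" entry is flagged three times (unknown ID, brand impersonation, updated since install), and uBlock Origin is flagged only because it is absent from this particular allowlist. Matching on the extension ID rather than the display name is the point: the article notes the fake extensions reused the genuine names and logos, so the name alone proves nothing.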

