Cybersecurity company Koi has uncovered a widespread malware campaign involving more than 40 fraudulent crypto wallet extensions on the Firefox browser’s plug-in store. These malicious extensions mimic popular wallet services to deceive users and steal sensitive information.
According to a recent blog post by Koi, the fake extensions are designed to closely imitate major digital wallet platforms such as Coinbase, MetaMask, OKX, Bitget, and Ethereum Wallet. Once installed, the malware can access users’ wallets by harvesting their login credentials.
“We’ve identified over 40 different extensions tied to this campaign, which remains active and ongoing,” Koi reported.
The security firm also noted that several of these harmful extensions are still available for download, warning that the operation is “active, persistent, and evolving.” The most recent activity linked to the campaign was detected just last week.
How do fake wallets steal user credentials?
Koi Security has revealed that the fake wallet extensions found on Firefox not only mimic legitimate platforms but also actively extract user credentials and send them to hacker-controlled remote servers. This tactic allows attackers to compromise users’ digital wallets and even determine their external IP addresses—potentially enabling them to track or target additional devices.
These malicious extensions are nearly indistinguishable from the real ones on browser plug-in marketplaces. They use identical names, logos, and branding from trusted platforms like MetaMask and Coinbase, giving users little reason to question their authenticity.
To enhance their credibility, the attackers employ a tactic known as review inflation. Many of the fake extensions boast hundreds of fake 5-star reviews, far surpassing the number of actual users. This makes the extension appear popular and trustworthy, tricking users into downloading it.
In some instances, Koi discovered that attackers exploited the open-source nature of genuine wallet extensions. They cloned the original codebases and injected malicious scripts while keeping the overall functionality intact. “This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection,” Koi explained.
However, there are telltale signs users can watch for. These include Russian-language comments within the code and suspicious metadata hidden in PDFs retrieved from the attackers’ command servers.
To stay protected, users are advised to only install extensions from verified publishers and use an extension allow-list to limit installations to trusted, vetted plug-ins.
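One way to operationalise that allow-list advice is to audit what is already installed. The script below is an added example, not code from Koi's report: it reads a Firefox profile's extensions.json (assumed layout: an "addons" array whose entries carry "id", "type" and a "defaultLocale" name; the sample here is constructed, and the allow-listed id is a placeholder) and flags any extension that is not on the allow-list, calling out those whose name matches one of the impersonated wallet brands the report names.

```python
"""Audit a Firefox profile's installed add-ons against an allow-list.

Added example, not code from Koi's report. Assumes the profile's
extensions.json layout: {"addons": [{"id": ..., "type": ..., "active": ...,
"defaultLocale": {"name": ...}}]}. The sample below is constructed and the
allow-listed extension id is a placeholder, not a real add-on.
"""
import json

# Placeholder allow-list: extension id -> expected display name (id is hypothetical).
ALLOW_LIST = {
    "vetted-wallet@example.org": "Example Wallet",
}

# Wallet brands the report says are impersonated; used to spot look-alike names.
IMPERSONATED_BRANDS = ("coinbase", "metamask", "okx", "bitget", "ethereum wallet")

# Constructed sample of a profile's extensions.json (not real data).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "vetted-wallet@example.org", "type": "extension", "active": True,
     "defaultLocale": {"name": "Example Wallet"}},
    {"id": "{1a2b3c4d-0000-0000-0000-placeholder}", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask"}},
    {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
     "defaultLocale": {"name": "System theme"}},
]})


def audit_addons(extensions_json: str, allow_list=ALLOW_LIST):
    """Return (id, name, reason) findings for installed extensions that fail policy."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and langpacks are out of scope here
        addon_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "")
        if addon_id not in allow_list:
            reason = "not on allow-list"
            if any(brand in name.lower() for brand in IMPERSONATED_BRANDS):
                reason += "; name matches an impersonated wallet brand"
            findings.append((addon_id, name, reason))
        elif allow_list[addon_id].lower() != name.lower():
            # Same id but a different name: the allow-list entry itself needs review.
            findings.append((addon_id, name, "allow-listed id but unexpected name"))
    return findings


if __name__ == "__main__":
    for addon_id, name, reason in audit_addons(SAMPLE_EXTENSIONS_JSON):
        print(f"{name!r} ({addon_id}): {reason}")
```

On a real machine, point it at the extensions.json inside the profile directory and replace the placeholder allow-list with the ids of the vetted add-ons you actually deploy.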
Koi also warned that cybercriminals are expanding their strategies to compromise crypto wallets, using everything from fake job search websites to counterfeit printer extensions. According to a 2025 survey by NASAA, cryptocurrency and social media scams remain among the top threats facing retail investors.