Over 40 Malicious Firefox Extensions Identified by Security Researchers

Cybersecurity experts have identified over 40 malicious Mozilla Firefox add-ons designed to steal cryptocurrency wallet information, posing a significant risk to users' funds. Researcher Yuval Ronen from Koi Security revealed that these add-ons masquerade as legitimate wallet tools from well-known platforms like Coinbase, MetaMask, and Trust Wallet. This operation has been active since at least April 2025, with new add-ons recently appearing in the Firefox store.

The fake add-ons are bolstered by numerous fraudulent 5-star reviews, enhancing their perceived credibility and enticing users to install them. Attackers exploit the same names and logos as genuine wallet tools to further deceive users. By copying code from legitimate open-source add-ons and embedding malicious features, these add-ons can steal wallet keys and passwords, transmitting this data along with users' IP addresses to a remote server.

Unlike typical scams involving fake websites, these add-ons operate within the user's browser, making detection and prevention more challenging. The presence of Russian language in the code and server files suggests a Russian-speaking group is behind the attacks.

Mozilla has removed all the fake add-ons except for MyMonero Wallet and has implemented a system to detect and block fraudulent crypto wallet add-ons proactively. To protect themselves, users should only install add-ons from trusted sources and regularly verify their integrity. Additionally, staying informed about defenses against deepfakes, fake websites, and scams is crucial. The industry is leveraging AI, privacy measures, and simplified logins to build user trust and maintain security in 2025.

Stay secure — stay Wavasec. 🔐