Scammers Create Fake Firefox Extensions Impersonating Top Wallets
Scammers have created over 40 fake Firefox extensions mimicking top wallets
The extensions are part of an ongoing large-scale phishing operation
The extensions impersonate Trust Wallet, Bitget, MetaMask, and Coinbase, among others
Malicious actors have created more than 40 fake Firefox extensions of popular crypto wallets like MetaMask, Trust Wallet, Coinbase, and Bitget. The extensions are part of an ongoing large-scale phishing operation meant to drain the wallets of unsuspecting victims. Cybersecurity researchers noted that the fake browser add-ons resemble the original extension but with “added malicious logic,” making it hard for victims to differentiate them and easy for scammers to steal funds.
Phishing Campaign “Very Much Active”
The fake Firefox add-ons were discovered by cybersecurity firm Koi Security, which said the phishing campaign is “still ongoing and very much alive.” Koi Security disclosed that the fake extensions “silently exfiltrate wallet secrets, putting users’ assets at immediate risk.”
The cybersecurity firm noted that the phishing campaign has been running since at least April this year, with more counterfeit extensions added to the Firefox Add-ons store “as recent as last week.” The add-ons send stolen wallet details and the victim’s IP address to an attacker-controlled server.
Koi Security noted that the malicious actors lure victims by pumping the phony extensions with fake 5-star ratings and positive reviews that exceed “their actual user base.”
It also observed that the add-ons mimic the branding of the actual wallets, including logos, names, and fonts. The likeness boosts the chances of “accidental installations by unsuspecting users.”
“Multiple Signals” Point to Russia
According to Koi Security, the Firefox add-ons and phishing campaign are likely run by a Russian group due to the presence of “multiple signals pointing to a Russian-speaking threat actor.” The signals include Russian-language comments in the extension’s code.
The cybersecurity firm has advised crypto users to install add-ons only from verified publishers and to be cautious of high-rated extensions. It has also asked users to create an allowlist, treat browser extensions as full software assets, and implement continuous monitoring.
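One way to act on the allowlist and monitoring advice, as an added example that is not from the article or from Koi Security: audit the add-on inventory Firefox keeps in a profile's extensions.json against a list of approved add-on IDs, and escalate any unapproved add-on whose display name uses one of the wallet brands named above. The add-on IDs, the sample inventory and the function name are constructed for illustration.

```python
import json

# Wallet brands named in the article; matched case-insensitively.
WALLET_BRANDS = ("metamask", "trust wallet", "coinbase", "bitget")

def audit_addons(extensions_json, allowlist):
    """Return sorted (severity, id, name) for each extension not on the allowlist.

    extensions_json: text of a Firefox profile's extensions.json
    allowlist: set of approved add-on IDs (maintained by the defender)
    """
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        location = addon.get("location", "")
        if location.startswith("app-builtin") or location == "app-system-defaults":
            continue  # components bundled with Firefox itself
        addon_id = addon.get("id", "")
        if addon_id in allowlist:
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        # An unapproved add-on using a wallet brand matches the lookalike
        # pattern the article describes, so it is escalated.
        lookalike = any(brand in name.lower() for brand in WALLET_BRANDS)
        findings.append(("HIGH" if lookalike else "REVIEW", addon_id, name))
    return sorted(findings)

# Constructed sample inventory; all IDs below are placeholders, not real add-ons.
SAMPLE = json.dumps({"addons": [
    {"id": "approved-wallet@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask"}},
    {"id": "{00000000-0000-4000-8000-000000000001}", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask Wallet Pro"}},
    {"id": "notes@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Quick Notes"}},
    {"id": "default-theme@example.invalid", "type": "theme",
     "location": "app-builtin", "defaultLocale": {"name": "System theme"}},
]})
ALLOWLIST = {"approved-wallet@example.invalid"}

if __name__ == "__main__":
    for severity, addon_id, name in audit_addons(SAMPLE, ALLOWLIST):
        print(f"{severity:6} {addon_id}  {name!r}")
```

Run on a schedule against each managed profile, the same check doubles as the continuous monitoring step: any new finding means an extension appeared that nobody approved.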
The fake Firefox extensions join other tactics, such as fake GitHub repositories, counterfeit phones, and physical mail, that threat actors use to steal crypto.
With the fake Firefox add-ons discovered, Firefox will likely remove them from its extension store.
The post Scammers Create Fake Firefox Extensions Impersonating Top Wallets appeared first on FullyCrypto.
Filed under: Bitcoin - @ July 6, 2025 8:23 am