Cybersecurity firm Koi has issued a warning after uncovering over 40 fake crypto wallet extensions listed in Mozilla’s official Firefox browser add-on store.
These malicious extensions mimic legitimate crypto wallets such as MetaMask, Coinbase Wallet, Rabby Wallet, and others, with the goal of stealing users’ sensitive information.
The fake crypto wallet specifically targets mnemonic phrases (also known as seed phrases), which are used to access and recover wallets.
Fake Wallet Extensions Imitate Official Versions to Steal User Credentials
The fake plug-ins were designed to closely resemble the official versions, deceiving users into entering their credentials.
Once the mnemonic is entered, attackers gain full access to the victim’s crypto holdings. Koi noted that the extensions were well-disguised and targeted users of widely used Ethereum-compatible wallets.
The discovery raises serious concerns about browser extension security and the potential for phishing and theft within the crypto ecosystem.
At present, Mozilla has since removed the malicious extensions. The incident highlights the importance of verifying the authenticity of wallet tools and browser add-ons, even from official stores.
Users are urged to download extensions only from verified sources, cross-check developer credentials, and never input their seed phrases into unfamiliar browser pop-ups.
The incident serves as a stark reminder of the evolving threats in the digital asset space and the need for constant vigilance.
Koi: Fake Wallet Extension Campaign Active Since April, Still Ongoing
Koi revealed that the malicious campaign involving fake crypto wallet extensions has been active since at least April 2025.
Interestingly, new uploads are appearing as recently as last week.
The timeline suggests the operation is not only ongoing but also persistent and evolving. Attackers continue to update and re-upload deceptive extensions to the Firefox Add-ons store, targeting popular wallets like MetaMask and Coinbase Wallet.
The fact that new variants are still emerging points to an organized effort aimed at stealing seed phrases from unsuspecting users.
Koi’s findings underscore the need for urgent action by browser platforms to tighten extension vetting processes and for users to exercise extreme caution when installing wallet-related tools—even from official sources.
Also Read: Cointelegraph Front-End Hacked, Warns Users After Fake Airdrop Scam
Malicious Firefox Extensions Steal Wallet Credentials and Transmit Data to Attacker Servers
The malicious Firefox extensions were designed to extract wallet credentials directly from popular crypto wallet websites and send them to a remote server controlled by the attackers.
Upon activation, these extensions also transmitted users’ external IP addresses, likely to enable further tracking or more targeted attacks.
To appear trustworthy, the attackers exploited common marketplace trust signals—such as logos, functionality, and user interface similarity—to mimic legitimate tools.
A key tactic was review inflation: many fake extensions had hundreds of fake 5-star reviews, far exceeding the actual number of users.
This manipulation helped boost visibility and credibility, tricking users into downloading them. The campaign reveals how attackers weaponize trust features to distribute malware through official browser stores.
Also Read: CoinMarketCap Frontend Gets Compromised, Hacker Displays ‘Fake Wallet Verification Alert’