Fake Wallets Flood Firefox Store as Hackers Target Crypto Users With Malicious Extensions
Crypto users are being lured into installing fake wallet extensions on Firefox, as hackers step up attacks using copycat apps that closely mimic the real thing.
At least 40 fraudulent extensions impersonating major wallet brands—including MetaMask, Coinbase Wallet, Trust Wallet, Phantom, and Exodus—have been identified, with some still available for download in the official Firefox Add-ons store.
The malicious campaign, active since around April 2025, was exposed by cybersecurity firm Koi Security, which flagged the growing number of clones stealing users' seed phrases and transmitting data to attacker-controlled servers.
The operation shows no signs of slowing, despite removal efforts, as new fake apps continue to appear.
How Fake Wallets Are Tricking Users With Real-Looking Apps
Attackers used the open-source code from legitimate wallet projects, injecting their own malicious logic into extensions that still behaved like genuine apps.
By copying the logos, branding, and even wallet functions, the extensions appeared authentic—making them far harder for users to spot as fraudulent.
Koi Security’s analysis confirmed that once installed, these fake extensions immediately extracted wallet credentials and user IP addresses, which were then sent to attacker servers.
In some cases, the extensions remained undetected for extended periods due to their close resemblance to official tools.
Source: Koi Security
Adding to the deception, many of these malicious apps were padded with hundreds of fake five-star reviews, giving the appearance of popularity and trustworthiness.
According to Koi, this strategy helped the fraudulent extensions slip past Mozilla’s automated detection systems, which rely on signals such as low ratings and spam flags.
Is Firefox Doing Enough to Remove Malicious Extensions?
Mozilla has not issued a formal statement on the situation.
However, a blog post from its extension team noted:
“If a wallet extension reaches a certain risk threshold, human reviewers are alerted to take a deeper look. If found to be malicious, the scam extensions are blocked immediately.”
Despite these internal mechanisms, fake apps remain a persistent problem.
OKX, whose brand was spoofed in one of the fake extensions, had already warned users back in January that it had never published a Firefox wallet.
The company urged users to withdraw funds if they had installed any suspicious plugins and filed formal complaints with Mozilla.
Fake Firefox extensions posing as crypto wallets (Source: GitHub)
Russian-Origin Clues Found in Malicious Code
Koi’s investigation traced the origin of the attack to a Russian-speaking threat group.
Evidence includes code comments written in Russian and metadata from one of the command-and-control servers.
The attackers’ infrastructure remains active, with some clones still being distributed via unofficial websites, despite being pulled from official stores.
Other firms, including SlowMist, have also issued alerts, warning users that the attack remains live.
SlowMist stressed that “many users have already reported losses,” particularly among those who had searched for wallet tools without verifying the source.
Crypto Theft Hits $2.2 Billion in 2025 Amid Broader Wave of Attacks
The campaign comes during a surge in crypto-related breaches.
CertiK’s latest report shows total crypto losses exceeded $2.47 billion in the first half of 2025 alone.
Wallet-specific attacks made up a staggering $1.7 billion across 34 incidents, while phishing scams caused another $410 million in damage.
Ethereum continues to be the top target, suffering $1.6 billion in losses across 175 incidents.
The year’s largest single theft occurred in February when Bybit lost over $1.5 billion in liquid-staked ETH and MegaETH due to a smart contract exploit.
Beyond browser-based attacks, fraudsters are also targeting hardware wallets.
In China, a victim lost $7 million after buying a fake cold wallet through Douyin (TikTok’s mainland version), which was preloaded with known private keys.
Meanwhile, macOS users have been hit by malware-laced Ledger Live clones spreading through thousands of compromised websites.
Some attackers have even resorted to physical mail scams, sending fake letters impersonating Ledger via postal services to trick users into scanning malicious QR codes.
Will Regulation Ever Catch Up to Sophisticated Crypto Threats?
As crypto adoption spreads, so do the risks.
The latest Firefox wallet scam is not just a wake-up call—it’s a signal that attackers are moving faster than most security frameworks can respond.
The use of cloned open-source tools, paired with fake social proof and seamless design, shows how easy it is for attackers to weaponise trust.
Unless app stores and crypto platforms overhaul how extensions are verified, these types of breaches will remain an ongoing threat—one update away from draining everything.