Over 40 Malicious Firefox Extensions Caught Stealing Crypto Wallet Data


Security researchers have uncovered a campaign of over 40 malicious Firefox extensions designed to steal cryptocurrency wallet credentials. Named “FoxyWallet”, this scheme impersonates legitimate wallet tools like MetaMask, Coinbase Wallet, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.

How it works

The attackers create fake extensions that look like trusted crypto wallets. They use the exact names and logos to fool users. Some extensions copy real open-source code and add malicious logic. This lets them work normally while secretly logging sensitive data.

When a victim uses a wallet site, the extension watches for long text strings, such as seed phrases or private keys. If it spots them, it sends them to attacker‑controlled servers. It also sends the user’s external IP address, likely for tracking.

Some extensions had hundreds of fake 5‑star reviews, which lend them false credibility at install time.

Scale and timeline

Koi Security researcher Yuval Ronen discovered the campaign began in April 2025. It remains active, with new malicious extensions appearing up to last week. Several remain available in Firefox Add‑ons even now.

Dark Reading reports the group used 45 fake extensions at one point. Heise confirmed more than 40 were discovered.

Who is behind it?

The campaign uses Russian‑language comments in code and metadata found on attacker servers. This hints at a Russian-speaking actor, though no confirmed attribution was made.

Why this matters

  1. Tricks trusted platforms. The fake extensions appear in Mozilla’s official store. Users expect these platforms to be safe.
  2. Hard to spot. They work like real wallet tools. So users may install them without suspicion.
  3. Data theft inside the browser. Traditional defences don’t catch browser extension threats easily.
  4. Broad reach. With over 40 extensions, millions may be affected.

Mozilla’s response

Mozilla removed most of the flagged extensions, except MyMonero Wallet, which is under review. Its Add-ons Operations Manager said fighting fake wallet extensions is a “constant cat and mouse game”.

Impact on users

Victims risk losing everything—crypto wallets could be emptied at any time. And even if an extension offers real functionality, it may leak your keys behind the scenes.

How to stay safe

Follow these steps:

  • Install extensions only from verified, trusted publishers. Don’t rely only on ratings.
  • Treat extensions like any software. Vet it before installing.
  • Limit permissions. Avoid extensions asking for broad access unless needed.
  • Monitor installed extensions. They may auto-update with hidden malware. Develop a whitelisting policy for teams.
  • Use hardware wallets when possible. This keeps keys offline.
  • Consider setting up continuous monitoring or scanning of extension behavior.

A broader trend

This incident is part of a wider wave of browser extension abuse:

  • Earlier cases involved fake gaming extensions in Chrome and Firefox that redirected users to scam sites, hijacked sessions, or stole OAuth tokens.
  • Other examples include “GimmeGimme” shopping hijackers, “VPN Grab A Proxy Free” spyware, and “CalSyncMaster” OAuth token stealers.

The techniques have evolved. What started with redirects now includes extracting private data or tokens.

Why it matters to businesses

Corporate users may add dangerous extensions unknowingly. These tools can leak credentials or sensitive data. Enterprises should enforce policies, audits, and allow‑lists for extensions.
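One way to run the extension audit and allow-list check recommended here and under "How to stay safe" (an added example, not code from the article, Koi Security or Mozilla). It assumes a Firefox profile's `extensions.json` lists add-ons under `addons` with `id`, `type`, `location`, `defaultLocale.name` and `userPermissions`; the function name, allow-list and sample entries are constructed for illustration.

```python
import json

# Wallet brands the article lists as impersonated by the campaign.
BRANDS = ("metamask", "coinbase wallet", "trust wallet", "phantom", "exodus", "okx",
          "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox")
# Host patterns that grant access to every site (assumed review threshold).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_json, allow_list):
    """Return a finding for each user-installed extension that is off the
    allow-list, reuses a wallet brand name, or holds all-sites access."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        # Assumption: user-installed extensions have type "extension" and
        # location "app-profile"; themes and built-in add-ons are skipped.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        perms = addon.get("userPermissions") or {}
        granted = set(perms.get("permissions") or []) | set(perms.get("origins") or [])
        reasons = []
        if addon.get("id") not in allow_list:
            reasons.append("not on allow-list")
            if any(brand in name.lower() for brand in BRANDS):
                reasons.append("wallet brand name on unapproved ID")
        if granted & BROAD:
            reasons.append("all-sites access")
        if reasons:
            findings.append({"id": addon.get("id"), "name": name, "reasons": reasons})
    return findings

# Constructed sample in the shape of a profile's extensions.json (not real add-ons).
ALLOW_LIST = {"approved-wallet@example.org"}
SAMPLE = json.dumps({"addons": [
    {"id": "approved-wallet@example.org", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Trust Wallet"},
     "userPermissions": {"permissions": ["storage"], "origins": ["https://wallet.example.org/*"]}},
    {"id": "lookalike@example.net", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "MetaMask Wallet"},
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
    {"id": "theme@example.org", "type": "theme", "location": "app-profile",
     "defaultLocale": {"name": "Dark Phantom"}, "userPermissions": None},
    {"id": "builtin@example.org", "type": "extension", "location": "app-builtin",
     "defaultLocale": {"name": "Built-in helper"},
     "userPermissions": {"permissions": [], "origins": ["<all_urls>"]}},
]})

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE, ALLOW_LIST):
        print(finding["id"], finding["name"], "; ".join(finding["reasons"]))
```

The brand match is a plain substring test, so short names such as "okx" or "leap" can produce false positives; treat findings as a review queue, with the allow-list of extension IDs as the deciding control.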

Final thoughts

The discovery of 40+ FoxyWallet extensions shows how attackers now exploit browser extensions targeting crypto users. These extensions mimic trusted tools, work like them, but secretly steal data.

Browsers and extension stores are not safe by default. Users must be extra cautious. Treat every extension like software. Check source, permissions, and behaviors. Businesses should adopt governance and monitoring tools.

The window to detect malicious behavior is small—once your keys are taken, the damage is done. Stay alert. Keep control of what runs in your browser. That’s the key to real protection in today’s threat landscape.

June Bauer

Pop cultureaholic, Technology expert, Web fanatic and a Social media geek. If you have any questions or comments please feel free to email her at june@thecoinspost.com or contact her on X @JuneTBauer1
