A new cyberattack campaign has been uncovered, targeting users of browser-based cryptocurrency wallets through seemingly legitimate Firefox add-ons. More than 40 malicious extensions—many of which remained live in the official Mozilla Firefox Add-on Store—have been found to impersonate popular wallets such as MetaMask, Coinbase Wallet, and Trust Wallet. Once installed, these extensions silently exfiltrate seed phrases, private keys, and session data, compromising user access to crypto holdings.
As NUME.ch reports, citing findings by cybersecurity firm Koi Security and coverage by heise online, the extensions mimic the UI and branding of legitimate wallet tools. They feature identical icons, descriptions, and even redirect users to official wallet websites in their metadata fields. Thousands of users may already be affected.
A Shift in Browser-Level Threats
The extensions operate by injecting malicious code into wallet-related websites. Using JavaScript-based DOM manipulation, they monitor and extract input data—such as passwords and recovery phrases—in real time. The data is transmitted to attacker-controlled servers, often using encrypted traffic through Tor or reverse proxies. The extensions also log users' IP addresses, likely for geo-targeting or profiling.
Each extension is crafted to appear legitimate. Some even leverage open-source code from real wallets, modifying only small portions to include surveillance and exfiltration functions. This hybrid of functional imitation and data theft has proven effective at bypassing user suspicion and store-level screening.
Affected Wallets and Ecosystems
The attack campaign does not target a single ecosystem. Instead, it spans Ethereum, Solana, Cosmos, and other blockchain platforms. The following wallets have been reported as being spoofed:
- MetaMask
- Coinbase Wallet
- Trust Wallet
- Exodus
- Phantom
- Keplr
- Leap
- MyMonero
- Filfox
- Bitget
- OKX
The add-ons are listed under names such as “MetaMask Secure”, “Wallet Pro 2025”, or “Official Crypto Tools”—variants that are intentionally close to official products.
Indicators of Russian-Origin Attackers
Koi Security’s investigation suggests that the threat actors may be linked to Russian-speaking groups. Multiple source code comments in the extensions contain Cyrillic characters and Russian-language technical terms. Configuration files from at least one command-and-control server also included metadata fields written in Russian. While there is no direct attribution to state-backed entities, the campaign shows a high degree of coordination and infrastructure use reminiscent of prior Eastern European cyber operations.
Structural Failure in Add-on Stores
Despite being hosted on Mozilla’s official Add-on Store, these extensions evaded automated reviews for weeks. Current store policies allow publishers to upload updates with minimal vetting. Malicious actors used this window to introduce data-theft logic into previously benign extensions or submit new ones under fake developer identities.
This incident reflects a broader vulnerability in browser ecosystems. While Chrome and Edge have faced similar attacks in the past, the scale and variety of wallet spoofing seen here are unprecedented.
What Users and Organizations Should Do Now
For users
- Review installed Firefox add-ons immediately
- Uninstall any unknown or non-essential wallet-related extensions
- Only install wallet tools via official links from wallet developers
- Never store recovery phrases or keys inside browsers
- Use hardware wallets for high-value assets
For organizations
- Implement allowlists for approved extensions
- Monitor browser extension behavior on employee devices
- Treat browser extensions as software with risk potential
- Include browser-layer security in incident response protocols
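The review and allowlisting steps above can be scripted. The following Python audit is an added example for this article, not code from Koi Security, Mozilla, or any wallet vendor. It assumes the layout of Firefox's per-profile extensions.json as commonly observed (an "addons" list whose entries carry "id", "type", "active", "sourceURI", "userPermissions" and "defaultLocale.name"); the extension ids in the allowlist are placeholders, and the inventory it runs against is constructed. It flags active extensions that are not on the allowlist, that borrow one of the wallet brand names listed in this article, that request broad host permissions (the capability a DOM-level input grabber needs), or that were installed from outside addons.mozilla.org, and it emits a Firefox enterprise policy (ExtensionSettings) that blocks everything except the allowlisted ids.

```python
"""Audit a Firefox profile's extension inventory against an allowlist.

Added example for this article; not code from Koi Security, Mozilla or any
wallet vendor. Assumes the commonly observed layout of extensions.json; the
allowlist ids are placeholders and SAMPLE_INVENTORY is constructed.
"""
import json
from pathlib import Path

# Placeholder ids for extensions an organisation has approved (assumption).
ALLOWLIST = {
    "approved-wallet@example.test",
    "uBlock0@raymondhill.net",
}

# Wallet brands named in the article; a name that borrows one of these while
# not being on the allowlist deserves a closer look (simple substring match).
WALLET_BRANDS = [
    "metamask", "coinbase wallet", "trust wallet", "exodus", "phantom", "keplr",
    "leap", "mymonero", "filfox", "bitget", "okx",
]

# Host permissions broad enough to read form inputs on any site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_inventory(inventory: dict) -> list:
    """Return one finding per active extension that deserves review."""
    findings = []
    for addon in inventory.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active", False):
            continue  # themes, dictionaries and disabled add-ons are skipped
        ext_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        source = addon.get("sourceURI") or ""
        origins = set((addon.get("userPermissions") or {}).get("origins", []))
        reasons = []
        if ext_id not in ALLOWLIST:
            reasons.append("not on allowlist")
            hits = [b for b in WALLET_BRANDS if b in name.lower()]
            if hits:
                reasons.append(f"name borrows wallet brand {hits[0]!r}")
        if origins & BROAD_HOSTS:
            reasons.append("requests broad host permission")
        if source and not source.startswith("https://addons.mozilla.org/"):
            reasons.append("installed from outside AMO")
        if reasons:
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


def audit_profile(profile_dir: str) -> list:
    """Audit the extensions.json of a real profile directory."""
    data = json.loads(Path(profile_dir, "extensions.json").read_text())
    return audit_inventory(data)


def build_policy(allowlist=ALLOWLIST) -> dict:
    """Firefox enterprise policy: block every extension not on the allowlist."""
    settings = {"*": {"installation_mode": "blocked",
                      "blocked_install_message": "Only approved extensions may be installed."}}
    for ext_id in sorted(allowlist):
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}


# Constructed sample inventory: one approved wallet, one impersonator, one theme.
SAMPLE_INVENTORY = {
    "schemaVersion": 37,
    "addons": [
        {"id": "approved-wallet@example.test", "type": "extension", "active": True,
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/0000/placeholder.xpi",
         "userPermissions": {"origins": ["https://wallet.example.test/*"]},
         "defaultLocale": {"name": "Approved Wallet"}},
        {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension", "active": True,
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/0000/placeholder2.xpi",
         "userPermissions": {"origins": ["<all_urls>"]},
         "defaultLocale": {"name": "MetaMask Secure"}},
        {"id": "old-theme@example.test", "type": "theme", "active": True,
         "defaultLocale": {"name": "Dark Theme"}},
    ],
}

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding['name']} ({finding['id']}): " + "; ".join(finding["reasons"]))
    print(json.dumps(build_policy(), indent=2))  # drop into distribution/policies.json
```

On the constructed inventory the approved wallet produces no finding, while "MetaMask Secure" is reported for not being allowlisted, borrowing a wallet brand name, and holding all-URL host access. Brand matching is a substring heuristic, so treat its output as a review queue rather than a verdict; the allowlist check and the generated policy are what actually close the gap the article describes.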
Bottom Line
This campaign demonstrates a critical and ongoing security failure: browser stores remain a weak point in the software trust chain. Until stronger verification mechanisms are adopted, both users and enterprise teams must act independently to minimize exposure. The FoxyWallet operation may just be one of several active campaigns currently running under the surface of trusted platforms. The attack is ongoing, and the next malicious extension may already be live.