A major security warning has surfaced for cryptocurrency users after researchers uncovered over 40 malicious extensions on the Mozilla Firefox Add-ons Store. These extensions were not harmless tools; they were fakes created to steal users’ crypto wallet information, including secret keys and seed phrases. Many of these fake add-ons managed to stay on the store for months, exposing thousands of users to theft without their knowledge.
The campaign was discovered by cybersecurity teams at Koi Security and SlowMist. According to their investigation, attackers had copied open-source wallet extensions like MetaMask, Coinbase Wallet, Trust Wallet, Phantom, Exodus, and several others. They modified these clones by inserting hidden code that would silently capture private wallet data once the extension was used. The stolen information, including seed phrases and IP addresses, was then sent to hacker-controlled servers.
To make these malicious extensions appear legitimate, the attackers used fake 5-star reviews to boost visibility and gain trust. In many cases, the number of positive reviews didn’t even match the number of actual installs, clearly showing that the feedback was fake. Despite this suspicious activity, many of these extensions remained live in the Firefox store long enough to potentially cause serious damage.
The threat posed by these extensions is far greater than a typical phishing scam. Unlike fake websites or scam emails, this attack operates entirely inside the browser. Once installed, the extension looks and behaves like the real wallet app, giving no reason for users to suspect foul play. But in the background, it’s constantly monitoring activity, waiting for the user to enter sensitive information. Once it detects a seed phrase or private key, the data is captured and instantly transmitted to the hackers.
Some clues in the code, such as Russian-language comments and domain registration information, suggest that the attackers may be Russian-speaking. This isn’t yet confirmed, but it points to a well-organized operation with a clear goal: stealing as much cryptocurrency as possible from unsuspecting users.
What makes this situation even more alarming is how long these extensions were active. Reports show that some of them were uploaded as early as April 2025, and new versions continued to appear as recently as July. Even after warnings were issued, some of the extensions remained online, raising questions about how quickly browser stores like Firefox’s can respond to such threats.
Mozilla has since taken action by removing most of the malicious extensions and working on better systems to detect fake add-ons. However, experts believe that this type of attack may happen again, especially as more users rely on browser-based wallets to manage their crypto assets. The attackers clearly knew what they were doing and designed the extensions to avoid detection for as long as possible.
If a user installed one of these malicious extensions and entered their wallet credentials, their assets are likely already at risk or gone. Unlike a stolen password or credit card number, crypto wallet seed phrases can’t be changed or reset. Once someone has your seed phrase, they have full and permanent access to your funds.
This attack is a powerful reminder that crypto users need to be extremely cautious, even when installing tools from official browser stores. Just because an extension is listed on a well-known platform doesn’t mean it’s safe. Reviews can be faked, names can be copied, and interfaces can be cloned. The best way to stay safe is by downloading extensions only from official sources and double-checking everything before trusting it with your wallet data.
In the end, this wasn’t just a random scam; it was a carefully planned and widespread campaign aimed at stealing digital assets. As always in crypto, once the money is gone, there’s no getting it back. Staying one step ahead is the only option.
Stay alert, and keep your security measures updated!



