📌 Major Warning: Malicious Firefox Extensions Stealing Wallet Data
A widespread campaign involving dozens of fake Firefox extensions is currently targeting cryptocurrency users globally. These extensions impersonate popular wallet tools—such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Ethereum Wallet, and Filfox—with one clear goal: silently steal wallet credentials the moment users visit their legitimate sites.
🛠️ How the Attack Works
- Credential theft: Malicious extensions extract wallet seed phrases and login details directly from wallet websites.
- Exfiltration: Data, including your external IP address, is sent to an attacker-controlled server—likely to track and target victims.
- Stealthy updates: These extensions are designed to mimic genuine behavior, while transparently installing harmful code.
- Trust tactics: Fake 5-star reviews, proper branding, and cloned open-source code make detection difficult.
The campaign, identified by security researchers, has been active since April 2025 and shows no signs of stopping, with new malicious extensions appearing in the Firefox Add-ons store as recently as last week.
🕵️ Attribution & Technical Insights
Analysts suspect a Russian-speaking threat actor behind the campaign based on:
- Russian comments found in the extension code,
- Metadata in a PDF from the attacker’s command-and-control server.
While full attribution remains uncertain, these clues suggest serious groundwork and ongoing operation.
✅ Recommendations to Stay Secure
To protect yourself and your assets:
- Install only verified extensions from official publishers.
- Treat extensions like full software—vet and monitor them continuously.
- Maintain an allow-list of trusted add-ons only.
- Regularly audit installed extensions for suspicious changes or updates.
- Access wallet platforms directly—type URLs manually rather than clicking unknown links.
🧠 Why This Matters
As browser extensions gain deeper privileges, they become powerful tools for attackers. Hijacked wallets can lead to irreversible asset loss. Furthermore, criminals are capitalizing on AI-era hallucinations—where users may trust auto-generated links or extension suggestions.
🧩 List of Potentially Compromised Extensions
Here’s a high-level view of some of the fake extensions identified:
- bitget-by-addon
- bitget-by-addons
- bitget-extension
- btc-wallet
- coinbasewallet
- developer-trust
- eth-for-edition
- eth-wallet
- ethereum-wallet
- ethereum-wallet-crypto
- fil-project
- filfox
- filfox-wallet
- is-a-block-explorer
- keplr-wallet
- leap-wallet
- metamask-addons
- metamask-crypto-official
- metamask-for-firefox
- metamask-for-wallet
- metamask-the-extension
- metamaskext
- mew-wallet-ethereum-defi-web3
- mymonero-wallet
- official-metamask
- official-metamask-wallet
- okx-add
- okx-addons
- okx-wallet-extension
- okx-wallet-extension1
- phantom-ext-off
- phantom-wallet-extension
- trust-app
- trust-application
- trust-bestwallet
- trust-cryp
- trust-developer
- trust-extension-wallet
- trust-for-mozilla
- trust-wallet-mozilla-add
- wallet-for-bitcoin
- wallet-for-trusr-crypto-wallet
- wallet-for-trust
- wallet-metamask-crypto-wallet
⚠️ If you’ve installed any wallet extension recently, check its authenticity and permissions immediately.
Domains linked to the phishing infrastructure include:
exodlinkbase.digitalavalancheproject.digitalallextdev.worldsuirokboys.digital
🔍 Final Word
Crypto-savvy users must stay wary—credible wallets are not always what they seem. Malicious Firefox extensions with cloned branding and fake reviews are being used to harvest credentials and drain wallets silently.
Protect your assets: only use verified, well-known wallet add-ons, run regular security checks, and avoid blindly trusting search-recommended extensions. With vigilance and safe browsing habits, you can defend against these sneaky attacks before it’s too late.
