Crypto Theft Campaign Hits Firefox Users with Wallet Clones

More than 40 fake extensions for the popular web browser Mozilla Firefox have been linked to an ongoing malware campaign to steal cryptocurrencies, according to a report published Wednesday by cybersecurity firm Koi Security.
The large-scale phishing operation reportedly deploys extensions impersonating wallet tools such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget and others. Once installed, the malicious extensions are designed to steal users’ wallet credentials.
“So far, we were able to link over 40 different extensions to this campaign, which is still ongoing and very much alive,” the company said.
Koi Security said the campaign has been active since at least April, and the most recent extensions were uploaded last week. The extensions reportedly extract wallet credentials directly from targeted websites and upload them to a remote server controlled by the attacker.
Malware exploits trust through design
Per the report, the campaign leverages ratings, reviews, branding and functionality to gain user trust by appearing legitimate. One of the applications had hundreds of fake five-star reviews.
The fake extensions also featured identical names and logos to the real services they impersonated. In multiple instances, the threat actors also leveraged the official extensions’ open-source code by cloning their applications but with added malicious code:
“This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection.”
Russian-speaking threat actor suspected
Koi Security said “attribution remains tentative,” but suggested “multiple signals point to a Russian-speaking threat actor.” Those signals include Russian-language comments in the code and metadata found in a PDF file retrieved from a malware command-and-control server involved in the incident:
“While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group.”
To mitigate risk, Koi Security urged users to install browser extensions only from verified publishers. The firm also recommended treating extensions as full software assets, using allowlists and monitoring for unexpected behavior or updates.
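The allowlist-plus-monitoring advice above can be turned into a simple profile audit. The following is an added example, not code from Koi Security or Mozilla: it reads a constructed sample shaped like the `addons` array of a Firefox profile's `extensions.json`, flags add-ons that are not on an allowlist, whose name matches one of the wallet brands named in the report, or that have updated since they were installed. The extension IDs and timestamps are hypothetical.

```python
import json
from typing import Dict, List, Set

# Wallet brands the report says were impersonated; a name match on an
# add-on that is not allowlisted deserves a closer look.
IMPERSONATED_BRANDS = {"coinbase", "metamask", "trust wallet", "phantom",
                       "exodus", "okx", "mymonero", "bitget"}

# Hypothetical allowlist of approved extension IDs (constructed for this example).
ALLOWLIST: Set[str] = {"approved-adblocker@example.org"}

# Constructed sample modelled on the `addons` array of extensions.json,
# trimmed to the fields the check needs. Dates are epoch milliseconds.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {"id": "approved-adblocker@example.org", "version": "1.0.0",
         "defaultLocale": {"name": "Example Ad Blocker"},
         "installDate": 1712000000000, "updateDate": 1712000000000},
        {"id": "wallet-helper@example.net", "version": "2.3.1",
         "defaultLocale": {"name": "MetaMask"},
         "installDate": 1714000000000, "updateDate": 1719000000000},
    ]
})


def audit_extensions(raw_json: str, allowlist: Set[str]) -> List[Dict]:
    """Return one finding per add-on that fails any of the three checks."""
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        addon_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "")
        reasons = []
        if addon_id not in allowlist:
            reasons.append("not on allowlist")
            if name.strip().lower() in IMPERSONATED_BRANDS:
                reasons.append("name matches impersonated wallet brand")
        # Koi Security recommends watching for unexpected updates; a version
        # that changed after install is the simplest signal of that.
        if addon.get("updateDate", 0) > addon.get("installDate", 0):
            reasons.append("updated after install")
        if reasons:
            findings.append({"id": addon_id, "name": name,
                             "version": addon.get("version"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWLIST):
        print(finding)
```

On a real host, replace the sample with the contents of the profile's `extensions.json` and populate the allowlist from publishers you have verified.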