While crypto enthusiasts were busy watching their portfolios tank in 2025, cybercriminals had other plans. A massive campaign targeting Firefox users released over 40 fake crypto wallet extensions, impersonating trusted names like MetaMask, Coinbase, and Trust Wallet.
These weren’t your average low-effort scams – the attackers went all out, cloning open-source wallets and adding their own nasty surprises. The fake extensions looked legitimate enough to fool even seasoned users. Perfect logos, familiar interfaces, and hundreds of suspiciously glowing reviews. Two-factor authentication is strongly recommended to help protect against these credential theft attempts.
Sophisticated fraudsters crafted flawless wallet clones, complete with polished interfaces and fake reviews to deceive even crypto veterans.
But beneath the shiny surface lurked code designed to silently steal crypto credentials and beam them straight to Russian-speaking hackers. Once installed, these malicious add-ons would quietly extract wallet keys and seed phrases, putting users’ assets at immediate risk. Koi Security researchers discovered and documented this ongoing campaign, highlighting its sophisticated nature. Where a genuine self-custody wallet leaves the user in sole control of their keys, these fake extensions handed that control to the criminals.
Mozilla’s security measures proved about as effective as a paper umbrella in a hurricane. Many of these fake extensions remained active on the official Firefox Add-ons store for weeks or months, even after being reported. The attackers kept adapting their tactics, staying one step ahead of automated detection systems.
They’d clone legitimate open-source wallet code, inject their credential-stealing modifications, and upload new versions faster than they could be taken down. The scope of the campaign was staggering. From MetaMask to Phantom, OKX to Exodus – no major wallet brand was safe from impersonation.
The attackers even went the extra mile, collecting victims’ IP addresses for tracking purposes. This wasn’t some fly-by-night operation but a persistent, well-orchestrated assault on the crypto community.
What makes this particularly troubling is how the attackers exploited the open-source nature of many legitimate wallet extensions. By building on familiar user experiences and maintaining normal functionality, they created trojans that were nearly impossible to distinguish from the real thing.
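One defensive check that follows from the clone-and-inject pattern described above: compare the files of a published extension against the upstream open-source release it claims to be built from, and flag anything added, removed or modified, plus any permission the manifest newly requests. This is an added example, not code from the article, from Koi Security or from any wallet project; the two file trees are constructed in memory as stand-ins for an unpacked upstream build and an unpacked candidate extension, and `ExampleWallet` is a made-up name.

```python
"""
Integrity audit of a browser extension against its claimed upstream build.
Added example (constructed sample data, not the article's or any project's code).
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, List


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each relative path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def read_tree(root: Path) -> Dict[str, bytes]:
    """Read an unpacked extension (or unpacked upstream release) from disk."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(upstream: Dict[str, bytes], candidate: Dict[str, bytes]) -> dict:
    """Files present only in the candidate, only upstream, or with differing hashes."""
    up, cand = hash_files(upstream), hash_files(candidate)
    return {
        "added": sorted(set(cand) - set(up)),
        "removed": sorted(set(up) - set(cand)),
        "modified": sorted(p for p in set(up) & set(cand) if up[p] != cand[p]),
    }


def new_permissions(upstream: Dict[str, bytes], candidate: Dict[str, bytes]) -> List[str]:
    """Permissions the candidate manifest requests that the upstream manifest does not."""
    def perms(files: Dict[str, bytes]) -> set:
        manifest = json.loads(files.get("manifest.json", b"{}"))
        return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return sorted(perms(candidate) - perms(upstream))


# Constructed sample trees. The candidate carries one extra file, one edited
# script and one extra permission; the file contents are placeholders only.
UPSTREAM: Dict[str, bytes] = {
    "manifest.json": json.dumps({"name": "ExampleWallet", "version": "1.0.0",
                                 "permissions": ["storage"]}).encode(),
    "background.js": b"// upstream background script (constructed placeholder)\n",
    "popup.html": b"<html><body>wallet</body></html>\n",
}
CANDIDATE: Dict[str, bytes] = {
    "manifest.json": json.dumps({"name": "ExampleWallet", "version": "1.0.0",
                                 "permissions": ["storage", "webRequest"]}).encode(),
    "background.js": b"// upstream background script (constructed placeholder)\n"
                     b"// extra line not present upstream\n",
    "popup.html": b"<html><body>wallet</body></html>\n",
    "telemetry.js": b"// file not present upstream (constructed placeholder)\n",
}


def audit(upstream: Dict[str, bytes] = UPSTREAM,
          candidate: Dict[str, bytes] = CANDIDATE) -> dict:
    """Full report; 'suspicious' is True when anything at all diverges from upstream."""
    report = compare_trees(upstream, candidate)
    report["new_permissions"] = new_permissions(upstream, candidate)
    report["suspicious"] = bool(report["added"] or report["removed"]
                                or report["modified"] or report["new_permissions"])
    return report


if __name__ == "__main__":
    # Real use: audit(read_tree(Path("upstream_unpacked")), read_tree(Path("candidate_unpacked")))
    print(json.dumps(audit(), indent=2))
```

Compare against the upstream project's published, built artifact (the unpacked .xpi or release zip), not the raw repository source: a legitimate build differs from source through bundling and minification, and those differences would otherwise drown out the one injected file this check is meant to surface.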
Users searching for trusted tools instead found themselves installing the very thing they were trying to avoid – proof that in crypto, nothing is quite what it seems.