While Mozilla Firefox users thought they were downloading legitimate cryptocurrency wallet extensions, cybercriminals were quietly orchestrating one of the largest extension-based theft campaigns in recent history. Over 40 fake cryptocurrency wallet extensions have infiltrated Mozilla’s Add-ons store since April 2025, impersonating trusted names like MetaMask, Coinbase, Trust Wallet, and Phantom.
These digital wolves in sheep’s clothing look convincingly real. They sport official logos, use identical names, and come packed with suspiciously perfect 5-star reviews. Don’t be fooled: those reviews do not come from enthusiastic users but are part of a calculated scheme to gain your trust and, ultimately, your crypto. Russian-language comments found in the source code suggest the involvement of Russian-speaking threat actors.
They are sophisticated forgeries designed to earn your confidence before emptying your digital wallet.
The attackers’ playbook is clever yet devastating: clone open-source wallet extensions, inject malicious code, then wait for unsuspecting users to hand over their seed phrases. Once installed, these extensions silently collect your wallet credentials and ship them straight to cybercriminals who can drain your accounts faster than you can say “blockchain.” The malicious extensions, part of a campaign dubbed “FoxyWallet,” specifically filter for realistic wallet keys or seed phrases.
What makes this attack particularly nasty? The transactions appear completely legitimate on the blockchain—irreversible and untraceable. Your money vanishes, with no hope of recovery. This is precisely why legitimate cryptocurrency platforms enforce KYC requirements to help prevent fraud and identify potential criminal activity.
Mozilla acknowledges the problem, describing it as a “constant cat and mouse game” with malware authors. They’ve removed hundreds of scam extensions and implemented early detection systems, but new malicious add-ons continue appearing weekly.
Protect yourself with these no-nonsense steps: Only install extensions directly from official wallet websites—never through browser stores. Check the publisher’s identity carefully. Those random 5-star reviews? Scroll past them and look for detailed, specific feedback instead. Better yet, use an allow list that restricts installation to pre-approved extensions only.
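The allow-list step can be enforced through Firefox’s enterprise policy (`ExtensionSettings`) and checked against what is already installed. The following is an added example, not code from the original article or from Mozilla; the add-on IDs, the sample inventory and its `id`/`name` fields are constructed placeholders and assumptions.

```python
import json

# Brand names the campaign impersonated, as listed in the article.
WALLET_BRANDS = ("metamask", "coinbase", "trust wallet", "phantom")

# Constructed placeholder IDs; substitute the add-on IDs you have vetted.
APPROVED_IDS = {"approved-wallet@example.invalid", "approved-adblock@example.invalid"}

# Constructed sample inventory; the id/name fields are an assumed export format.
SAMPLE_INVENTORY = [
    {"id": "approved-wallet@example.invalid", "name": "MetaMask"},
    {"id": "lookalike-1@example.invalid", "name": "MetaMask Wallet"},
    {"id": "notes-tool@example.invalid", "name": "Quick Notes"},
]


def build_policy(approved_ids):
    """Build a Firefox policies.json document: block all add-ons, allow vetted IDs."""
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": "Only pre-approved extensions may be installed.",
        }
    }
    for addon_id in sorted(approved_ids):
        settings[addon_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}


def audit(inventory, approved_ids, brands=WALLET_BRANDS):
    """Report installed add-ons that are not on the allow list."""
    findings = []
    for addon in inventory:
        if addon["id"] in approved_ids:
            continue
        # An unapproved add-on using a wallet brand name matches the impersonation pattern.
        lookalike = any(brand in addon["name"].casefold() for brand in brands)
        findings.append({"id": addon["id"], "name": addon["name"],
                         "severity": "high" if lookalike else "review"})
    return findings


if __name__ == "__main__":
    print(json.dumps(build_policy(APPROVED_IDS), indent=2))
    for finding in audit(SAMPLE_INVENTORY, APPROVED_IDS):
        print(finding)
```

Firefox reads the generated document from `policies.json` in the `distribution` directory of its installation.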