A report from cybersecurity firm Koi Security brings to light a new cryptocurrency scam that has used over 40 fake Firefox extensions to steal cryptocurrency from users.
This is the latest in a wave of cyberattacks that have targeted the crypto community since early 2025.
How does the theft happen?
The fake browser add-ons reportedly impersonate popular crypto wallets such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, and Bitget. Once installed, these malicious extensions steal users’ wallet login information and send it to the hackers to facilitate the theft.
The impersonated add-ons mimic authentic extensions, using copied logos, names, and fake five-star reviews to deceive users.
In some cases, the attackers took a more elaborate approach: they used the real open-source code of official wallet extensions and added hidden malicious features to it.
“This low effort, high impact method allowed the attacker to keep the user experience the same while avoiding quick detection.”
Cybersecurity firm Koi Security
Who could be behind the hack?
Koi Security suspects the hackers may be Russian-speaking, given that the team found Russian language in some of the code and documents connected to the malware servers.
However, a concrete conclusion is yet to be drawn.
In other developments, yesterday the U.S. Treasury Department sanctioned Aeza Group, a Russia-based bulletproof hosting (BPH) service, for allegedly helping cybercriminals carry out ransomware campaigns and information theft.
Meanwhile, Koi Security said the campaign has been active since at least April, and that new extensions were still being uploaded as recently as last week.
Further excerpts advise users to download extensions only from verified developers, keep a close watch on which extensions are installed, and treat all browser extensions like full software programs.