Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label Firefox Hacks. Show all posts

Fake Firefox Extensions Mimic Crypto Wallets to Steal Seed Phrases

 

Over 40 deceptive browser extensions available on Mozilla Firefox’s official add-ons platform are posing as trusted cryptocurrency wallets to steal user data, according to security researchers. These malicious add-ons are camouflaged as popular wallet brands such as MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, MyMonero, OKX, and Keplr. 

Behind their familiar logos and fake five-star reviews lies code designed to exfiltrate wallet credentials and seed phrases to servers controlled by attackers. Cybersecurity firm Koi Security, which discovered this threat campaign, suspects a Russian-speaking hacking group is responsible. In a report shared with BleepingComputer, the firm revealed that the fraudulent extensions were modified versions of legitimate open-source wallets, altered to include stealthy monitoring code. 

These extensions monitor browser input for strings that resemble wallet keys or recovery phrases — often identified by their length and character patterns. Once such sensitive input is detected, the information is covertly sent to attackers. To avoid suspicion, the extensions suppress error messages or alerts by rendering them invisible. The most critical data targeted are seed phrases — multi-word recovery codes that serve as master keys for crypto wallets. Anyone with access to a seed phrase can irreversibly drain all assets from a user’s wallet. 

The campaign has reportedly been active since at least April 2025, and new malicious add-ons continue to appear. Some were added as recently as last week. Despite Mozilla’s efforts to flag and remove such add-ons, Koi Security noted that many remained live even after being reported through official channels. The fake extensions often feature hundreds of fraudulent five-star reviews to build trust, although some also have one-star ratings from victims warning of theft. 

In many cases, the number of reviews far exceeds the number of downloads — a red flag missed by unsuspecting users. Mozilla responded by confirming that it is aware of ongoing threats targeting its add-ons ecosystem and has already removed many malicious listings. The organization has implemented a detection system that uses automated tools to flag suspicious behavior, followed by manual review when necessary.

In a statement to BleepingComputer, Mozilla emphasized its commitment to user safety and stated that additional measures are being taken to improve its defense mechanisms. As fake wallet extensions continue to circulate, users are urged to verify the authenticity of browser add-ons, rely on official websites for downloads, and avoid entering recovery phrases into any untrusted source.

Almost Half of Tor sites compromised by FBI [Exclusive details]

As many of you might know the US has been pushing for the extradition of Eric Eoin Marques who an FBI agent has called as "the largest facilitator of child porn on the planet."

But most of you might not know that he is also the owner of "freedom hosting" the largest hosting provider for .onion sites within the TOR network . This means that all the sites hosted by "freedom hosting" are at the hands of the FBI. As you can see from the above linked article freedom hosting has been accused of hosting child pornography for a very long time.

I also have a fair idea on how the FBI did the "impossible", tracing a person who is using Tor.And they further might have found details on all the people visiting sites hosted by freedom hosting. First have a look at what a person posted on pastebin on Aug 3rd http://pastebin.com/pmGEj9bV he says he found this code in the main page of "freedom host" this further links to this exploit http://pastebin.mozilla.org/2776374 .





This is my analysis of the exploit ( I have not looked into it deeply as I am busy with my exams)
1. It is a 0 day for the Firefox version that comes as default with the "TOR Browser Bundle"
2. The code says "version >=17 && version <18" checks if the browser is the right version that the exploit works on .

It also has an another check
var i = navigator.userAgent.indexOf("Windows NT");
        if (i != -1)
                return true;
        return false;




3.It also manages to gather the Real IP of the user and possibly execute a malicious payload that might give the attacker full access to the system.
4. This exploits works because the people at TOR project had made it such that Javascript is loaded by the built in browser by default (this was not the case before and people who had their "no script" plugin with proper setting "disallowed" are safe)
5.Please note that is NOT a zero day for the TOR network but rather an exploit for the Firefox version that most TOR users are running.

Tor's official reply: https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting


Though the action's done by the FBI to take down child pornography in the TOR network is appreciated by all of us, many of the legitimate sites hosted by freedom hosting are also down .They should make sure that what they do does not kill the freedom and anonymity that the TOR network stands for.


Edit 1: Here are a few other deeper analysis I found --> http://pastebin.mozilla.org/2777139 , http://tsyrklevich.net/tbb_payload.txt

PS: If you have anything more that you would like to be added to this article or any corrections you can contact me on Twitter https://twitter.com/SuriyaMe 

Firefox Russian Website hacked and defaced by T34M PakleetS

www.firefox.ru website is hacked and defaced by T34M Pakleets.
This is what hacker said:
HackeD by T34M PakleetS

Everyday Someone Get Hacked Today is your Day

FirefoX ? O_o

Impossible only means it has not been done... Now watch what I can do

" Jus a Security Reminder"

KhantastiC HaXor - InnOcent HaCker

Th3 Vip3R - ReXor haXor

T34M PAKleetS
Defacement Screenshot: