Over 40 Malicious Crypto Wallet Extensions Found on Firefox Add-Ons Store

 

In a disturbing cybersecurity development, researchers at Koi Security have uncovered more than 40 malicious Firefox browser extensions impersonating popular cryptocurrency wallets. These extensions, found on Mozilla’s official add-ons store, are designed to steal sensitive wallet credentials and recovery phrases from unsuspecting users. The deceptive add-ons pose as legitimate wallets from major crypto service providers including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero. 

By cloning the open-source versions of these tools and embedding malicious code, the attackers aim to harvest users’ seed phrases—sensitive keys that grant full access to cryptocurrency funds. According to Koi Security’s report shared with BleepingComputer, the malicious extensions include event listeners that monitor users' activity in the browser. These scripts specifically look for text inputs longer than 30 characters—a common trait of seed phrases—and quietly send the captured data to attacker-controlled servers. Error messages that could potentially alert users are cleverly hidden using CSS tricks that make the alerts invisible. 

The theft of a seed phrase enables full access to a user's crypto wallet and is often irreversible, with the fraudulent transaction appearing legitimate on the blockchain. The campaign has reportedly been active since at least April, and new extensions continue to surface on the Firefox store, with the latest additions detected just last week.

Many of the fraudulent extensions use authentic logos of trusted brands and are bolstered by fake five-star reviews to enhance credibility. However, some also display one-star warnings from users who likely fell victim to the scam.

Mozilla has acknowledged the issue, confirming it is part of a broader trend targeting the Firefox add-ons ecosystem. The company says it has deployed an early detection system that flags risky extensions based on automated risk indicators, triggering manual reviews for further action.

In a statement to BleepingComputer, a Mozilla spokesperson said, “We are aware of attempts to exploit Firefox’s add-ons ecosystem using malicious crypto-stealing extensions. Through improved tooling and process, we have taken steps to identify and take down such add-ons quickly.” Mozilla noted that many of the add-ons highlighted by Koi Security had already been removed before the publication of the report. However, the company continues to review remaining flagged extensions and has reaffirmed its commitment to user safety. 

Despite Mozilla's efforts, Koi Security says several of the fake extensions remain live on the platform. The cybersecurity firm used Mozilla’s official reporting tools to alert the company but stresses that more action is needed. 
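The traits reported above (input listeners, a length check around 30 characters, an attacker-controlled destination, CSS that hides errors) can be turned into a quick triage pass over an unpacked extension. The script below is an added example, not code from Koi Security or Mozilla; the patterns, the threshold, the reviewer-supplied host allowlist and the `collector.example` / `wallet.example` names are assumptions made for illustration.

```javascript
// Patterns and the >= 30 threshold are assumptions based on the behaviour
// described in the article; this is a triage heuristic, not a verdict.
const LISTENER = /addEventListener\(\s*["'`](input|change|keyup|paste)["'`]/;
const LENGTH_CHECK = /\.length\s*>=?\s*(\d+)/g;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;
const HIDDEN_ERROR =
  /(error|alert|warning)[^{}]*\{[^}]*(display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d]))/i;

// True when host is an expected domain or a subdomain of one.
function isAllowed(host, allowed) {
  return allowed.some((a) => host === a || host.endsWith("." + a));
}

// files: { path: sourceText } from an unpacked .xpi; allowedHosts: domains
// the genuine wallet is expected to contact (supplied by the reviewer).
function triageExtension(files, allowedHosts) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    if (file.endsWith(".css")) {
      if (HIDDEN_ERROR.test(src)) findings.push({ file, rule: "hidden-error-css" });
      continue;
    }
    const longInput = [...src.matchAll(LENGTH_CHECK)].some((m) => Number(m[1]) >= 30);
    if (LISTENER.test(src) && longInput) findings.push({ file, rule: "long-input-listener" });
    const hosts = new Set([...src.matchAll(URL_RE)].map((m) => m[1].toLowerCase()));
    for (const host of hosts) {
      if (!isAllowed(host, allowedHosts)) findings.push({ file, rule: "unexpected-host", host });
    }
  }
  const rules = new Set(findings.map((f) => f.rule));
  // Genuine wallets also read long inputs; the unknown destination is the discriminator.
  const suspicious = rules.has("long-input-listener") && rules.has("unexpected-host");
  return { suspicious, findings };
}

// Constructed samples (not taken from any real extension).
const LISTEN_SRC = 'el.addEventListener("input", (e) => { if (e.target.value.length > 30) queue(e.target.value); });';
const cloned = {
  "content.js": 'const ENDPOINT = "https://collector.example/i";\n' + LISTEN_SRC,
  "popup.css": ".error-banner { opacity: 0; height: 0; }",
};
const genuine = {
  "content.js": 'const API = "https://api.wallet.example/v1";\n' + LISTEN_SRC,
  "popup.css": ".error-banner { color: red; }",
};

console.log(triageExtension(cloned, ["wallet.example"]));
console.log(triageExtension(genuine, ["wallet.example"]));
```

A hit only prioritises an extension for manual review; minified or obfuscated code will evade simple patterns like these.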

US Sanctions Philippines-Based Web Host Tied to $200 Million Crypto Scam Network

 

In a significant move against online fraud, the US Treasury Department has sanctioned a Philippines-based web hosting company accused of enabling massive cryptocurrency scams. The sanctions, announced Thursday, target Funnull Technology and its administrator, Chinese national Liu Lizhi, for allegedly supplying infrastructure to online fraudsters. 
 
According to the Treasury, Funnull played a central role in supporting websites used in “pig butchering” scams—a deceptive tactic where fraudsters lure victims into fake crypto investment schemes. The platform is accused of enabling hundreds of thousands of fraudulent websites, causing over $200 million in reported losses from US victims. The agency stated that Funnull not only hosted these fraudulent domains but also generated uniquely named websites and offered ready-made design templates to scammers. These fake investment platforms were crafted to imitate legitimate sites, showcasing fabricated returns to deceive users. 

As part of the crackdown, the FBI also issued an alert, highlighting how scammers initiate contact with victims via text messages or social media, posing as a friend or potential romantic interest. After building trust, they direct victims to invest in fake crypto platforms, ultimately stealing their assets.

“Funnull facilitates these scams by purchasing IP addresses and providing hosting services and other internet infrastructure to groups performing these frauds,” the FBI noted. The agency added that Funnull sources these services from legitimate US providers and resells them to cybercriminal networks.

This move comes amid rising concern in the US over Asia-based scam operations, many operating out of large compounds and targeting international victims, including Americans. The sanctions mark a continuing effort to disrupt the financial and technical support enabling such cybercrime at scale.