Koi Security has shed light on a large-scale malicious campaign involving more than 40 fake Firefox extensions designed to steal crypto wallet credentials from unsuspecting users. These extensions impersonate legitimate wallet tools from well-known platforms such as Coinbase, MetaMask, Trust Wallet, and others.
The campaign, which has been active since at least April 2025, continues to upload new malicious extensions to the Firefox Add-ons store, with the latest ones appearing just last week. These extensions work by extracting wallet credentials directly from targeted websites and transmitting them to remote servers controlled by attackers.
One notable platform affected by this campaign is OKX, which issued a warning to its users in January about fake OKX Wallet Firefox extensions. The exchange urged users who had installed any malicious plugins to transfer their wallet assets immediately, and it filed complaints with Firefox officials to have the fraudulent extensions removed.
The attackers behind this campaign have employed sophisticated trust-building tactics to increase installation rates and evade detection. Many of the extensions feature hundreds of fake 5-star reviews, creating the illusion of widespread adoption and positive feedback. The extensions also meticulously mimic the branding of legitimate wallet tools, using identical names and logos to deceive users.
By cloning authentic codebases and inserting malicious logic, the attackers have managed to maintain expected user experiences while secretly exfiltrating sensitive wallet data in the background. This approach reduces development time and increases the chances of evading detection by security tools.
The malicious Firefox extension campaign is just one facet of a larger ecosystem of cryptocurrency theft methods that target both software and hardware security measures. Recent incidents include a Chinese crypto investor losing nearly $7 million after purchasing a fake cold wallet through Douyin, the Chinese version of TikTok. The counterfeit device had compromised private key generation, giving attackers complete access to funds.
In addition to software and hardware attacks, physical phishing tactics have also been on the rise. Scammers have been sending fake letters impersonating Ledger via USPS, urging users to “validate” their wallets through QR codes that lead to phishing sites designed to steal private keys.
These incidents underscore the growing threat posed by sophisticated attackers to the crypto industry. In the first half of 2025 alone, crypto investors lost over $2.2 billion to hacks, scams, and security breaches. Ethereum remained the most targeted blockchain, with over $1.6 billion in losses from security events.
As the crypto industry faces escalating threats, it is crucial for users to exercise caution and remain vigilant against malicious actors. By staying informed and adopting robust security practices, individuals can better protect their assets and safeguard against potential attacks.

