Security company Koi has uncovered more than 40 fake crypto wallet extensions circulating on Firefox browser plug-in stores. These extensions are designed to trick users into thinking they are installing legitimate wallets from well-known platforms such as Coinbase, MetaMask, and OKX. Once installed, the fake extensions can steal users’ wallet login information and gain access to their funds.
The campaign involving these fake wallet extensions is described as “active, persistent, and evolving” by Koi, with the latest activity detected as recently as last week. Some of these malicious extensions are still available for download on the browser marketplace, posing a significant threat to unsuspecting users.
So, how do these fake wallets steal user credentials? The extensions extract login information directly from targeted websites and transmit it to a remote server controlled by the hackers. The fake extensions can also obtain a user’s external IP address, potentially for more sinister purposes.
To make the fake wallets appear legitimate, hackers go to great lengths to mimic the appearance of popular wallet platforms, using identical names and logos to deceive users. They even resort to tactics like review inflation, where fake extensions receive hundreds of 5-star reviews to create the illusion of widespread adoption and positive feedback.
In some cases, hackers exploit the fact that the original extensions are open source: they can insert malicious code into the legitimate code base without raising suspicion. The result keeps the expected user experience while evading detection.
To protect themselves from these fake wallet attacks, users are advised to install extensions only from verified publishers and to use an extension allow-list that restricts installations to pre-approved plugins. By remaining vigilant and scrutinizing the authenticity of browser extensions, users can minimize the risk of falling prey to such schemes.
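The allow-list advice above, as an added example (not code from Koi or from the original article): a Python script that audits the add-on records in a Firefox profile's `extensions.json` against an allow-list, flags unapproved extensions whose names resemble the wallet brands named in this article, and builds the matching `ExtensionSettings` enterprise policy. The extension IDs and the sample data are constructed placeholders.

```python
import json

# Constructed placeholder ID; replace with the IDs your organisation has approved.
ALLOWLIST = {"approved-wallet@example.invalid"}
# Wallet brands the article names as impersonation targets.
WALLET_BRANDS = ("coinbase", "metamask", "okx")

def audit_addons(extensions_json, allowlist=ALLOWLIST):
    """Flag user-installed extensions that are not on the allow-list."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        # "app-profile" = installed into the user's profile; skip themes and built-ins.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        if addon.get("id") in allowlist:
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "")
        # Fold case and drop spaces/punctuation so "Meta-Mask" still matches.
        folded = "".join(ch for ch in name.lower() if ch.isalnum())
        brand = next((b for b in WALLET_BRANDS if b in folded), None)
        findings.append({"id": addon.get("id"), "name": name,
                         "impersonates": brand,
                         "severity": "high" if brand else "review"})
    return findings

def build_policy(allowlist=ALLOWLIST):
    """Build policies.json content: block all installs, then allow approved IDs."""
    settings = {"*": {"installation_mode": "blocked"}}
    for addon_id in sorted(allowlist):
        settings[addon_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}

# Constructed sample in the shape of a profile's extensions.json (not real data).
SAMPLE = json.dumps({"addons": [
    {"id": "approved-wallet@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask"}},
    {"id": "lookalike@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Meta-Mask Wallet"}},
    {"id": "tabs@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Tab Sorter"}},
    {"id": "theme@example.invalid", "type": "theme",
     "location": "app-profile", "defaultLocale": {"name": "OKX Dark"}},
]})

if __name__ == "__main__":
    for finding in audit_addons(SAMPLE):
        print(finding)
    print(json.dumps(build_policy(), indent=2))
```

The name match is a plain substring test on ASCII-folded text, so it does not catch Unicode look-alike characters; the allow-list check itself does not depend on the name at all.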
As the crypto landscape continues to evolve, hackers are finding increasingly creative ways to target users’ wallets, from fake job search sites to printer extensions. A NASAA survey identifies cryptocurrency and social media scams as a top threat to retail investors in 2025, underscoring the importance of staying informed and cautious.

