Cybersecurity researchers have found more than 40 malicious browser extensions for Mozilla Firefox that are designed to steal cryptocurrency wallet data, putting users' digital assets at risk.
“These extensions impersonate legitimate wallet tools from widely used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Courtus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Calt and Filfox,” the report notes.
The large-scale campaign is said to have been ongoing since at least April 2025, with new extensions uploaded to the Firefox add-ons store as recently as last week.
The extensions were found to have artificially inflated their popularity by adding hundreds of 5-star reviews, far more than their total number of active installs. This tactic gives them an illusion of authenticity, making them appear widely adopted and reassuring unsuspecting users before they install them.
Another tactic the threat actor adopted to build trust is to pass these add-ons off as legitimate wallet tools, using the same names and logos.
The fact that some of the genuine extensions were open source allowed the attackers to clone their source code and add their own malicious functionality to extract wallet keys and seed phrases from the targeted sites and send them to a remote server. The stealer extensions were also found to transmit the victims' external IP addresses.
Unlike typical phishing scams that rely on fake sites or emails, these extensions operate inside the user's browser, making them much harder to detect or block with traditional endpoint defenses.
“This low-impact approach allowed the actor to maintain the expected user experience while reducing the chances of immediate detection,” Ronneh said.
The presence of Russian-language comments in the source code, as well as metadata from a PDF file retrieved from the command-and-control (C2) server used in the operation, points to a Russian-speaking threat actor.
All of the identified add-ons, except MyMonero Wallet, have since been taken down by Mozilla. Last month the browser maker noted that it had developed an “early detection system” to identify and block crypto-stealing extensions before they gain popularity among users and are used to steal users' assets by tricking them into entering their credentials.
To mitigate the risk posed by such threats, users are advised to install extensions only from trusted publishers and to vet them to make sure they do not silently change their behavior after installation.
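One way to act on that last recommendation, as an added example that is not from the article or from Mozilla: snapshot the add-ons recorded in a Firefox profile's extensions.json and diff two snapshots, so that a version bump, a widened permission or host-origin set, or a newly installed add-on is flagged. The field names it reads (addons[].id, version, defaultLocale.name, userPermissions) are assumed from the profile format, and the two snapshots are constructed sample data.

```python
import json

def snapshot(extensions_json):
    """Reduce extensions.json to {id: {name, version, permissions, origins}}."""
    # addons[].id / version / defaultLocale.name / userPermissions: assumed field names
    out = {}
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, language packs
        perms = addon.get("userPermissions") or {}
        out[addon["id"]] = {
            "name": (addon.get("defaultLocale") or {}).get("name", "?"),
            "version": addon.get("version", "?"),
            "permissions": sorted(perms.get("permissions", [])),
            "origins": sorted(perms.get("origins", [])),
        }
    return out

def diff_snapshots(old, new):
    """Return human-readable findings; an empty list means nothing changed."""
    findings = []
    for aid, cur in new.items():
        prev = old.get(aid)
        if prev is None:
            findings.append(f"NEW add-on {aid} ({cur['name']}) v{cur['version']}")
            continue
        if prev["version"] != cur["version"]:
            findings.append(f"{aid}: version {prev['version']} -> {cur['version']}")
        for key in ("permissions", "origins"):  # only widening is flagged
            added = sorted(set(cur[key]) - set(prev[key]))
            if added:
                findings.append(f"{aid}: gained {key} {added}")
    for aid in sorted(set(old) - set(new)):
        findings.append(f"REMOVED add-on {aid}")
    return findings

# Constructed sample snapshots (not real data): the wallet helper bumps its
# version and widens its permissions, and a new add-on appears.
WALLET = {"id": "wallet-helper@example.invalid", "type": "extension", "version": "1.0",
          "defaultLocale": {"name": "Example Wallet Helper"},
          "userPermissions": {"permissions": ["storage"], "origins": ["https://wallet.example/*"]}}
UPDATED = dict(WALLET, version="1.1", userPermissions={"permissions": ["storage", "webRequest"],
                                                       "origins": ["<all_urls>"]})
NEWCOMER = {"id": "newcomer@example.invalid", "type": "extension", "version": "0.1",
            "defaultLocale": {"name": "Newcomer"}, "userPermissions": {}}
OLD_JSON = json.dumps({"addons": [WALLET]})
NEW_JSON = json.dumps({"addons": [UPDATED, NEWCOMER]})

def demo():
    return diff_snapshots(snapshot(OLD_JSON), snapshot(NEW_JSON))
```

Run `snapshot()` over the real extensions.json of a profile on a schedule and keep the previous result; any non-empty diff is worth reading before the browser is used again.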