A recent surge of malicious browser extensions targeting cryptocurrency users has been uncovered in the Firefox Add-ons Store, putting unsuspecting users at risk of devastating financial losses. Cybersecurity researchers have identified over 40 fake wallet extensions impersonating popular crypto wallets, including MetaMask, Coinbase Wallet, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero. This malicious campaign, dubbed “FoxyWallet,” has been active since at least April 2025 and continues to evolve despite intervention efforts.
How the Scam Works
The fake extensions mimic the look and functionality of legitimate crypto wallets, using official logos, names, and descriptions to deceive users. They often feature glowing five-star reviews, many of which are fabricated, to boost their credibility and lure in victims. Once installed, these malicious extensions monitor users’ inputs, specifically looking for seed phrases and private keys that grant access to cryptocurrency holdings.
When a user types or pastes sensitive information, the extensions capture it and silently transmit the data, along with external IP addresses, to attacker-controlled servers. This enables cybercriminals to drain victims’ wallets in a matter of minutes, transferring funds to accounts that are virtually impossible to trace or recover.
Who’s Behind the Attack?
Researchers analyzing the code and infrastructure of these extensions have traced indicators back to a Russian-speaking threat actor. Russian-language comments embedded in the malicious code and references to Russian documents found on the attackers’ servers strongly suggest the origin. While definitive attribution remains challenging, the consistency of these findings points toward an organized and skilled group of cybercriminals.
Mozilla’s Response
Mozilla, the developer of the Firefox browser, has taken swift action by removing many of the fake extensions from its store. In June 2025, Mozilla introduced an enhanced automated risk-profiling system designed to flag suspicious wallet extensions and escalate them for human review. However, given the dynamic nature of the threat, new malicious extensions continue to appear regularly, making this an ongoing battle.
A Mozilla spokesperson described the situation as “a constant cat-and-mouse game,” emphasizing the importance of vigilance both from browser developers and users themselves.
How to Protect Yourself
As the threat of fake crypto wallet extensions grows, users must take proactive steps to safeguard their assets:
- Download Only from Official Sources: Always install wallet extensions directly from the official websites of the wallet providers. Avoid relying on search engine results or third-party links.
- Verify Publisher Information: Check the publisher’s identity and ensure it matches the official wallet provider.
- Scrutinize Reviews and Install Counts: Be cautious of extensions with unusually high ratings but low install numbers, or vice versa.
- Limit Extension Permissions: Pay attention to the permissions an extension requests. Legitimate wallets generally require minimal access.
- Regularly Update and Audit Extensions: Keep extensions up to date and remove any that you no longer use.
- Use Hardware Wallets: For storing large amounts of cryptocurrency, hardware wallets remain the most secure option.
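The publisher, permission and audit checks above can be scripted. The following is an added example, not code from the researchers or Mozilla: it reads the add-on inventory Firefox keeps in `extensions.json` in the profile folder and reports every add-on whose name contains one of the wallet brands listed in this article but whose ID you have not verified yourself. The field names (`defaultLocale.name`, `defaultLocale.creator`, `userPermissions.origins`) are assumed from that file's layout, and all IDs and sample entries are constructed placeholders.

```python
import json
import re

# Wallet brands the article lists as impersonation targets (spaces removed).
BRANDS = ["metamask", "coinbase", "trustwallet", "phantom",
          "exodus", "okx", "keplr", "mymonero"]
# Host patterns that expose input typed on every site to the extension.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit(extensions_json, verified_ids):
    """Return wallet-branded add-ons whose ID the user has not verified."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue
        locale = addon.get("defaultLocale") or {}
        name = locale.get("name") or ""
        norm = re.sub(r"[^a-z0-9]", "", name.lower())
        brand = next((b for b in BRANDS if b in norm), None)
        if brand is None or addon.get("id") in verified_ids:
            continue
        origins = (addon.get("userPermissions") or {}).get("origins") or []
        findings.append({
            "id": addon.get("id"),
            "name": name,
            "creator": locale.get("creator"),
            "brand": brand,
            "broad_host_access": sorted(BROAD.intersection(origins)),
        })
    return findings

# Constructed sample data; real input is extensions.json from the profile folder.
SAMPLE = json.dumps({"addons": [
    {"id": "verified-wallet@example.invalid", "type": "extension",
     "defaultLocale": {"name": "MetaMask", "creator": "Example Publisher"},
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
    {"id": "{00000000-0000-0000-0000-000000000001}", "type": "extension",
     "defaultLocale": {"name": "Phantom Wallet Pro", "creator": "unknown-dev"},
     "userPermissions": {"permissions": ["clipboardRead"], "origins": ["<all_urls>"]}},
    {"id": "reader@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Reader Helper", "creator": "Someone"},
     "userPermissions": {"permissions": [], "origins": []}},
    {"id": "theme@example.invalid", "type": "theme",
     "defaultLocale": {"name": "Exodus Dark", "creator": "Someone"}},
]})
VERIFIED = {"verified-wallet@example.invalid"}  # IDs you confirmed via the vendor's site

if __name__ == "__main__":
    for finding in audit(SAMPLE, VERIFIED):
        print(finding)
```

A finding is a prompt to compare the add-on's ID and creator against what the wallet provider publishes on its official site, not proof that the add-on is malicious.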
The Bigger Picture
This wave of attacks highlights the broader risks associated with browser extensions, which often have deep access to sensitive data. For cryptocurrency users, the consequences of installing a malicious extension can be catastrophic, with stolen assets often impossible to recover.
While Mozilla and other browser developers continue to strengthen security measures, individual awareness and caution are the first line of defense. By adopting careful browsing habits and verifying every tool used to access crypto assets, users can significantly reduce the risk of falling victim to these increasingly sophisticated scams.