In a concerning discovery, over forty counterfeit extensions mimicking popular wallet applications like Coinbase, MetaMask, and Trust Wallet remain active on Mozilla’s Firefox extension store. According to Koi Security’s report dated July 2, 2025, these fake extensions jeopardize user assets by clandestinely collecting cryptocurrency wallet credentials. Researchers confirmed the persistence of this deceptive campaign since at least April, with new extensions added to the store as recently as last week. Hundreds of fake five-star reviews deceptively boost the extensions’ credibility.
Counterfeit Extensions Attack Firefox Store
The fake extensions mimic the official logos and descriptions of leading cryptocurrency wallet services like MetaMask, presenting an air of legitimacy. By using popular keywords in store search results, they rapidly climb the download charts. Once installed, although the browser interface appears genuine, embedded scripts capture private keys and recovery phrases, sending them to malicious servers.
Koi Security noted that the malicious code is hidden within closed-source JavaScript modules, evading automated scans. By abusing Firefox’s permission management, the extensions demand extensive web-tracking rights and can capture user passwords entered in new tabs. Unwitting victims install what they believe is a single wallet extension, but actually become targets for multiple scripts.
Russian Clues Unmask Attackers
The report highlights discoveries of Russian comments in PDF files and source code notes hosted on the command-and-control servers linked to the malicious extensions. Although security researchers imply these clues suggest a Russian-speaking threat actor, they acknowledge the lack of definitive proof. However, geographic timestamps, file paths, and error messages reinforcing the same language bolster the findings.
Most importantly, since the initial attack in April, more than 60 versions have been uploaded, with the latest malicious deployment occurring just a week ago. These extensions continuously update and, when detection signatures emerge, change names to reappear under the radar. Koi Security advises that some copies remain unchecked in the Firefox store and urges users to upgrade extensions only through links redirected from official sites.
