© Zeal News Africa

Fake Crypto Wallet Extensions Threaten Firefox Users

Published 3 weeks ago · 2 minute read

A new study by Koi Security has uncovered the “FoxyWallet” malware campaign, which uses malicious Firefox add-ons to impersonate legitimate crypto wallets and steal users’ funds. Over 40 fraudulent extensions have been identified, mimicking popular wallets such as Coinbase Wallet, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero. The campaign works by embedding malicious code within cloned versions of official, open-source wallet extensions, so that they behave as expected while secretly exfiltrating sensitive data. The malware specifically targets wallet secrets and seed phrases longer than 30 characters, filtering for realistic input, and also transmits the victim’s external IP address to attacker-controlled servers for tracking and targeting purposes.

Evidence suggests a Russian-speaking threat actor is behind the FoxyWallet campaign, with Russian-language comments discovered in the malicious code and in metadata found on the command-and-control server. The campaign has been active since at least April, with new malicious extensions continuing to appear. Despite Koi Security reporting their findings, some fake extensions remained available on the Firefox Add-ons store as recently as yesterday.

Mozilla, the creators of Firefox, acknowledged the threat, stating they are “aware of attempts to exploit Firefox’s add-ons ecosystem using malicious crypto-stealing extensions.” The company affirmed that it has taken steps to identify and remove such add-ons quickly through “improved tooling and process.” Many of the extensions flagged in Koi Security’s report had already been removed by Mozilla’s team prior to the report’s publication, and the company is actively reviewing the remaining identified add-ons. Mozilla described the ongoing fight against crypto-stealing extensions as a “constant cat and mouse game,” with malware developers continually attempting to circumvent detection methods. Its Add-ons Operations Manager, Andreas Wagner, noted that hundreds of scam crypto wallets have been uncovered in recent years.

To protect against FoxyWallet and similar scams, users are strongly advised to only download and install extensions from verified publishers. It is also recommended to treat extensions as full software assets, implement an extension allow list to restrict installations to only pre-approved and validated extensions, and maintain continuous monitoring rather than relying solely on one-time scans.
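
One way to apply the allow-list and continuous-monitoring advice above, as an added example that is not from Koi Security or Mozilla: a script that reads a Firefox profile's `extensions.json` and reports every installed extension missing from the allow list, ranking those named after a wallet brand from the article higher. It assumes the file holds an `addons` array whose entries carry `id`, `type`, `location` and `defaultLocale.name`; the function name, IDs and sample data are constructed.

```python
import json

# Wallet brands the article lists as impersonated by the campaign.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom",
                 "exodus", "okx", "keplr", "mymonero")

def audit_addons(extensions_json, allowed_ids):
    """Return a finding for every installed extension missing from the allow list."""
    allowed = {i.lower() for i in allowed_ids}
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries and language packs
        if str(addon.get("location", "")).startswith(("app-system", "app-builtin")):
            continue  # skip components shipped with the browser (assumed location names)
        addon_id = str(addon.get("id", ""))
        if addon_id.lower() in allowed:
            continue  # pre-approved by ID, whatever its display name
        name = (addon.get("defaultLocale") or {}).get("name", "")
        # A wallet brand in the name of an unapproved add-on is the impersonation signal.
        brand = next((b for b in WALLET_BRANDS if b in name.lower()), None)
        findings.append({"id": addon_id, "name": name, "brand": brand,
                         "severity": "high" if brand else "review"})
    return findings

# Constructed sample data: IDs and names are placeholders, not real add-ons.
SAMPLE = json.dumps({"addons": [
    {"id": "approved-wallet@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask"}},
    {"id": "{00000000-0000-4000-8000-000000000001}", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask Wallet Pro"}},
    {"id": "notes@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Quick Notes"}},
    {"id": "theme@example.invalid", "type": "theme",
     "location": "app-profile", "defaultLocale": {"name": "Dark"}},
    {"id": "builtin@example.invalid", "type": "extension",
     "location": "app-system-defaults", "defaultLocale": {"name": "Built-in"}},
]})
ALLOWED = {"approved-wallet@example.invalid"}

if __name__ == "__main__":
    for f in audit_addons(SAMPLE, ALLOWED):
        print(f"{f['severity']:6} {f['id']}  {f['name']!r}")
```

Run on a schedule against each managed profile, the findings list doubles as the monitoring signal: an empty result means every installed extension is pre-approved.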
