Firefox Add-ons Store Hit by Massive Wave of Fake Wallet Extensions

Researchers uncovered a coordinated campaign of over 40 malicious Firefox extensions. These add‑ons mimic trusted crypto wallet tools to steal private keys and seed phrases. Users are at risk. Extensions remain live in Mozilla’s official store. This threat started in April 2025 and continues today.


The FoxyWallet Campaign

I. What is FoxyWallet?

The campaign is named “FoxyWallet.” Attackers created dozens of fake extensions posing as popular wallets. Targets include MetaMask, Coinbase Wallet, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.

These clones use the real branding—names, logos, and even legit open‑source code—while hiding malicious logic. The result: extensions behave normally, but also steal sensitive data in the background.

II. How They Trick Users

  1. Name and logo impersonation
    Clone official wallet tools. Same names. Same icons. Users trust them by design.
  2. Fake ratings and reviews
    Many extensions show hundreds of 5‑star reviews—more than their actual installs. This creates false legitimacy.
  3. Cloned open‑source code
    Code is taken from official wallets. Attackers add data‑stealing logic. The clones work but also exfiltrate data.

Technical Details of the Attack

I. Data exfiltration and tracking

  • On install, the extension starts watching for credentials being entered on wallet sites.
  • It captures seed phrases, private keys, addresses.
  • It silently sends these to attacker‑controlled servers, along with the victim’s external IP address.

II. Ongoing campaign

  • Active since at least April 2025.
  • New extensions appeared as recently as last week.
  • Mozilla has removed most, but a few still linger on the store.

Who is Behind the Scheme?

So far, clues point to a Russian‑speaking actor:

  • Russian‑language comments in the code.
  • Metadata in a PDF on a control server.

This is not conclusive, but worth noting.


Scale of the Attack

  • Dark Reading reported around 45 extensions at one point.
  • Geekflare confirmed over 40 unique forks remain on the store.
  • The campaign uses Mozilla’s store trust features—name, reviews, branding, open‑source—against users.

Broader Context and Threat Trend

I. Browser extensions as attack vectors

Socket’s Threat Team recently uncovered that extensions hosted in official browser stores are widely used to:

  • Redirect users to scams.
  • Hijack browsing sessions.
  • Inject tracking code.
  • Steal OAuth tokens.

II. Similar campaigns

Earlier in 2025:

  • “Shell Shockers io” and clones by actor mre1903 infected Firefox and Chrome with gambling‑style popups, affiliate tracking, and OAuth token theft.
  • At least eight malicious Firefox extensions used identical tactics to hijack sessions, spy via hidden iframes, and steal tokens.

This shows attackers use multiple tactics and continue evolving.

III. WalletProbe findings

A recent study (April 2025) tested 39 popular wallet extensions. It found 13 attack vectors and 21 strategies. All wallets could be abused to steal assets.


The Risk to Individuals

  • Once seed phrases leak, attackers can drain wallets instantly.
  • Users may trust extensions from the official store.
  • Victims often won’t notice until assets are gone.
  • Hackers can track victims by IP and target high‑value wallets.

Risk to Organizations

  • Extensions may access internal tools if browsers are used at work.
  • A rogue extension can exfiltrate credentials, tokens, session info.
  • Attackers can use OAuth or session tokens to escalate deeper.
  • Uncontrolled extensions are a threat to enterprise security integrity.

Browser Provider and Security Response

I. Mozilla’s actions

  • Most FoxyWallet extensions have been removed.
  • MyMonero Wallet clone remains under review.
  • Mozilla says it uses an “early detection system” to block scam crypto extensions.

II. Industry advice

From Koi Security and Dark Reading:

  • Treat extensions like any software—vet them before install.
  • Use allow‑lists at work, not block‑lists.
  • Monitor installed extensions and changes over time.

Mozilla support suggests:

  • Review permissions carefully.
  • Check developer identity.
  • Look at user reviews and installs count.

Practical Recommendations

  1. Limit extension installs
    Only add tools you need and from trusted sources.
  2. Verify publishers
    Check developer name, website, contact info.
  3. Inspect permissions
    Avoid extensions requiring broad access to all web pages.
  4. Check reviews manually
    Look for signs of fake or repetitive reviews.
  5. Monitor post-install behavior
    Watch for sudden popups, redirects, or hidden frames.
  6. Use hardware wallets
    Keep seed phrases offline and away from browser processes.
  7. Enterprise controls
    Implement allow‑lists, continuous monitoring, and access boundaries.
  8. Stay updated
    Remove unused or unwanted add‑ons regularly.
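The allow‑list and permission checks above (recommendations 2, 3 and 7) can be automated against a Firefox profile. The script below is an added example, not code from the article or from any of the researchers it cites; it assumes the layout of Firefox’s per‑profile extensions.json (the id, defaultLocale.name and userPermissions fields), and the extension IDs, names and sample data are constructed. It flags any installed extension that is not on the allow‑list, reuses an approved extension’s display name (the impersonation trick FoxyWallet relies on), or requests access to every site.

```python
import json

# Extension IDs the organisation has approved (constructed for this example).
ALLOW_LIST = {"approved-wallet@example.com"}

# Host patterns that grant a content script access to every site the user visits.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample in the layout Firefox writes to <profile>/extensions.json;
# the second entry copies the approved wallet's display name under a different id.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "approved-wallet@example.com", "type": "extension", "active": True,
     "defaultLocale": {"name": "Example Wallet"},
     "userPermissions": {"permissions": ["storage"],
                         "origins": ["https://wallet.example.com/*"]}},
    {"id": "{0000aaaa-1111-2222-3333-444455556666}", "type": "extension", "active": True,
     "defaultLocale": {"name": "Example Wallet"},
     "userPermissions": {"permissions": ["storage", "webRequest"],
                         "origins": ["<all_urls>"]}},
    {"id": "langpack-en-GB@firefox.mozilla.org", "type": "locale", "active": True,
     "defaultLocale": {"name": "English (GB) Language Pack"}},
]})


def audit_extensions(raw_json, allow_list=ALLOW_LIST):
    """Return one finding per active extension that is not approved, reuses an
    approved extension's display name, or asks for broad host access."""
    addons = [a for a in json.loads(raw_json).get("addons", [])
              if a.get("type") == "extension" and a.get("active")]
    approved_names = {a["defaultLocale"]["name"] for a in addons if a["id"] in allow_list}
    findings = []
    for addon in addons:
        name = addon.get("defaultLocale", {}).get("name", "")
        perms = addon.get("userPermissions") or {}
        reasons = []
        if addon["id"] not in allow_list:
            reasons.append("not on allow-list")
            if name in approved_names:
                reasons.append("same display name as an approved extension")
        broad = set(perms.get("origins", [])) & BROAD_ORIGINS
        if broad:
            reasons.append("broad host access: " + ", ".join(sorted(broad)))
        if reasons:
            findings.append({"id": addon["id"], "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f["id"], f["name"], "->", "; ".join(f["reasons"]))
```

To run it against a real profile, pass the contents of that profile’s extensions.json instead of the constructed sample and feed the findings into whatever inventory or alerting you already use.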

The post Firefox Add-ons Store Hit by Massive Wave of Fake Wallet Extensions appeared first on The Coins Post.