Act now: Attackers using fake Firefox add-ons to steal crypto wallet credentials
Scammers have started a malicious campaign that uses Firefox browser extensions to steal crypto wallet credentials.
The campaign, detected and reported by Koi Security researchers on 2 July, is said to involve over 40 Firefox extensions that impersonate legitimate wallet tools from widely used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, and OKX.
How it works
Koi Security says the campaign has been running since at least April and is still active: new malicious extensions were uploaded to the Firefox Add-ons store as recently as last week.
Once an unsuspecting user installs one of the malicious extensions, it silently exfiltrates wallet secrets such as recovery seed phrases and passwords, putting the user's assets at immediate risk.
After extracting wallet credentials directly from the targeted websites, the extensions exfiltrate them to a remote server controlled by the attacker.
The victim’s external IP address is also transmitted during initialization, likely for tracking or targeting purposes.
To earn trust, the attackers inflate positive reviews on the extensions, giving them hundreds of five-star ratings. This makes users more confident in installing them.
They also use branding strikingly similar to that of top wallet providers, making the fakes difficult to identify. They even clone the code bases of the original wallet apps to make the fakes appear as authentic as possible.
Although it is not yet certain, Koi Security suspects the attackers may be of Russian origin, as the extension code contains Russian-language comments.
What to do
To avoid falling victim to these attackers, you should uninstall any Firefox wallet add-ons you may have installed recently.
Going forward, install extensions only from verified publishers, and be cautious even with highly rated listings, especially ones that look too good to be true.
Also, treat browser extensions as full software assets, subject to vetting, monitoring, and policy enforcement.
As an extra precaution, use an extension allowlist, restrict installation to pre-approved, validated extensions only, and continue to monitor for any change in behavior.
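One way to put the allowlist advice into practice, as an added example that is not from the article or from Koi Security: the script audits a Firefox profile's add-on inventory against an allowlist and builds a matching Firefox enterprise `ExtensionSettings` policy. The add-on IDs, the allowlist and the sample inventory are constructed, and the `extensions.json` field layout is an assumption about the profile file.

```python
import json

# Wallet brands the article lists as impersonated by the fake add-ons.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx")
# Constructed allowlist of approved add-on IDs (placeholder, not a real extension).
ALLOWLIST = {"approved-blocker@example.org"}
# Locations assumed to mark add-ons shipped with Firefox itself.
BUILTIN_LOCATIONS = {"app-builtin", "app-system-defaults"}

def _addon(addon_id, name, kind="extension", location="app-profile"):
    return {"id": addon_id, "type": kind, "location": location,
            "defaultLocale": {"name": name}}

# Constructed sample shaped like a profile's extensions.json (assumed layout).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    _addon("approved-blocker@example.org", "Approved Blocker"),
    _addon("wallet-helper@example.invalid", "MetaMask Wallet Pro"),
    _addon("notes@example.invalid", "Quick Notes"),
    _addon("builtin@example.invalid", "Built-in", location="app-builtin"),
    _addon("theme@example.invalid", "Dark", kind="theme"),
]})

def audit_extensions(raw, allowlist):
    """Return user-installed extensions that are not on the allowlist."""
    findings = []
    for addon in json.loads(raw).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        if addon.get("location") in BUILTIN_LOCATIONS:
            continue
        addon_id = addon.get("id", "")
        if addon_id in allowlist:
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "")
        # A wallet-branded add-on outside the allowlist matches the campaign pattern.
        wallet = any(brand in name.lower() for brand in WALLET_BRANDS)
        findings.append({"id": addon_id, "name": name,
                         "severity": "high" if wallet else "review"})
    return findings

def build_policy(allowlist):
    """Build a policies.json body: block every add-on except allowlisted IDs."""
    settings = {"*": {"installation_mode": "blocked"}}
    for addon_id in sorted(allowlist):
        settings[addon_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWLIST):
        print(finding)
    print(json.dumps(build_policy(ALLOWLIST), indent=2))
```

A name match only prioritises review; the allowlist decision is made on the add-on ID, since a listing's name and branding are exactly what the campaign imitates.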