Fake wallets stealing funds

A rising threat has surfaced in the world of cryptocurrency: fake wallet extensions on Firefox. Over 40 malicious add-ons have been found in the Firefox Add-ons store. These extensions pretend to be popular crypto wallets like MetaMask, Coinbase, Phantom, Trust Wallet, Exodus, and OKX. They use the same names, logos, and descriptions as the real apps to trick users. The fake extensions first appeared in April 2025 and are still active in July 2025. As the threat continues to grow, new fake extensions are uploaded even after initial detection.


The hackers behind the fake wallets use several techniques to stay hidden. They copy open-source code from legitimate wallet tools and insert malicious code into it. The inserted code is designed to steal wallet credentials and seed phrases, the secrets used to access crypto accounts. The fake extensions also carry fake five-star reviews to look trustworthy and gain quick approval. They are built to secretly collect sensitive data when users visit certain websites and send that information to servers controlled by the hackers. Cybercriminals have become increasingly sophisticated in their methods, making detection more difficult for security teams.

These malicious extensions operate quietly: they gather login details and seed phrases without the user knowing. Once they have this information, the hackers can drain the victims’ crypto assets across multiple blockchain networks. The campaign is highly sophisticated and hard to detect. The threat actors use remote servers to collect the stolen data and keep the campaign running. They also avoid detection through social engineering and technical spoofing, which makes the extensions difficult for both users and automated systems to catch.

Mozilla, the company behind Firefox, has responded to the problem. They have removed many of the fake extensions after discovering them. Mozilla’s Add-ons team says it’s a constant fight against malware creators. They now use new tools to find and remove fake extensions faster. Despite these efforts, the threat remains active, and some malicious add-ons still slip through. The campaign’s persistence shows that the hackers are well-funded and organized. They adapt quickly to avoid being caught and keep their fake extensions online.

This situation puts users at risk of losing their crypto assets if they install these fake extensions. Sensitive wallet information can be stolen without users realizing it. The threat is ongoing, and the fake extensions continue to evolve, making it vital for users to be cautious when installing browser add-ons.
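One way to check for this kind of impersonation on a workstation, as an added example that is not from the article or from Mozilla: audit the add-on list in a Firefox profile's `extensions.json` for entries that use one of the wallet names above but whose add-on ID is not one you have verified yourself. The field layout used here is an assumption about that file, the verified ID is a placeholder, and the sample data is constructed.

```python
import json
import re
import unicodedata

# Wallet brands the article names as impersonation targets.
BRANDS = ["metamask", "coinbase", "phantom", "trustwallet", "exodus", "okx"]

# ASSUMPTION: add-on IDs you have confirmed from each vendor's own site.
# The value below is a placeholder, not a real add-on ID.
VERIFIED_IDS = {"metamask": {"verified-metamask-id@placeholder.invalid"}}

BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def normalise(name):
    """Fold case, drop accents and punctuation so 'Meta-Mask' still matches."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)

def audit(extensions_json):
    """Flag add-ons that use a wallet brand name without a verified ID."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        brand = next((b for b in BRANDS if b in normalise(name)), None)
        if brand is None or addon.get("id") in VERIFIED_IDS.get(brand, set()):
            continue
        origins = set((addon.get("userPermissions") or {}).get("origins") or [])
        findings.append({"id": addon.get("id"), "name": name, "brand": brand,
                         "active": bool(addon.get("active")),
                         "all_sites": bool(origins & BROAD_ORIGINS)})
    return findings

# Constructed sample in the assumed extensions.json layout (not a real profile).
SAMPLE = json.dumps({"addons": [
    {"id": "verified-metamask-id@placeholder.invalid", "type": "extension",
     "active": True, "defaultLocale": {"name": "MetaMask"},
     "userPermissions": {"origins": ["<all_urls>"]}},
    {"id": "constructed-lookalike@example.invalid", "type": "extension",
     "active": True, "defaultLocale": {"name": "Meta-Mask Wallet"},
     "userPermissions": {"origins": ["<all_urls>"]}},
    {"id": "constructed-notes@example.invalid", "type": "extension",
     "active": True, "defaultLocale": {"name": "Page Notes"},
     "userPermissions": {"origins": []}},
]})

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To audit a real profile, pass the contents of the `extensions.json` file from the Firefox profile directory to `audit()` after filling `VERIFIED_IDS` with IDs taken from each wallet vendor's own site.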
