A recent study conducted by CyberGuard has uncovered a vast operation involving counterfeit Firefox extensions aimed at covertly extracting cryptocurrency credentials from users.
The investigation discovered over 40 fraudulent extensions imitating well-regarded crypto wallet applications, which facilitated unauthorized access to users’ sensitive financial information.

These malicious add-ons were crafted to closely replicate trusted applications such as MetaMask, Coinbase, and Trust Wallet, presenting an alarming risk to unwary users.
Unmasking the Deceptive Firefox Extensions
This ongoing campaign was reportedly first identified in early 2025. Findings published last week by CyberGuard indicated that users were still encountering these extensions on the Firefox Add-ons marketplace.
Several of these extensions remained listed at the time of the report, highlighting serious concerns over the safety of private keys and crypto wallet data.
Once deployed, the extensions were stealthily gathering confidential credentials, providing attackers with openings to misappropriate user assets across various blockchain ecosystems.
Experts in cybersecurity label this operation as particularly dangerous due to its longevity and sophistication. The fact that fresh extensions are emerging indicates the initiative is both active and adaptive, cleverly circumventing detection mechanisms.
By impersonating reputable wallets and successfully infiltrating browser review processes, the perpetrators are using a combination of social engineering tactics and technical deception to target unsuspecting crypto users.
Exploiting Trust: Methods and Future Risks in Crypto Security
To enhance their credibility, many of the fake extensions boasted inflated five-star ratings and manipulated reviews. These deceptive indicators likely convinced users of their legitimacy, prompting unwitting downloads.
The design elements, branding, and naming of these extensions were carefully crafted to mirror those of established wallet providers, adding an additional layer of misdirection.
CyberGuard analysts uncovered evidence suggesting involvement from a Russian-speaking cyber group in this scheme. Analysis of the source code revealed Russian-language annotations, and documents tied to their command infrastructure contained Russian metadata.
While these findings are not conclusive, they echo patterns seen in previous cyber campaigns traced to Eastern European groups. “While not definitive, these elements hint at a Russian-speaking hacker organization being involved,” the analysis stated.
The extensive nature and ongoing persistence of this scheme imply a systematic approach. CyberGuard stressed that this is not merely a singular exploit, but rather a developing strategy that could extend to other browsers and cryptocurrency platforms in the future.
The report urges users to refrain from installing extensions outside of those recommended by official wallet providers, carefully review developer credentials on add-on pages, and remain vigilant about the permissions sought by extensions. Users are also advised to delete any add-ons they did not install or no longer recognize.
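As an added example, not code from the CyberGuard report, the following Python script turns the last two recommendations into a check a defender can run over a Firefox profile's extensions.json: it flags add-ons whose display name borrows a wallet brand but whose add-on ID is not the genuine publisher's, and rates them higher when they also hold host permissions for every site or were not installed from addons.mozilla.org. The embedded sample file, the brand list and the allowlist are assumptions to be replaced with the vendor's official add-on IDs.

```python
import json

# Constructed sample of a Firefox profile's extensions.json, trimmed to the fields
# this check reads; it is not a real capture.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "webextension@metamask.io", "defaultLocale": {"name": "MetaMask"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/metamask.xpi",
     "userPermissions": {"permissions": ["storage"], "origins": ["*://*.infura.io/*"]}},
    {"id": "metamask-wallet@example.org", "defaultLocale": {"name": "MetaMask Wallet Pro"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/mmpro.xpi",
     "userPermissions": {"permissions": ["storage", "webRequest"], "origins": ["<all_urls>"]}},
    {"id": "uBlock0@raymondhill.net", "defaultLocale": {"name": "uBlock Origin"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/3/ublock.xpi",
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
]})

WALLET_BRANDS = ("metamask", "coinbase", "trust wallet")
# Assumed allowlist of genuine publisher add-on IDs. Fill it from each vendor's
# official install link; only the MetaMask ID is given here.
GENUINE_WALLET_IDS = {"webextension@metamask.io"}
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
AMO_PREFIX = "https://addons.mozilla.org/"

def audit(extensions_json: str) -> list:
    """Return one finding per add-on that impersonates a wallet brand."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        name = (addon.get("defaultLocale") or {}).get("name", "")
        addon_id = addon.get("id", "")
        if not any(b in name.lower() for b in WALLET_BRANDS) or addon_id in GENUINE_WALLET_IDS:
            continue  # not wallet-branded, or carries the genuine publisher's ID
        reasons = ["wallet-branded name with non-allowlisted add-on ID"]
        origins = (addon.get("userPermissions") or {}).get("origins", [])
        if BROAD_ORIGINS & set(origins):
            reasons.append("host permission for every site")  # content scripts see every page visited
        if not str(addon.get("sourceURI", "")).startswith(AMO_PREFIX):
            reasons.append("not installed from addons.mozilla.org")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append({"id": addon_id, "name": name, "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_EXTENSIONS_JSON):
        print(f"[{f['severity']}] {f['name']} ({f['id']}): {'; '.join(f['reasons'])}")
```

Point `audit()` at the contents of `extensions.json` in the profile directory to run it against a real install; a genuine add-on installed from AMO with a narrow origin list produces no finding.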
Image credit: CyberGuard Insights; chart data sourced from TradingView.