Security firm Koi has uncovered a widespread hacking campaign involving more than 40 fake cryptocurrency wallet extensions lurking on Firefox browser plug-in stores.
These malicious extensions are designed to impersonate major wallet providers such as Coinbase, MetaMask, OKX, Bitget, and Ethereum Wallet, aiming to trick unsuspecting users into giving up their login credentials.
In its recent blog post, Koi warned that the fraudulent extensions mirror genuine platforms almost perfectly, using identical names and logos to appear authentic. Once installed, the fake wallets harvest user credentials and transmit them to a remote server controlled by hackers, granting them direct access to victims’ wallets.

“So far, we were able to link over 40 different extensions to this campaign, which is still ongoing and very much alive,” Koi stated. The firm revealed that some of these malicious plug-ins remain available for download, despite efforts to flag them.
The cybercriminals behind the scheme reportedly employ a strategy known as “review inflation,” where hundreds of fake 5-star reviews are generated to build false credibility and make the extensions appear widely adopted. In some cases, the attackers cloned open-source code from legitimate wallet extensions, then embedded malicious scripts to maintain a normal user experience while avoiding detection.
“This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection,” the firm explained.
Koi also noted that parts of the malicious extension code contain comments written in Russian, and PDF files retrieved from the hackers’ command servers include suspicious metadata.
To stay safe, security experts advise users to install browser extensions only from verified publishers and to use an allow-list system that restricts installation to pre-approved and validated plug-ins.
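One way to apply the allow-list advice above on managed Firefox installs, as an added example that is not code from Koi or from this article: it generates a `policies.json` using Firefox's `ExtensionSettings` enterprise policy and audits an inventory by add-on ID rather than display name, since the clones copy names and logos. The add-on IDs, names and inventory are constructed placeholders.

```python
import json

# Constructed allow-list: these add-on IDs are placeholders, not real extensions.
ALLOWED_IDS = {
    "wallet-official@example.invalid",
    "content-blocker@example.invalid",
}

# Constructed inventory of installed add-ons. The second entry copies the
# display name of the approved wallet but carries a different add-on ID.
INSTALLED = [
    {"id": "wallet-official@example.invalid", "name": "Example Wallet"},
    {"id": "wallet-clone@example.invalid", "name": "Example Wallet"},
    {"id": "content-blocker@example.invalid", "name": "Example Blocker"},
]


def build_policy(allowed_ids):
    """Build a Firefox policies.json document: block every add-on by
    default ("*"), then allow only the approved add-on IDs."""
    settings = {"*": {"installation_mode": "blocked"}}
    for addon_id in sorted(allowed_ids):
        settings[addon_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}


def audit(installed, allowed_ids):
    """Return installed add-ons whose ID is not on the allow-list.
    Display names are ignored on purpose: a clone can copy them."""
    return [addon for addon in installed if addon["id"] not in allowed_ids]


def name_collisions(installed, allowed_ids):
    """Return non-approved add-ons that reuse the display name of an
    approved one, the impersonation pattern the article describes."""
    approved_names = {a["name"] for a in installed if a["id"] in allowed_ids}
    return [a for a in audit(installed, allowed_ids) if a["name"] in approved_names]


if __name__ == "__main__":
    print(json.dumps(build_policy(ALLOWED_IDS), indent=2))
    for addon in audit(INSTALLED, ALLOWED_IDS):
        print("not allow-listed:", addon["id"], "-", addon["name"])
    for addon in name_collisions(INSTALLED, ALLOWED_IDS):
        print("reuses an approved name:", addon["id"])
```

The generated document is deployed as `policies.json` in the `distribution` directory of the Firefox installation, or the same settings can be pushed through the platform's management tooling.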
This discovery comes as cyberattacks targeting crypto investors continue to evolve rapidly. Beyond fake wallet extensions, hackers are now deploying tactics such as fraudulent job websites and printer plug-ins to infiltrate user devices. A recent survey by the North American Securities Administrators Association (NASAA) listed cryptocurrency and social media scams as leading threats to retail investors in 2025.