- More than 40 fake Firefox extensions are impersonating popular cryptocurrency wallets to steal user data.
- The campaign uses fake visual identities and reviews to make the apps appear legitimate.
- The attack is still ongoing and can be provisionally linked to a Russian-speaking group, analysts say.
- Key recommendations: Install only verified extensions and monitor for any abnormal behavior.
In recent weeks, a cyberattack campaign has come to light that directly affects cryptocurrency users who rely on the Firefox browser. The attack is characterized by the deployment of malicious extensions that, disguised as trusted digital wallets, seek to capture users' login credentials and drain their funds without their knowledge.
Cybersecurity firms such as Koi Security have sounded the alarm after detecting more than 40 fraudulent extensions distributed in the official Firefox store. All of them mimicked the appearance and name of well-known cryptocurrency applications, such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX and MyMonero, among others, deceiving unsuspecting users through identical logos and artificially generated five-star reviews.
How malicious extensions work in Firefox

The modus operandi of this campaign is especially dangerous because it emulates the legitimate user experience. Cybercriminals have exploited the open source code of legitimate wallets, cloning their structure and adding code snippets designed to harvest sensitive information such as seed phrases and private keys.
Once the extension is installed, it is virtually impossible for the user to distinguish a genuine version from a modified one. The stolen information is sent directly to remote servers under the control of attackers, who can then proceed to empty the wallets quickly.
The campaign, active since April and still ongoing according to researchers, not only uses visual identities and names copied from the originals, but also artificially inflates positive reviews to generate trust and thus increase its number of victims.
Indications point to a Russian-speaking group

The tracking work carried out by Koi Security has detected various Russian elements embedded in the files of the extensions and in internal documents found on the servers used for the data theft. While the attribution is not definitive, multiple clues suggest the attack came from a Russian-linked threat group or actor.
Based on metadata in recovered files, along with Russian comments in the code of the fraudulent applications, experts maintain that the operation could be coordinated beyond simple amateur scammers, which increases the sophistication and danger of the incident.
Risks to users: Why these extensions have worked
The great success of the campaign lies in the use of trust manipulation strategies: They not only replicate names and logos, but also leverage the Firefox Store's review and rating options to legitimize their counterfeit products. Since most of the affected wallets are open source, attackers have had easy access to clone visible functions and add malicious code without raising immediate suspicion.
This approach has led many users, reassured by the appearance and ratings, to install these plugins without hesitation, which has facilitated the mass exfiltration of sensitive data.
Recommendations to minimize the impact of malicious extensions

Given the magnitude and persistence of the attack, specialists advise taking extreme precautions when installing extensions, opting only for those published by verified developers and periodically reviewing the applications installed in the browser.
Some essential tips are:
- Always verify the identity and reputation of the developer before installing any extension.
- Be suspicious of overly positive or repetitive ratings that may have been manipulated.
- Be alert for unusual permission requests or unexpected changes in the behavior of the extension.
- Immediately remove any extension that is suspicious or that was not installed by the user.
Koi Security also recommends treating extensions with the same caution as any other program, using whitelists and closely monitoring any unusual behavior, as well as installing updates only from official sources.
This incident highlights the importance of applying good cybersecurity practices in the cryptocurrency environment and in the management of digital tools. Vigilance, active protection and constant updating are essential to avoid being a victim of these attacks.
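One way to apply the whitelist and periodic-review advice above, as an added example that is not from Koi Security or the original article: a Python check over the add-on inventory Firefox keeps in a profile's `extensions.json`. The allowlist, the add-on IDs and the sample data are constructed; because a cloned wallet looks identical to the real one, the decision rests on the add-on ID, and the name and permission checks only help prioritize.

```python
# Wallet brands the article lists as impersonated.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom",
                 "exodus", "okx", "mymonero")
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_addons(extensions_json, allowlist):
    """Return findings for user-installed extensions not on the allowlist."""
    findings = []
    for addon in extensions_json.get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, language packs
        if addon.get("location") != "app-profile":
            continue  # skip built-in and system add-ons shipped with Firefox
        addon_id = addon.get("id", "")
        if addon_id in allowlist:
            continue  # approved by ID, not by name or logo
        name = (addon.get("defaultLocale") or {}).get("name", "")
        perms = addon.get("userPermissions") or {}
        reasons = ["not on allowlist"]
        if any(brand in name.lower() for brand in WALLET_BRANDS):
            reasons.append("uses a wallet brand name")
        if BROAD_ORIGINS & set(perms.get("origins", [])):
            reasons.append("can read data on all sites")
        findings.append({"id": addon_id, "name": name, "reasons": reasons})
    return findings


# Constructed sample in the shape of extensions.json; every ID is made up.
# For a real profile, load the file with json.load() and pass the result in.
SAMPLE = {"addons": [
    {"id": "approved-wallet@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Approved Wallet"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "unknown-1@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask Wallet Pro"},
     "userPermissions": {"permissions": ["tabs"], "origins": ["<all_urls>"]}},
    {"id": "builtin@example.invalid", "type": "extension",
     "location": "app-builtin", "defaultLocale": {"name": "Built-in Helper"}},
    {"id": "theme@example.invalid", "type": "theme",
     "location": "app-profile", "defaultLocale": {"name": "Dark Theme"}},
]}
ALLOWLIST = {"approved-wallet@example.invalid"}  # constructed allowlist

if __name__ == "__main__":
    for finding in audit_addons(SAMPLE, ALLOWLIST):
        print(finding["id"], "|", finding["name"], "|", "; ".join(finding["reasons"]))
```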
