Over 40 Malicious Crypto Wallet Extensions Found on Firefox Add-Ons Store

In a disturbing cybersecurity development, researchers at Koi Security have uncovered more than 40 malicious Firefox browser extensions impersonating popular cryptocurrency wallets. These extensions, found on Mozilla’s official add-ons store, are designed to steal sensitive wallet credentials and recovery phrases from unsuspecting users.

The deceptive add-ons pose as legitimate wallets from major crypto service providers including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero. 

By cloning the open-source versions of these tools and embedding malicious code, the attackers aim to harvest users’ seed phrases—sensitive keys that grant full access to cryptocurrency funds.

According to Koi Security’s report shared with BleepingComputer, the malicious extensions include event listeners that monitor users’ activity in the browser. These scripts specifically look for text inputs longer than 30 characters—a common trait of seed phrases—and quietly send the captured data to attacker-controlled servers. Error messages that could potentially alert users are cleverly hidden using CSS tricks that make the alerts invisible. 

The theft of a seed phrase enables full access to a user’s crypto wallet and is often irreversible, with the fraudulent transaction appearing legitimate on the blockchain.

The campaign has reportedly been active since at least April, and new extensions continue to surface on the Firefox store, with the latest additions detected just last week. Many of the fraudulent extensions use authentic logos of

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.