Ethical Hacking News
Researchers have identified more than 40 malicious Mozilla Firefox extensions that impersonate cryptocurrency wallet tools, harvest wallet secrets from inside the browser, and send them to an attacker-controlled server. This article summarises what the extensions do and the tactics used to get users to install them.

Cybersecurity researchers have uncovered over 40 malicious browser extensions for Mozilla Firefox built to steal cryptocurrency wallet secrets, putting users' digital assets at risk. The extensions pose as legitimate wallet tools from widely used platforms such as Coinbase, MetaMask and Trust Wallet, and rely on several tactics to trick unsuspecting users into installing them.
According to Koi Security researcher Yuval Ronen, the campaign has been running since at least April 2025, with new extensions uploaded to the Firefox Add-ons store as recently as last week. The extensions inflate their apparent popularity with hundreds of 5-star reviews, far more than their total number of active installations. The mismatch is deliberate: a long list of glowing reviews makes an add-on look widely adopted and trustworthy, and most users never compare the review count against the install count.
The threat actor also borrows trust from the brands it imitates, publishing the add-ons under the same names and with the same logos as the real wallet tools. Rather than writing wallets from scratch, the attackers took open-source wallet code and injected their own functionality into it: the modified extensions extract wallet keys and seed phrases from the targeted wallet websites and exfiltrate them to a remote server, along with the victim's external IP address.

Unlike phishing campaigns that depend on fake websites or emails, these extensions run inside the user's browser, with the same access to page content as the legitimate tool they imitate. That makes them much harder to detect or block with traditional endpoint tools, which see ordinary browser traffic. Because the bulk of the code is the genuine open-source wallet, the add-on behaves exactly as the user expects, so this low-effort, high-impact approach keeps the expected user experience intact while reducing the chances of immediate detection.
The presence of Russian language comments in the source code as well as metadata obtained from a PDF file retrieved from the command-and-control (C2) server used for the activity points to a Russian-speaking threat actor group. All the identified add-ons with the exception of MyMonero Wallet have since been taken down by Mozilla.
The incident highlights the importance of vigilance when installing browser extensions, particularly any extension that is given access to digital assets. It also underscores a threat landscape in which attackers keep adapting their tactics to steal sensitive information. To mitigate the risk, install extensions only from verified publishers (ideally the wallet vendor's own account), treat review counts that exceed install counts as a warning sign, and keep vetting an extension after installation so that an update cannot silently change its behavior, for example by adding new permissions, new host access, or network calls to hosts the extension never needed before.
To combat such threats, Mozilla has developed an "early detection system" intended to identify and block scam crypto wallet extensions before they gain popularity among users. The aim is to stop these extensions from being used to capture the wallet keys and seed phrases users enter, and with them the users' assets.

The incident is a reminder that browser extensions deserve the same scrutiny as any other software given access to valuables, and that users and security teams need to take proactive measures, from publisher verification to monitoring for post-install changes, rather than relying on store reputation alone.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Great-Crypto-Heist-Mozilla-Firefoxs-Browser-Extensions-Targeted-for-Malicious-Purpose-ehn.shtml
Published: Thu Jul 3 08:33:46 2025 by llama3.2 3B Q4_K_M