Fake wallet extensions have infiltrated Firefox’s official add-ons store, according to a new security audit. Security company Koi disclosed that more than 40 fake crypto wallet extensions have appeared in the official Firefox browser plug-in store, aiming to steal mnemonics and private keys. These extensions impersonate popular wallets, including Coinbase, Trust Wallet, Phantom, OKX, MyNero, MetaMask, and others.
The campaign has been active since April 2025 and is ongoing. Koi's report describes how the attackers exploit user trust and the marketplace to steal assets. As cyber fraud and crypto hacks rise, users are warned to protect their wallets. Otherwise, the nightmare of waking up and discovering your entire crypto holdings drained in seconds could become a reality.
Koi Exposes How Fake Firefox Extensions Work
The cyber criminals often start by cloning legitimate Web3 wallets to make them appear authentic, luring unsuspecting users to install them. Koi explains that once these extensions are installed, they exfiltrate wallet secrets, putting a user’s assets at risk. Because most official extensions are open-source, these attackers clone their real codebases and insert their malicious trackers.
These trackers are disguised so that they can watch for and capture seed phrases. When a user enters a seed phrase, the listener captures the data. The stolen information, including the victim’s IP address, is then sent to a server controlled by the impostors. This high-impact approach lets the actor avoid immediate detection, giving them ample time to secretly steal user assets.
According to Koi, one of the ways these malicious actors gain trust and legitimacy is through fake 5-star reviews. They fabricate reviews far exceeding their actual user base to make the extension look widely adopted. They use the positive reviews to lure unsuspecting users to download and install their malicious Firefox extensions.
Koi Suggests Measures to Protect Assets
Victims have described losing thousands to tens of thousands worth of cryptocurrency within seconds. Worst of all, recovery is practically impossible once a seed phrase is compromised. The stolen funds are converted and then laundered through a mixer, making them difficult to track.
Koi suggests vetting every extension before installation. The publisher must be authenticated, reviews must be critically examined, and links from unauthorized sources must be avoided at all costs. The security research team also recommends using an extension allowlist and only installing pre-approved and validated extensions.
Other suggestions include: never pasting your seed phrases into a browser window, storing assets in hardware devices, such as Ledger, and ensuring multiple backups of seed phrases in secure and distributed locations.
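One way to check an existing Firefox profile against the extension allowlist recommended above, as an added example that is not from Koi's report or from Mozilla. It assumes the profile's extensions.json has an "addons" list whose entries carry "id", "type", "active" and "defaultLocale.name"; the allowlist IDs and the sample data are constructed.

```python
import json

# Wallet brands the article says were impersonated (lowercased for matching).
IMPERSONATED_BRANDS = ["coinbase", "trust wallet", "phantom", "okx", "mynero", "metamask"]

# Hypothetical allowlist of approved add-on IDs (constructed values).
ALLOWLIST = {"approved-wallet@example.org", "adblock@example.org"}

# Constructed sample in the assumed shape of a profile's extensions.json.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {"id": "approved-wallet@example.org", "type": "extension", "active": True,
         "defaultLocale": {"name": "MetaMask"}},
        {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
         "active": True, "defaultLocale": {"name": "Phantom Wallet"}},
        {"id": "notes@example.org", "type": "extension", "active": False,
         "defaultLocale": {"name": "Quick Notes"}},
        {"id": "dark@example.org", "type": "theme", "active": True,
         "defaultLocale": {"name": "Dark"}},
    ]
})


def audit_extensions(extensions_json, allowlist):
    """Return findings for installed extensions whose ID is not on the allowlist."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, language packs
        addon_id = addon.get("id", "")
        if addon_id in allowlist:
            continue  # approval is by exact ID, never by display name
        name = (addon.get("defaultLocale") or {}).get("name", "")
        brand = next((b for b in IMPERSONATED_BRANDS if b in name.lower()), None)
        findings.append({
            "id": addon_id,
            "name": name,
            "active": bool(addon.get("active")),
            # A wallet brand name on an unapproved ID is the pattern the article describes.
            "severity": "high" if brand else "review",
            "brand": brand,
        })
    # High-severity findings first, then by ID for stable output.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["id"]))


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWLIST):
        print(finding)
```

Matching on the add-on ID rather than the display name matters here, because the display name is exactly what a cloned extension copies.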
What’s Next for Firefox Extensions?
Browser platforms like Firefox must upgrade their vetting mechanisms using automated tools and human reviews to ensure users don’t fall for fake 5-star reviews. Furthermore, they should collaborate with security firms to expedite crackdowns on fake extensions. Koi confirms that new malicious extensions were uploaded to the Firefox Add-ons store as recently as last week.
The wave of fake wallet extensions shows that crypto wallets are vulnerable. All hands must be on deck to defend against these external threats.