
🚨 A Silent Heist: Fake Crypto Wallets Flood Firefox Add-Ons Store

UppSecEcho

July 09, 2025

The crypto world just got hit with another stealthy threat—this time targeting unsuspecting Firefox users through malicious wallet extensions.

More than 40 fake Firefox extensions mimicking popular crypto wallets have been discovered since April 2025. These fraudulent add-ons, found directly on the Firefox Add-ons store, aren’t just phishing scams; they’re sophisticated clones capable of stealing private keys and draining entire wallets.


🔍 The Deception: Looks Real, Acts Evil

The attackers didn’t build these fake extensions from scratch. Instead, they forked open-source code from legitimate wallets, like MetaMask, Phantom, Trust Wallet, OKX, Bitget, and Coinbase Wallet, and injected malicious scripts designed to silently steal user data.

To make things worse, the extensions:

• Used identical names and logos

• Were stuffed with fake 5-star reviews

• In some cases, were signed with valid Mozilla developer accounts

These wallet clones were nearly indistinguishable from the real thing. And once installed, they watched for one thing: your seed phrase.


🧠 How the Attack Works

Once a victim pastes a seed phrase or private key into the fake extension interface, it’s game over.

These fake extensions:

• Monitor inputs over 30 characters (typical of seed phrases)

• Immediately exfiltrate them to attacker-controlled servers

• Also log the user’s IP address, likely for geographic targeting
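
A defender-side static triage heuristic for the behaviour listed above, as an added example that is not from the original post or from Mozilla's tooling. It flags an unpacked extension source file only when an input handler, a length gate on a field value and a network call to an unexpected host all appear together. The sample sources, the `wallet.example` and `collector.invalid` hosts, the 20-character floor and all function names are constructed assumptions.

```javascript
// Added example: heuristic triage of unpacked extension source, not a vetted detector.
const SIGNALS = {
  // a handler on typed or pasted user input
  inputHook: /addEventListener\(\s*['"](input|paste|change|keyup)['"]/,
  // a length test on a field value; the number is captured as group 2
  lengthGate: /\.value(\.trim\(\))?\.length\s*>=?\s*(\d{2,})/,
  // outbound request primitives available to extension pages
  netCall: /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b/,
};
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;
const MIN_GATE = 20; // assumption: below the 30 characters the post cites, to catch variants

function triageSource(name, source, allowedHosts) {
  const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(source));
  const gate = source.match(SIGNALS.lengthGate);
  const threshold = gate ? Number(gate[2]) : null;
  const hosts = [...source.matchAll(URL_RE)].map((m) => m[1].toLowerCase());
  // hosts the genuine wallet is not expected to contact
  const unknownHosts = [...new Set(hosts)].filter(
    (h) => !allowedHosts.some((a) => h === a || h.endsWith("." + a))
  );
  const suspicious =
    hits.length === 3 && threshold !== null && threshold >= MIN_GATE && unknownHosts.length > 0;
  return { name, hits, threshold, unknownHosts, suspicious };
}

function triageAll(files, allowedHosts) {
  return Object.entries(files)
    .map(([name, src]) => triageSource(name, src, allowedHosts))
    .filter((r) => r.suspicious);
}

// Constructed sample sources (request bodies deliberately omitted); hosts are placeholders.
const SAMPLES = {
  "clone/popup.js": `field.addEventListener("paste", () => {
    if (field.value.length > 30) fetch("https://collector.invalid/c");
  });`,
  "genuine/popup.js": `field.addEventListener("input", () => checkWords(field.value));
    fetch("https://rpc.wallet.example/v1/balance");`,
  "genuine/settings.js": `if (nameBox.value.length > 64) showError("too long");`,
};

for (const r of triageAll(SAMPLES, ["wallet.example"])) {
  console.log(`${r.name}: gate>${r.threshold}, unexpected hosts: ${r.unknownHosts.join(", ")}`);
}
```

A hit is a reason to diff the file against the genuine wallet's published source, not a verdict; minified or obfuscated code will evade regex matching like this.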


🇷🇺 Who’s Behind It?

Investigators found Russian-language comments in the code and metadata tied to Russian-speaking actors, although attribution is not conclusive.

The infrastructure behind the scam was impressively organized:

• Hosting on bulletproof VPS providers

• Constantly rotating domain names

• Multiple versions pushed across dozens of wallets and language localizations

This wasn’t a quick smash-and-grab. It was an industrial-scale operation.


🧯 Mozilla’s Response

Mozilla has begun purging these fake extensions, but new ones keep popping up. As of July 2025, many remain live on the Add-ons store, making this a whack-a-mole nightmare for security teams.

Mozilla stated that it is:

• Using automated scanning tools

• Relying on user reports

• Tightening vetting procedures for crypto-related extensions

But clearly, more must be done.


🛡️ What You Can Do Now

If you use Firefox for crypto-related activity, pause and reassess your security posture. Here's what I recommend:

| 🔐 Action | Why It Matters |
| --- | --- |
| Avoid browser wallet extensions | Especially on Firefox, until the dust settles. Use mobile apps or official websites. |
| Install only from verified sources | Check the publisher name and history. Don't trust reviews alone. |
| Enable 2FA everywhere | Adds a critical second layer to access. |
| Use cold storage for large holdings | If it’s not online, it can’t be drained. |
| Report suspicious extensions | Help Mozilla remove threats faster. |


🧰 Free Tool to Check for Scam Wallets

At scamhunter.ai, we’re fighting crypto scams head-on. Uppsala Security offers a free tool to:

• Scan suspicious wallet addresses

• View scam reports

• Flag stolen assets

You can try it free twice a day. Just paste in a wallet address and we’ll show you what we know.


🚨 Final Thoughts

This latest wave of wallet-cloning extensions on Firefox is a wake-up call for the crypto industry. Browser-based wallets are convenient, but they also open up new attack surfaces.

As always in crypto, convenience must be balanced with paranoia. Double-check everything. Trust no extension blindly. And if you’ve ever typed a seed phrase into an extension, you should migrate your funds now.

The attackers are evolving. So must our defenses.

Stay safe, stay skeptical.

