Crypto Fraud Cases Occurring in Firefox Through Add-ons in the Form of Crypto Wallets
2025-07-03
Cybercriminals have launched a sophisticated fraud campaign targeting cryptocurrency users on the Firefox browser by uploading fake wallet extensions to the official Firefox Add-ons store.
These malicious add-ons, which impersonate trusted wallets like MetaMask, Trust Wallet, and Coinbase Wallet, are designed to steal sensitive data such as seed phrases, enabling attackers to gain full access to victims’ crypto assets.
As crypto adoption continues to grow, so do threats targeting unsuspecting users. This case highlights the critical need for vigilance and secure browsing practices in the Web3 era.
How the Scam Works
Researchers at cybersecurity firm Koi Security identified over 40 fraudulent extensions mimicking popular crypto wallets on Firefox.
These add-ons aren’t just lookalikes—they are modified copies of legitimate open-source wallets, with malicious code added to siphon user data.
The malicious logic includes:
Event listeners that monitor input fields for data exceeding 30 characters, typical of seed phrases.
Code obfuscation and tricks such as rendering warnings at zero opacity so that alerts are never seen.
Fake branding and real wallet logos to appear legitimate.
Hundreds of fake five-star reviews to deceive potential victims into trusting the add-ons.
Once a user enters their seed phrase or wallet credentials, the information is silently transmitted to servers controlled by the threat actors—identified as a Russian-speaking cybercrime group.
What’s at Stake
Theft of a seed phrase is equivalent to handing over the master key to an entire wallet. Unlike traditional banking, crypto transactions are irreversible, and once funds are stolen, recovery is virtually impossible.
Some of the fake extensions detected include impersonations of:
MetaMask
Trust Wallet
Coinbase Wallet
Exodus
OKX
Keplr
MyMonero
These fake wallets have been circulating since at least April, with new ones being added as recently as last week. Despite multiple reports, several remain active in Firefox’s extension marketplace.
Mozilla's Response
Mozilla has introduced an early detection system for crypto scam extensions. It uses automated indicators to flag high-risk submissions. However, the system isn't foolproof—many malicious add-ons still bypass it and reach unsuspecting users.
Koi Security has submitted detailed reports through Firefox’s official channels, but as of this writing, the malicious extensions continue to exist on the platform. Mozilla has yet to release an official statement addressing the issue.
Protecting Yourself from Add-on Based Crypto Scams
To avoid falling victim to crypto wallet scams in browsers, users should:
Only install extensions directly from official wallet websites.
Check installation numbers and user reviews—beware of suspiciously high review counts with low installations.
Avoid entering seed phrases or private keys in any browser-based interface unless it has been verified as secure.
Use hardware wallets for additional security and seed phrase storage.
Keep your browser and extensions updated to benefit from security patches.
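The install-count and review check above can be automated when triaging store listings. The following is an added example, not code from Mozilla or Koi Security: the listing field names, the thresholds, the sample records, and the publisher allowlist are all assumptions made for illustration.

```javascript
// Added example: triage add-on listings for wallet-brand impersonation signals.
// Field names (name, publisher, installs, reviews, fiveStar) and thresholds are assumptions.

// Wallet brands the article lists as impersonated.
const BRANDS = ["metamask", "trustwallet", "coinbasewallet", "exodus", "okx", "keplr", "mymonero"];

// Lower-case and drop everything except ASCII letters and digits, so spacing or
// punctuation variants ("Meta-Mask", "Trust  Wallet") still match a brand token.
// NFKD folds full-width forms to ASCII; it does not catch Cyrillic lookalikes.
function normalize(name) {
  return name.normalize("NFKD").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Returns the list of signals raised by one listing.
// officialPublishers maps a brand token to a publisher the caller has verified.
function triageListing(listing, officialPublishers) {
  const flags = [];
  const norm = normalize(listing.name);
  const brand = BRANDS.find((b) => norm.includes(b));
  if (brand) {
    const expected = officialPublishers[brand];
    // A brand name with no verified publisher, or a different one, is a signal.
    if (!expected || normalize(listing.publisher) !== normalize(expected)) {
      flags.push(`brand:${brand}`);
    }
  }
  const { installs, reviews, fiveStar } = listing;
  // Many reviews relative to installs (the pattern the article warns about).
  if (reviews >= 20 && reviews / Math.max(installs, 1) > 0.25) {
    flags.push("reviews-exceed-install-ratio");
  }
  // Near-uniform five-star ratings on a listing with a meaningful review count.
  if (reviews >= 20 && fiveStar / reviews > 0.95) {
    flags.push("uniform-five-star");
  }
  return flags;
}

// Constructed sample data; the publisher names are placeholders, not real accounts.
const OFFICIAL = { metamask: "official-publisher-placeholder" };
const SAMPLE = [
  { name: "MetaMask", publisher: "official-publisher-placeholder", installs: 500000, reviews: 3000, fiveStar: 1800 },
  { name: "Meta-Mask Wallet Pro", publisher: "wallet-dev-77", installs: 120, reviews: 340, fiveStar: 338 },
  { name: "Tab Sorter", publisher: "someone", installs: 40, reviews: 2, fiveStar: 2 },
];

for (const l of SAMPLE) {
  console.log(l.name, "->", triageListing(l, OFFICIAL).join(", ") || "no flags");
}
```

A flag is a reason to look closer, not a verdict: short tokens such as "okx" can match unrelated names, and a listing with no flags can still be malicious.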
Conclusion
The emergence of fake crypto wallet add-ons in Firefox is a stark reminder of the evolving nature of crypto fraud.
As attackers exploit even trusted platforms like Mozilla’s, crypto users must stay informed, cautious, and skeptical of anything that seems too convenient.
Until better safeguards are enforced, the responsibility to protect digital assets lies heavily on individual users.
FAQs
What crypto wallets are being impersonated in the Firefox store?
Wallets like MetaMask, Trust Wallet, Coinbase, Phantom, and OKX are among those being faked.
How are the fake extensions stealing crypto?
They monitor for seed phrases and credentials, then send this data to attacker-controlled servers.
Can I recover my funds if my seed phrase is stolen?
No, once a seed phrase is compromised, the funds can be irreversibly drained.
Has Mozilla taken down these fake add-ons?
Some have been reported, but as of now, several still remain active.
How can I avoid getting scammed?
Always install extensions from official sources and never enter your seed phrase into an unfamiliar extension.
