July 03, 2025

FoxyWallet Campaign Exposes Over 40 Malicious Firefox Extensions Targeting Crypto Users

Software supply chain security firm Koi Security has identified an ongoing large-scale malicious campaign involving numerous counterfeit Firefox browser extensions designed to capture cryptocurrency wallet credentials. These extensions mimic legitimate tools associated with well-known platforms, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.

Once installed, the extensions covertly extract sensitive wallet information, posing a significant threat to user assets. The investigation has so far linked over 40 distinct extensions to the same campaign, which remains active. Some of these extensions are still available through official distribution channels. The campaign was identified by analyzing common tactics, techniques, and procedures (TTPs) and shared infrastructure.

Evidence indicates that the operation has been underway since at least April 2025, with new malicious uploads to the Firefox Add-ons store observed as recently as the previous week. The continuous appearance of these extensions points to a persistent and evolving threat. The malware targets users by harvesting wallet credentials directly from specified websites and transmitting them to a remote server operated by the attacker. Additionally, the extensions send the victim’s external IP address during the initial execution phase, likely for tracking or targeting purposes.

Malicious Firefox Extensions Mimic Trusted Wallet Tools And Inflate Reviews To Evade Detection And Boost Installs

This campaign exploits standard trust signals commonly found on browser extension marketplaces—such as user ratings, reviews, familiar branding, and functional performance—to build credibility and increase download rates. A notable strategy involved artificially boosting review scores; many of the malicious extensions featured an unusually high volume of five-star reviews, inconsistent with their actual user base. This creates the appearance of widespread approval and reliability, which can influence user decisions on platforms like the Mozilla Add-ons store.

The attacker also replicated the visual branding of legitimate wallet tools, including exact names and logos, making the counterfeit versions difficult to distinguish from the authentic ones. This approach raises the likelihood of unintentional downloads by users seeking the real service. In multiple instances, the actor utilized open-source versions of official extensions, duplicating the legitimate code and integrating malicious components. As a result, the extensions retained expected functionality while quietly exfiltrating sensitive data, enabling the campaign to achieve impact with relatively minimal development effort and reduced initial detection risk.

Although definitive attribution has not been established, several indicators suggest involvement by a Russian-speaking threat actor. These include Russian-language comments identified within the extension code and metadata extracted from a PDF document hosted on a command-and-control server associated with the campaign. While these elements are not conclusive, they collectively imply a possible origin linked to a Russian-speaking group.

Best practices in response to this activity include installing extensions exclusively from verified sources and remaining cautious even when extensions have high ratings. Browser extensions should be treated as full software components, requiring appropriate vetting, policy controls, and ongoing oversight. Organizations are advised to implement extension allowlists, limiting installations to pre-approved and validated tools, and to adopt continuous monitoring strategies, as extensions can auto-update and alter behavior after deployment without user awareness.
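
The allowlist check recommended above can be run against a browser profile's installed add-ons. The following Python sketch is an added example, not code from Koi Security or Mozilla: it assumes the profile's `extensions.json` stores an `addons` array whose entries carry `id`, `type`, `location` and `defaultLocale.name`, and every extension ID and name in the sample data is a constructed placeholder.

```python
import json

# Wallet brands the article lists as impersonated by the campaign.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
                 "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox")

def audit_extensions(extensions_json_text, allowlist):
    """Return one finding per user-installed extension missing from the allowlist."""
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        # Assumed layout: type/location/id/defaultLocale.name per add-on entry.
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        if addon.get("location") != "app-profile":
            continue  # add-ons shipped with the browser are not user installs
        if addon.get("id") in allowlist:
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "")
        brands = [b for b in WALLET_BRANDS if b in name.lower()]
        findings.append({
            "id": addon.get("id"),
            "name": name,
            "brands": brands,
            # A wallet-branded extension outside the allowlist is the pattern
            # the campaign relies on, so it is triaged first.
            "severity": "high" if brands else "review",
        })
    return sorted(findings, key=lambda f: f["severity"])

# Constructed sample data: every ID and name below is a placeholder.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "approved-wallet@example.test", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask"}},
    {"id": "unknown-wallet@example.test", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Phantom Wallet"}},
    {"id": "tab-tool@example.test", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Tab Sorter"}},
    {"id": "dark-theme@example.test", "type": "theme",
     "location": "app-profile", "defaultLocale": {"name": "Dark"}},
    {"id": "builtin@example.test", "type": "extension",
     "location": "app-builtin", "defaultLocale": {"name": "Built-in"}},
]})
SAMPLE_ALLOWLIST = {"approved-wallet@example.test"}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, SAMPLE_ALLOWLIST):
        print(finding["severity"], finding["id"], finding["name"], finding["brands"])
```

Because the counterfeit extensions reuse exact names and logos, the display name only sets triage priority here; the decision to trust an extension rests on its ID being in the allowlist.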

About The Author

Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.

Alisa Davidson