Crypto Theft Campaign Hits Firefox Users with Wallet Clones
More than 40 fake extensions for Mozilla Firefox are linked to a malware campaign aimed at stealing cryptocurrencies. The phishing operation uses extensions that impersonate popular wallet tools like Coinbase and MetaMask. Once installed, these malicious extensions steal users' wallet credentials and upload them to a remote server controlled by attackers. The campaign has been active since at least April, with new extensions uploaded recently. The fake extensions mimic legitimate services through identical names, logos, and fake reviews to gain user trust. Koi Security suspects a Russian-speaking threat actor based on language artifacts found in the malware's code. Users are advised to install extensions only from verified publishers and monitor for unusual behavior.
