Warning: Dozens of fake wallet plugins flood Firefox store, stealing cryptocurrency

According to BleepingComputer, security company Koi has discovered over 40 counterfeit cryptocurrency wallet extensions in the official Firefox browser plugin store, including mainstream wallets such as MetaMask and Coinbase Wallet. These malicious plugins steal input content exceeding 30 characters (mainly targeting mnemonic words) by implanting event monitoring code, and transmit the data back to the attacker's server. The investigation shows that the phishing activity has been ongoing since at least April 2025, and the mastermind behind it is suspected to be a Russian speaking hacker organization. Malicious plugins not only steal genuine brand logos, but also enhance credibility through a large number of false five-star reviews. Although some users have exposed the scam through one star reviews, the download volume of most counterfeit plugins is still significantly abnormal. Although Firefox has an automated risk detection system, as of the time of writing, a large number of malicious plugins reported have not been taken down. Researchers remind users to verify the authenticity of developer information and download volume when installing wallet extensions.