Over 40 fake Firefox extensions impersonating popular crypto wallets have been identified in an ongoing malware campaign targeting users' wallet credentials. Cybersecurity firm Koi Security reported that these malicious extensions, which are disguised as legitimate services such as Coinbase, MetaMask, Trust Wallet, and others, have been active since at least April. They extract wallet credentials directly from targeted websites and send them to a server controlled by the attackers. The campaign relies on deceptive tactics, such as fake ratings and reviews, to gain user trust and mimic real wallet services. Moreover, some of these extensions clone open-source code from the legitimate applications and add malicious elements, so the extension keeps the user experience people expect while reducing the risk of detection. Koi Security has suggested potential links to a Russian-speaking threat actor, based on evidence found during its investigation. The firm advises users to install only verified browser extensions and to treat them as full software assets, monitoring their behavior for unexpected changes.
