A dangerous crypto theft campaign has been uncovered targeting Mozilla Firefox users through fake wallet extensions designed to steal digital assets. Cybersecurity firm Koi Security revealed that more than 40 malicious browser extensions are actively impersonating popular crypto wallets like MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, and others.

These extensions are not only live but continue to be uploaded regularly, with the latest appearing just last week. Once installed, the fake add-ons secretly extract wallet credentials from legitimate websites and transmit them to a remote server under attacker control.

The scam is alarmingly sophisticated. The attackers clone real open-source wallet code, copy official branding, and flood extension pages with fake five-star reviews to appear authentic. Koi Security warns this low-effort, high-impact strategy allows the malware to blend in while delivering a seamless user experience—until funds are stolen.

Some indicators suggest the perpetrators may be Russian-speaking. Investigators found Russian-language code comments and metadata in a recovered file linked to the attackers’ command-and-control infrastructure. While not definitive, these clues point to a likely origin within a Russian-speaking threat group.

The campaign, active since at least April, remains ongoing and highly dangerous. Koi Security urges users to install extensions only from verified developers and treat browser add-ons with the same caution as full-fledged software. Experts also recommend maintaining strict allowlists and monitoring for suspicious behavior or unapproved updates.

With over 40 cloned wallet extensions identified and more likely surfacing, Firefox users are strongly advised to review their installed extensions immediately and remain vigilant against crypto phishing threats spreading through trusted browser platforms.