Cybersecurity experts from Koi Security uncovered a widespread scam involving over 40 fraudulent Firefox extensions designed to steal cryptocurrency wallet credentials, including seed phrases. These extensions impersonate well-known wallets, tricking users into unknowingly handing over access to their digital assets. Losses connected to this scam have already surpassed $2.2 billion in the first half of 2025 alone.
Which Wallets Are Being Imitated?
- Coinbase
- MetaMask
- Trust Wallet
- Phantom
- Exodus
- OKX
- Keplr
- MyMonero
- Bitget
- Leap
- Ethereum Wallet
- Filfox
Attackers have replicated these trusted brands with near-perfect logos and names to dupe unsuspecting users.
Timeline and Scam Techniques
The campaign has been active since April 2025, with new fake extensions continuously uploaded — some as recent as last week — to the official Firefox Add-ons platform.
These malicious plugins silently extract wallet credentials from targeted sites and transmit them to attacker-controlled servers.
Tricks to Gain User Trust
- Hundreds of fake 5-star reviews boosted their apparent popularity.
- Branding and logos meticulously cloned real wallet extensions.
- The use of authentic open-source wallet code, with malicious backdoors added, maintained normal functionality while stealing data stealthily.
This clever tactic reduced detection chances and lengthened the time malicious extensions stayed active on users' systems.
Beyond Browser Add-ons: Hardware & Physical Scams
- A Chinese crypto investor lost $7 million after buying a counterfeit cold wallet on Douyin (China’s TikTok), which generated private keys already compromised by attackers.
- The Atomic macOS Stealer malware replaced legitimate Ledger Live apps on over 2,800 compromised sites, harvesting seed phrases via fake pop-ups.
- Physical phishing letters mimicking Ledger, sent via USPS, instruct victims to scan QR codes linking to phishing websites stealing private keys.
The Growing Toll on Crypto Security
- $2.2 billion lost to hacks and scams in early 2025, per CertiK’s report.
- Wallet attacks accounted for $1.7 billion across 34 incidents.
- Phishing scams led to $410 million stolen in 132 events.
Ethereum was the prime target with 175 incidents and losses exceeding $1.6 billion.
Rising Code Vulnerabilities and Physical Threats
- May 2025 alone saw $229 million lost due to software vulnerabilities, a huge leap from $5 million in April.
- Physical “wrench attacks” targeting crypto holders surged, with 32 reported incidents so far, set to break the 2021 record of 36.
Final Recommendations
Stay vigilant:
- Only install extensions from verified sources.
- Regularly update wallets and security software.
- Be skeptical of unsolicited communications or offers.
Protect your crypto with caution — the threats keep evolving.
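
One way to act on the first recommendation, as an added example that is not from Koi Security or the original article: a Python audit of a Firefox profile's extensions.json that flags installed add-ons whose names resemble the wallet brands listed above but whose IDs are not on an allowlist you verified yourself. The allowlist IDs and the sample data are constructed placeholders, and the script assumes the profile's usual extensions.json layout (an "addons" array whose entries carry "id", "type" and "defaultLocale.name").

```python
import json

# Wallet brands the article lists as impersonated.
BRANDS = ["coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
          "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox"]

# Constructed placeholder allowlist: brand -> add-on IDs you confirmed via the
# vendor's own website. These IDs are NOT real; replace them before use.
VERIFIED_IDS = {"metamask": {"verified-metamask@placeholder.invalid"}}

def normalize(name):
    """Lowercase and drop separators so 'Meta-Mask' still matches 'metamask'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def audit(extensions_json_text):
    """Return (addon_id, name, brand) for wallet-branded add-ons not allowlisted."""
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries etc. cannot run content scripts
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        for brand in BRANDS:
            if normalize(brand) in normalize(name):
                if addon.get("id") not in VERIFIED_IDS.get(brand, set()):
                    findings.append((addon.get("id"), name, brand))
                break
    return findings

# Constructed sample standing in for <profile>/extensions.json.
SAMPLE = json.dumps({"addons": [
    {"id": "verified-metamask@placeholder.invalid", "type": "extension",
     "defaultLocale": {"name": "MetaMask"}},
    {"id": "{constructed-1111}", "type": "extension",
     "defaultLocale": {"name": "Meta-Mask Wallet"}},
    {"id": "{constructed-2222}", "type": "extension",
     "defaultLocale": {"name": "Phantom"}},
    {"id": "adblock@placeholder.invalid", "type": "extension",
     "defaultLocale": {"name": "Ad Blocker"}},
    {"id": "theme@placeholder.invalid", "type": "theme",
     "defaultLocale": {"name": "Exodus Dark"}},
]})

if __name__ == "__main__":
    for addon_id, name, brand in audit(SAMPLE):
        print(f"REVIEW: {name!r} ({addon_id}) uses brand {brand!r} but is not allowlisted")
```

Substring matching on short names such as "leap" or "okx" will also flag unrelated add-ons, so treat the output as a review list and not as a verdict.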
