According to a report by Koi Security, over 40 malicious extensions for the Mozilla Firefox browser are linked to an active cryptocurrency theft campaign. These extensions masquerade as cryptocurrency management tools.
Widespread Phishing Campaign
The campaign, active since April this year, uses extensions impersonating popular wallets such as Coinbase, MetaMask, and others. Once installed, these extensions are designed to steal users' credentials. "So far, we were able to link over 40 different extensions to this campaign, which is still ongoing and very much alive," the company stated.
Deception through Design
The campaign leverages fake reviews and ratings to gain user trust; one extension alone had hundreds of fake five-star reviews. The fake extensions also used names and logos identical to those of the real services, and in some instances cloned the official extensions' open-source code and added malicious code to it. "This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection."
Suspected Link to Russian-speaking Hackers
Koi Security indicates that attribution remains tentative; however, multiple signs point to a Russian-speaking threat actor. Such signs include Russian-language comments in the code and metadata found in a PDF file from a malware command-and-control server involved in the incident. "While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group."
Experts urge users to install browser extensions only from verified publishers and to monitor extension behavior closely to mitigate cryptocurrency theft risks.
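As a practical starting point for the advice above, the following script (added here as an example; it is not code from Koi Security, Mozilla, or the report) audits the extensions.json file that Firefox keeps in each profile directory. It surfaces installed extensions that carry a wallet brand name in their title, that were not installed from addons.mozilla.org, that lack a full signature, or that hold broad host or sensitive API permissions. The field names (`addons`, `defaultLocale.name`, `sourceURI`, `signedState`, `userPermissions`) reflect the file format as understood here and are an assumption to verify against your own profile; the sample entries are constructed. Because the extensions in this campaign were distributed with store reviews, an addons.mozilla.org source is not treated as proof of legitimacy: wallet-branded names are flagged for manual verification of the publisher rather than cleared.

```python
import json
import os

# Constructed sample of a Firefox profile's extensions.json. Field names follow
# the real file as understood here (an assumption); the entries are invented.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 36,
    "addons": [
        {
            "id": "uBlock0@raymondhill.net",
            "type": "extension",
            "defaultLocale": {"name": "uBlock Origin"},
            "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/123/ublock.xpi",
            "signedState": 2,
            "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["<all_urls>"]},
        },
        {
            "id": "wallet-helper@example.invalid",
            "type": "extension",
            "defaultLocale": {"name": "MetaMask Wallet"},
            "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/456/meta.xpi",
            "signedState": 2,
            "userPermissions": {"permissions": ["storage", "clipboardRead"], "origins": ["<all_urls>"]},
        },
        {
            "id": "sideloaded@example.invalid",
            "type": "extension",
            "defaultLocale": {"name": "Coinbase Helper"},
            "sourceURI": "https://cdn.example.invalid/coinbase.xpi",
            "signedState": 0,
            "userPermissions": {"permissions": ["storage"], "origins": ["https://*.coinbase.com/*"]},
        },
        {
            "id": "default-theme@mozilla.org",
            "type": "theme",
            "defaultLocale": {"name": "System theme"},
        },
    ],
})

# Brands the report names as impersonated, plus a generic keyword; extend with
# the wallets you actually use.
WALLET_KEYWORDS = ("coinbase", "metamask", "wallet")
AMO_PREFIX = "https://addons.mozilla.org/"
# signedState values taken to mean a full signature (SIGNED / SYSTEM / PRIVILEGED);
# the numeric constants are an assumption to confirm against your Firefox version.
SIGNED_OK = {2, 3, 4}
SENSITIVE_PERMISSIONS = {"clipboardRead", "clipboardWrite", "cookies", "webRequest", "webRequestBlocking"}


def audit_extensions(extensions_json_text):
    """Return a list of findings, most reasons first, for extensions that deserve review."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":  # skip themes, dictionaries, langpacks
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        reasons = []
        if any(keyword in name.lower() for keyword in WALLET_KEYWORDS):
            reasons.append("wallet-branded name: verify the publisher identity manually")
        source = addon.get("sourceURI") or ""
        if not source.startswith(AMO_PREFIX):
            reasons.append(f"not installed from addons.mozilla.org (source: {source or 'unknown'})")
        if addon.get("signedState") not in SIGNED_OK:
            reasons.append(f"signedState={addon.get('signedState')} is not a full signature")
        perms = addon.get("userPermissions", {})
        if "<all_urls>" in perms.get("origins", []):
            reasons.append("host access to every site (<all_urls>)")
        sensitive = SENSITIVE_PERMISSIONS & set(perms.get("permissions", []))
        if sensitive:
            reasons.append("sensitive permissions: " + ", ".join(sorted(sensitive)))
        if reasons:
            findings.append({"id": addon.get("id"), "name": name, "reasons": reasons})
    # Stable sort: extensions with the most reasons come first for triage.
    return sorted(findings, key=lambda f: -len(f["reasons"]))


def load_profile_extensions(profile_dir):
    """Read extensions.json from a real profile directory (path supplied by the caller)."""
    with open(os.path.join(profile_dir, "extensions.json"), encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # Replace SAMPLE_EXTENSIONS_JSON with load_profile_extensions("<your profile dir>")
    # to audit a live profile.
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{finding['name']} ({finding['id']})")
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed sample, the sideloaded "Coinbase Helper" and the store-installed "MetaMask Wallet" both surface with three reasons each, while uBlock Origin appears only for its all-sites host access, which is expected for a content blocker; the output is a review queue, not a verdict, and the publisher check for wallet-branded entries still has to be done by hand.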