What happened?
On 2 July 2025, security researchers discovered over 40 malicious browser extensions flooding Mozilla's Firefox Add-ons store, which were designed to steal cryptocurrency from unsuspecting users. The campaign, dubbed "FoxyWallet" by researchers, involved fake wallet extensions masquerading as legitimate cryptocurrency management tools, targeting popular brands including MetaMask, Coinbase Wallet, and Trust Wallet.4
The malicious add-ons employed sophisticated social engineering techniques, featuring convincing branding, professional descriptions, and hundreds of fabricated five-star reviews, to appear legitimate. The attackers cloned open-source wallet codebases and inserted malicious logic while maintaining expected functionality. Once installed, these extensions harvested users' private keys, seed phrases, and login credentials, and exfiltrated sensitive data to remote servers.5
Analysis revealed the campaign had been active since at least April 2025, with new malicious uploads occurring as recently as the week of discovery. The extensions employed review inflation tactics and identical branding to legitimate wallets, making them virtually indistinguishable from authentic tools to casual users. Mozilla has since removed the identified malicious extensions from their official store. The attack specifically targeted Firefox users, taking advantage of the browser's smaller market share where security scrutiny may be less intensive than Chrome's Web Store.
So what?
Browser extension stores represent attractive targets for cybercriminals as they provide direct access to users' browsing sessions and stored data. The scale of over 40 coordinated extensions demonstrates the industrialisation of cryptocurrency theft operations, with organised criminal groups investing substantial resources in browser-based financial crime.
The campaign's three-month operational period exposes significant gaps in extension store security validation processes. The ability to clone legitimate codebases while inserting malicious functionality highlights the sophistication of modern supply chain attacks targeting browser ecosystems.
Organisations should implement strict policies governing browser extension installations, requiring approval processes for any add-ons handling financial data. IT teams should regularly audit installed extensions across corporate devices, maintain updated inventories of approved tools, and implement extension allow-listing to prevent unauthorised installations.
Users and businesses should verify extension authenticity through multiple channels before installation, including checking developer credentials, examining review patterns for artificial inflation, and confirming official endorsements from the claimed wallet providers. Security awareness training should emphasise that official app stores do not guarantee extension safety.
For cryptocurrency users, hardware wallets provide superior security compared to browser-based solutions, as they isolate private keys from potentially compromised browser environments. Organisations should consider implementing browser isolation technologies and continuous monitoring systems that can detect unusual extension behaviour patterns.
This incident underscores the need for enhanced extension store security measures, including improved validation processes, behavioural analysis, and rapid response capabilities to protect against evolving threats in the cryptocurrency ecosystem.
Indicators of compromise:
| Malicious Extension Name |
Impersonated Platform |
| bitget-by-addon |
Bitget |
| bitget-by-addons |
Bitget |
| bitget-extension |
Bitget |
| btc-wallet |
Bitcoin |
| coinbaseswallet |
Coinbase |
| developer-trust |
Trust Wallet |
| eth-for-edition |
Ethereum Wallet |
| eth-wallet |
Ethereum Wallet |
| ethereum-wallet |
Ethereum Wallet |
| ethereum-wallet-crypto |
Ethereum Wallet |
| fil-project |
FilFox |
| filfox |
FilFox |
| filfox-wallet |
FilFox |
| is-a-block-explorer |
Keplr Wallet |
| keplr-wallet |
Keplr Wallet |
| leap-wallet |
Leap |
| metamask-addons |
MetaMask |
| metamask-crypto-official |
MetaMask |
| metamask-for-firefox |
MetaMask |
| metamask-for-wallet |
MetaMask |
| metamask-the-extension |
MetaMask |
| metamaskext |
MetaMask |
| metamasklet |
MetaMask |
| mew-wallet-ethereum-defi-web3 |
MyMonero |
| mymonero-wallet |
MyMonero |
| official-metamask |
MetaMask |
| official-metamask-wallet |
MetaMask |
| okx-add |
OKX |
| okx-addons |
OKX |
| okx-wallet-extension |
OKX |
| okx-wallet-extension1 |
OKX |
| phantom-ext-off |
Phantom |
| phantom-wallet-extension |
Phantom |
| trust-app |
Trust Wallet |
| trust-application |
Trust Wallet |
| trust-bestwallet |
Trust Wallet |
| trust-crypto |
Trust Wallet |
| trust-developer |
Trust Wallet |
| trust-extension-wallet |
Trust Wallet |
| trust-for-mozilla |
Trust Wallet |
| trust-wallet-mozilla-add |
Trust Wallet |
| wallet-for-bitcoin |
Bitcoin |
| wallet-for-trust-crypto-wallet |
Trust Wallet |
| wallet-for-trust |
Trust Wallet |
| wallet-metamask-crypto-wallet |
MetaMask |