
Firefox cryptocurrency extension fraud campaign

Posted on 9 July 2025

What happened? 

On 2 July 2025, security researchers discovered over 40 malicious browser extensions, designed to steal cryptocurrency from unsuspecting users, flooding Mozilla's Firefox Add-ons store. The campaign, dubbed "FoxyWallet" by researchers, involved fake wallet extensions masquerading as legitimate cryptocurrency management tools, targeting popular brands including MetaMask, Coinbase Wallet, and Trust Wallet.

The malicious add-ons employed sophisticated social engineering techniques, featuring convincing branding, professional descriptions, and hundreds of fabricated five-star reviews, to appear legitimate. The attackers cloned open-source wallet codebases and inserted malicious logic while maintaining expected functionality. Once installed, these extensions harvested users' private keys, seed phrases, and login credentials, and exfiltrated sensitive data to remote servers.

Analysis revealed the campaign had been active since at least April 2025, with new malicious uploads occurring as recently as the week of discovery. The extensions used review inflation and branding identical to that of legitimate wallets, making them virtually indistinguishable from authentic tools to casual users. Mozilla has since removed the identified malicious extensions from its official store. The attack specifically targeted Firefox users, taking advantage of the browser's smaller market share, where security scrutiny may be less intensive than on Chrome's Web Store.

So what? 

Browser extension stores represent attractive targets for cybercriminals as they provide direct access to users' browsing sessions and stored data. The scale of over 40 coordinated extensions demonstrates the industrialisation of cryptocurrency theft operations, with organised criminal groups investing substantial resources in browser-based financial crime. 

The campaign's three-month operational period exposes significant gaps in extension store security validation processes. The ability to clone legitimate codebases while inserting malicious functionality highlights the sophistication of modern supply chain attacks targeting browser ecosystems. 

Organisations should implement strict policies governing browser extension installations, requiring approval processes for any add-ons handling financial data. IT teams should regularly audit installed extensions across corporate devices, maintain updated inventories of approved tools, and implement extension allow-listing to prevent unauthorised installations. 
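The audit and allow-listing step described above can be sketched as follows. This is an added example, not code from the original article or from Mozilla: it assumes the per-profile `extensions.json` inventory exposes `addons[].id`, `type`, `location` and `defaultLocale.name` (check these against your Firefox version), and the allow-list entry and sample records are constructed placeholders.

```python
import json

# Subset of the wallet brands this article lists as impersonated, in normalised form.
WALLET_BRANDS = ["metamask", "coinbase", "trustwallet", "phantom", "okx",
                 "bitget", "keplr", "filfox", "mymonero"]

# Hypothetical approved inventory (add-on ID -> approved name); replace the placeholder
# with IDs your organisation has confirmed with each wallet provider.
ALLOW_LIST = {"wallet@approved-vendor.example": "Approved Wallet"}

# Constructed sample in the assumed extensions.json layout (not data from the campaign).
SAMPLE = json.dumps({"addons": [
    {"id": "wallet@approved-vendor.example", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Approved Wallet"}},
    {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask for Firefox"}},
    {"id": "notes@tools.example", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Quick Notes"}},
    {"id": "theme@vendor.example", "type": "theme",
     "location": "app-profile", "defaultLocale": {"name": "Dark theme"}},
]})

def normalise(text):
    """Lower-case and keep only letters and digits, so 'Trust-Wallet' matches 'trustwallet'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def audit_profile(extensions_json, allow_list=ALLOW_LIST):
    """Return one finding per user-installed extension that is not on the allow-list."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        # Assumed fields: only user-installed extensions are in scope, not themes or built-ins.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        if addon.get("id") in allow_list:
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "")
        brands = [b for b in WALLET_BRANDS if b in normalise(name)]
        # An unapproved add-on carrying a wallet brand name is the pattern this campaign used.
        findings.append({"id": addon.get("id"), "name": name, "brands": brands,
                         "severity": "high" if brands else "review"})
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```

Matching on add-on ID rather than display name is the point of the allow-list: a clone can copy a wallet's name and branding, so the name is only used here to raise the priority of an unapproved entry.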

Users and businesses should verify extension authenticity through multiple channels before installation, including checking developer credentials, examining review patterns for artificial inflation, and confirming official endorsements from the claimed wallet providers. Security awareness training should emphasise that official app stores do not guarantee extension safety. 

For cryptocurrency users, hardware wallets provide superior security compared to browser-based solutions, as they isolate private keys from potentially compromised browser environments. Organisations should consider implementing browser isolation technologies and continuous monitoring systems that can detect unusual extension behaviour patterns. 

This incident underscores the need for enhanced extension store security measures, including improved validation processes, behavioural analysis, and rapid response capabilities to protect against evolving threats in the cryptocurrency ecosystem. 

Indicators of compromise: 

| Malicious extension name | Impersonated platform |
| --- | --- |
| bitget-by-addon | Bitget |
| bitget-by-addons | Bitget |
| bitget-extension | Bitget |
| btc-wallet | Bitcoin |
| coinbaseswallet | Coinbase |
| developer-trust | Trust Wallet |
| eth-for-edition | Ethereum Wallet |
| eth-wallet | Ethereum Wallet |
| ethereum-wallet | Ethereum Wallet |
| ethereum-wallet-crypto | Ethereum Wallet |
| fil-project | FilFox |
| filfox | FilFox |
| filfox-wallet | FilFox |
| is-a-block-explorer | Keplr Wallet |
| keplr-wallet | Keplr Wallet |
| leap-wallet | Leap |
| metamask-addons | MetaMask |
| metamask-crypto-official | MetaMask |
| metamask-for-firefox | MetaMask |
| metamask-for-wallet | MetaMask |
| metamask-the-extension | MetaMask |
| metamaskext | MetaMask |
| metamasklet | MetaMask |
| mew-wallet-ethereum-defi-web3 | MyMonero |
| mymonero-wallet | MyMonero |
| official-metamask | MetaMask |
| official-metamask-wallet | MetaMask |
| okx-add | OKX |
| okx-addons | OKX |
| okx-wallet-extension | OKX |
| okx-wallet-extension1 | OKX |
| phantom-ext-off | Phantom |
| phantom-wallet-extension | Phantom |
| trust-app | Trust Wallet |
| trust-application | Trust Wallet |
| trust-bestwallet | Trust Wallet |
| trust-crypto | Trust Wallet |
| trust-developer | Trust Wallet |
| trust-extension-wallet | Trust Wallet |
| trust-for-mozilla | Trust Wallet |
| trust-wallet-mozilla-add | Trust Wallet |
| wallet-for-bitcoin | Bitcoin |
| wallet-for-trust-crypto-wallet | Trust Wallet |
| wallet-for-trust | Trust Wallet |
| wallet-metamask-crypto-wallet | MetaMask |