Security firm Koi discovered over 40 fake wallet extensions have popped up on Firefox browser plug-in stores. They lure victims by masquerading as major wallet firms.
According to recent blogpost from the security company Koi, hackers have been operating a large-scale campaign involving dozens of fake crypto wallet extensions sold through the plug-in stores.
These fake wallets are designed to impersonate and even mirror mainstream digital wallet platforms, including Coinbase, MetaMask, OKX, Bitget, Ethereum (ETH) Wallet and many others. Once the extension is installed, the malicious software will be able to gain access to user wallets by stealing their login wallet information.
“So far, we were able to link to over 40 different extensions to this campaign, which is still ongoing and very much alive,” wrote the security firm in its notice.
The firm found that some of the fake extensions are still available for download on the browser marketplace. Koi estimated that the campaign itself is still “active, persistent and evolving,” with the last known activity occurring as recent as last week.
How do fake wallets steal user credentials?
The fake wallet extensions extract user credentials directly through the websites they target and transmit them to a remote server controlled by the hackers. They can also use this mode of infiltration to uncover a user’s external IP address, most likely to track or target their other devices.
When displayed on the browser plug-in marketplace, the fake wallet mirrors major wallet platforms almost to the very last detail; they use identical names and logos of the service they are impersonating so that they are able to gain the user’s trust.
To make the fake wallet seem believable to the average viewer, the hackers use a tactic that is called review inflation. many of the malicious extensions had hundreds of fake 5-star reviews, far exceeding their actual user base.
This tactic makes the fake wallet extension appear widely adopted and positively reviewed, as if it were the real thing.
In some cases, Koi found that malicious actors took advantage of the fact that the original extensions are open source. Therefore, they are able to clone codebases and slip in their own malicious code into it.
“This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection,” wrote Koi.
However, users can look for signs that indicate the extension they intend to download is actually a fraud. These include the appearance of comments in the extension code written in Russian, and suspicious metadata found in the PDF file retrieved from a command server in the operation.
Users can stay safe from fake wallet attacks by only installing extensions from verified publishers and using an extension allow-list to restrict installation to pre-approved, validated plugins only.
Lately, hackers are getting more creative with ways to infiltrate crypto user wallets, ranging from fake job search sites to printer extensions. In fact, according to a NASAA survey, cryptocurrency and social media scams are considered a top threat to retail investors in 2025.
