Cryptocurrency hasn’t just wrecked the GPU market and made small talk insufferable—it’s now taking aim at Firefox, too. A wave of malicious crypto wallet extensions has infiltrated the browser’s add-on repository, and even Mozilla’s automated security systems can’t keep up.
Security researchers at Koi Security uncovered a coordinated campaign that began back in April. Dozens of fake add-ons imitating popular crypto wallets like Coinbase, MetaMask, and Ethereum have been uploaded to the Firefox store. These aren’t harmless clones—they’re altered versions of open-source wallet code, modified with malicious scripts that steal sensitive user data and compromise access to real cryptocurrency holdings. According to the researchers, the operation appears to be run by Russian-speaking attackers.
The fakes use all the usual tricks to pass as legitimate: copied logos, cloned names, and fake five-star reviews. Despite Mozilla’s automated vetting processes, at least 40 malicious extensions made it through, though most have since been removed. Mozilla has responded with a standard public statement, but the issue clearly points to deeper flaws in add-on moderation and oversight.
Even though the crypto and NFT hype has cooled, hundreds of billions of dollars remain locked up in digital assets—and the risk of theft remains high. If you manage any kind of wallet or crypto service, avoid browser extensions unless downloaded directly from verified sources. Once stolen, anonymous crypto funds are almost impossible to trace or recover—especially when they cross international lines.
