Chrome and Firefox Users Under Attack: 45 Fake Extensions Target Crypto Wallets
New malware campaign uses fake Firefox add-ons to steal crypto wallet credentials.

Author: Crypto Laddin

On July 1, cybersecurity experts uncovered 45 malicious Firefox extensions impersonating trusted crypto wallets like MetaMask, Trust Wallet, Phantom, OKX, and Coinbase. These extensions steal wallet credentials and transmit user data to attacker-controlled servers.
According to Koi Security researcher Yuval Ronen, attackers cloned open-source wallet extensions, embedded malicious logic, and disguised them with familiar branding to win trust. The malware campaign has been active since April 2025 and is still evolving.
The extensions also transmit users’ IP addresses during activation, enabling tracking. This comes amid a spike in crypto hacks: in May, Coinbase reported a breach affecting over 70,000 users.
Koi Security’s recommendations:
- Install browser extensions only from verified publishers
- Treat extensions as full software packages
- Restrict installations to approved add-ons in organizational settings
- Continuously monitor for ownership changes or updates indicating compromise
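As an added example (not from Koi Security or the original article), here is one way to check a Firefox profile against an approved add-on list, following the recommendation to restrict installations to approved add-ons. It assumes the profile's extensions.json holds an `addons` array with `id`, `type`, `location` and `defaultLocale.name` fields; the allowlist, add-on IDs and sample data are constructed placeholders.

```python
import json

# Brand names the article lists as impersonated by the fake add-ons.
WALLET_BRANDS = ("metamask", "trust wallet", "phantom", "okx", "coinbase")

# Constructed allowlist: add-on IDs the organization has approved (placeholders).
APPROVED_IDS = {"approved-wallet@example.invalid", "adblock@example.invalid"}

# Constructed sample shaped like a Firefox profile's extensions.json (assumed layout).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "approved-wallet@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "MetaMask"}},
    {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Phantom Wallet"}},
    {"id": "notes@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Quick Notes"}},
    {"id": "builtin@example.invalid", "type": "extension",
     "location": "app-builtin", "defaultLocale": {"name": "Built-in"}},
    {"id": "theme@example.invalid", "type": "theme",
     "location": "app-profile", "defaultLocale": {"name": "Dark"}},
]})


def audit_addons(raw_json, approved_ids=APPROVED_IDS):
    """Return (addon_id, name, severity) for each unapproved user-installed extension."""
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        # Only extensions installed into the profile are in scope; skip
        # themes and add-ons shipped with the browser itself.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        addon_id = addon.get("id", "")
        if addon_id in approved_ids:
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        # An unapproved add-on carrying a wallet brand name matches the
        # impersonation pattern described in the article: escalate it.
        branded = any(brand in name.lower() for brand in WALLET_BRANDS)
        findings.append((addon_id, name, "high" if branded else "review"))
    # High-severity findings first so triage starts with likely impersonators.
    return sorted(findings, key=lambda f: f[2] != "high")


if __name__ == "__main__":
    for addon_id, name, severity in audit_addons(SAMPLE_EXTENSIONS_JSON):
        print(f"[{severity}] {name} ({addon_id})")
```

A brand-name match on an unapproved ID is only a triage signal; the allowlist of approved IDs remains the control that decides what may stay installed.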
As crypto adoption grows, so do threats—making secure browsing habits more important than ever.