MozillaIn the Firefox plug -in store, more than 40 counterfeit plugins that mimic popular wallet applications such as Coinbase, Metamask and Trust Wallet were still online. Koi Securityto his report dated 2 July 2025 according to These add -ons secretly collect the identity information of the crypto currency wallet and put their assets at risk. Researchers have confirmed that the fake plug -in campaign has continued at least since April and that the new plug -ins were uploaded to the store last week. Hundreds of fake five -star comments give artificial confidence to add -ons.
Fake add -ons seized the firefox store
Add -ons Metamask It is offered in a legitimate image by copying the official logo and explanations of the leading crypto currency wallet services. In store search results, the number of downloads of the plug -ins with popular keywords is increasing rapidly. Although the browser interface resembles the real application when the installation is complete, the embedded Scripts capture special key and recovery expressions and send them to the attackers.
Koi Security reported that the harmful code has escaped automatic scan thanks to the hiding of the closed source Javascript modules. Add -ons, FirefoxBy abuse the permission management, he demands extensive networking rights and can capture the password in which the user enters every new tab. The victim, who thinks he has set up a single wallet plug -in, is actually the target of numerous script.

Traces of Russian attackers gave up
The report emphasized that there are comments in Russian language in PDF files hosted on command-control servers due to harmful plug-ins and source code notes. Security researchers said that these clues pointed to a Russian -speaking threat actor of the false plug -in campaign, but did not constitute certain evidence. Nevertheless, geographical clock stamps, file paths and error messages strengthen the findings by pointing to the same language.
More importantly, more than 60 versions have been installed since the first wave that started in April and the last harmful loading took place only a week ago. When the constantly updated add -ons detection signature appear, the name changes and re -broadcast and deletes their traces. Koi Security, Firefox StoreHe has not removed some copies of some copies and advised users to increase the plug -in only through directly referred from official sites.
Responsibility Rejection: The information contained in this article does not contain investment advice. Investors should be aware that crypto currencies carry high volatility and thus risk and carry out their operations in line with their own research.