
Fake Wallet Extension Scam Puts Millions of Crypto Users at Risk


New Fake Wallet Extension Puts Funds at Risk

A dangerous wave of fake wallet extensions has struck the internet, targeting users of popular digital currency platforms such as MetaMask, Coinbase, Trust, Phantom, OKX, Keplr, Exodus, MyMonero, Bitget, Leap, Ethereum and Filfox.

Source: X

These are being distributed through the Firefox add-ons store and are created to steal crypto credentials. Once installed, a fake wallet extension silently exfiltrates secrets to remote servers, putting users' assets at immediate risk.

With more than 40 malicious fake wallet extensions already connected to the campaign, the threat is serious, stealthy and still active.

The Attack Strategy: How Malicious Add-ons Steal Data

The malicious fake wallet extensions were designed to act like real crypto storage tools. Once installed, the extensions quietly collect sensitive wallet information from users, including private keys and login credentials.

The stolen data is transferred to a remote server operated by the attackers. The extensions also track users’ external IP addresses to monitor or even target users based on their geographic location.

It is a deliberate and highly sophisticated operation that leverages individuals’ trust in browser add-ons.

Trusted Ratings, Fraud Security: How Users Were Tricked

One of the most alarming tactics used in this campaign is review manipulation. Most of these malicious extensions carried hundreds of fake 5-star reviews, far beyond what their real user base could justify.

This false sense of popularity and credibility led many individuals to download them without a second thought.

Source: Koi 

Moreover, the attackers copied the official branding, using the same names, logos and user interfaces as the legitimate providers. This visual likeness made it even harder for users to differentiate between real and fake.

In many cases, the attackers went one step further: they copied open-source code from real tools and injected their own malicious logic, making the add-on function just like the original while secretly looting credentials in the background.

Rogue Plugins Keep Popping Up

The threat campaign has been live since April 2025 and new fake wallet extensions continue to emerge on the Firefox add-ons store. In fact, uploads were seen as recently as last week. 

Source: Koi 

This clearly shows that the operation behind these extensions is still alive and evolving. Many of these malicious extensions remain available in public marketplaces, waiting to be installed by unsuspecting users.

Who’s Behind the Attack?

Although attribution remains inconclusive, several clues point to a Russian-speaking threat actor, including:

  • Russian-language comments embedded in the fake wallet extensions

  • Metadata in a PDF file recovered from a command and control server used in the campaign.

Though not definitive, these indicators suggest that the campaign may originate from a group of Russian-speaking cybercriminals.

$2.47B Stolen — More to Come?

In 2024, around $2.3 billion in crypto was stolen. Only six months into 2025, the total has already exceeded that, with around $2.47 billion in cryptocurrency stolen. If this continues, the number of scams is likely to rise further. With six months of 2025 still left, and if precautions are not taken, the figure could double and reach $5 billion in stolen cryptocurrency.

How to stay safe: Koi Security’s Recommendations 

Koi Security, the firm behind the investigation, offers the following tips:

  • Install extensions only from verified publishers.

  • Even with high ratings, treat any extension with caution.

  • Use an allowlist to permit only pre-approved extensions.

  • Treat browser add-ons as software requiring full vetting and monitoring. 

  • Recognize that fake wallet extensions may update silently and change behavior post-installation. 

These steps are essential for identifying and blocking a fake wallet extension before it causes harm.
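As an added example (not from Koi Security or the original article), the allowlist recommendation can be checked against what is actually installed. This sketch assumes the layout of the extensions.json file in a Firefox profile (an addons list with id, type, active, defaultLocale.name and userPermissions.origins); every ID and name in the sample is constructed.

```python
import json

# Constructed sample shaped like a Firefox profile's extensions.json.
# Assumed fields: addons[].id, type, active, defaultLocale.name,
# userPermissions.origins. All IDs and names below are made up.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "wallet@approved.example", "type": "extension", "active": True,
     "defaultLocale": {"name": "Approved Wallet"},
     "userPermissions": {"origins": ["https://approved.example/*"]}},
    {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
     "active": True, "defaultLocale": {"name": "Approved Wallet"},
     "userPermissions": {"origins": ["<all_urls>"]}},
    {"id": "notes@unknown.example", "type": "extension", "active": False,
     "defaultLocale": {"name": "Quick Notes"},
     "userPermissions": {"origins": []}},
    {"id": "dark@theme.example", "type": "theme", "active": True,
     "defaultLocale": {"name": "Dark Theme"}},
]})

# Hypothetical allowlist: approved add-on ID -> display name.
ALLOWLIST = {"wallet@approved.example": "Approved Wallet"}
# Host patterns that let an extension read every page the user visits.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(raw_json, allowlist):
    """Return one finding per installed extension that is not pre-approved."""
    approved_names = {name.casefold() for name in allowlist.values()}
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs run no code
        if addon.get("id") in allowlist:
            continue  # matched by ID, never by name, logo or rating
        name = (addon.get("defaultLocale") or {}).get("name", "")
        origins = (addon.get("userPermissions") or {}).get("origins") or []
        reasons = ["not on allowlist"]
        if name.casefold() in approved_names:
            reasons.append("reuses the name of an approved extension")
        if BROAD_ORIGINS.intersection(origins):
            reasons.append("has access to all sites")
        if not addon.get("active", False):
            reasons.append("installed but disabled")
        findings.append({"id": addon.get("id"), "name": name,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWLIST):
        print(finding["id"], finding["name"], "; ".join(finding["reasons"]))
```

Because extensions can update silently, the check is only useful when run on a schedule rather than once at install time.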

Conclusion: A wake-up call for the Crypto and Browser ecosystem 

This campaign sends a clear message to all crypto users. These threats hide in plain sight, pretending to be trustworthy tools.

Staying alert, downloading only established extensions and monitoring them constantly are the keys to avoiding a fake wallet extension attack.

Online safety starts with cautious clicks!

Akanksha

About the Author Akanksha

Expertise coingabbar.com

Akanksha is a dedicated crypto content writer with a strong enthusiasm for blockchain technology and digital innovation. With a growing footprint in the Web3 space, she specializes in turning intricate crypto topics into clear, engaging narratives that resonate with readers across all experience levels. Whether it's Bitcoin, emerging altcoins, DeFi platforms, or NFT trends, Akanksha delivers timely and insightful content that helps audiences stay informed in the ever-evolving crypto market. Her analytical approach, combined with a passion for decentralized finance, allows her to craft informative pieces that empower both new and experienced investors. Akanksha firmly believes in the transformative power of blockchain to reshape global systems and drive financial inclusion.
