
40 Malicious Firefox Extensions Caught Stealing Crypto Wallet Data


More than forty malicious browser extensions have recently appeared on Mozilla’s Firefox Add-ons store. According to SlowMist and Koi Security, these extensions have been stealing cryptocurrency wallet credentials for Trust Wallet, Coinbase, and MetaMask. The two blockchain security platforms provided details of the data-stealing campaign.

More than Forty Malicious Firefox Extensions Secretly Stealing Crypto Wallet Credentials

The data indicates that more than forty malicious Firefox extensions have been stealing Trust Wallet, Coinbase, and MetaMask wallet credentials. The campaign has reportedly been operating since April and is still ongoing, and many of the fake extensions are still available for download. The extensions appear to be trusted crypto wallets, but they are fake and exist only to steal wallet credentials.

According to the reports, the extensions impersonate prominent wallets such as MyMonero, Keplr, OKX, Phantom, Trust Wallet, Coinbase Wallet, and MetaMask. The clones copy the wallets’ codebases without authorization and embed malicious scripts that silently extract users’ wallet credentials, including private keys and seed phrases. After stealing these credentials, the malicious extensions exfiltrate them to attacker-controlled servers.

The malware also collects the user’s IP address, which enables further targeting or profiling. The threat actors behind the campaign abuse marketplace trust indicators to trick users: they mimic wallet branding, including logos and memes, and they publish numerous extensions with forged 5-star reviews. This inflates the extensions’ reputation among unsuspecting consumers and pushes them to download the harmful extensions.

Blockchain Security Platforms Advise Consumers to Verify and Observe Extensions

A key technique in the campaign is cloning open-source wallet repositories and adding malicious logic to the clones. This lets the fake extensions operate normally while stealthily taking data, which makes detection more difficult. Koi Security and SlowMist therefore advise enterprises and users to install only verified extensions and to avoid relying solely on reviews or ratings. Users are also urged to keep observing extension behavior, because updates can alter functionality without the consumer’s consent.
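
Because the fake extensions are clones of open-source wallets with logic added, one way to check a suspect extension is to unpack it and diff it against the official release of the wallet it claims to be. The sketch below is an added example, not code from SlowMist, Koi Security, or any wallet project; the function names, file names, and sample contents are constructed placeholders.

```python
import hashlib
import json

def _digests(files):
    """Map each path in an unpacked extension (path -> bytes) to its SHA-256."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def _permissions(files):
    """Collect API and host permissions declared in manifest.json."""
    manifest = json.loads(files["manifest.json"])
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return {p for p in declared if isinstance(p, str)}

def audit_extension(reference, candidate):
    """Diff a candidate extension against the official release it claims to be."""
    ref, cand = _digests(reference), _digests(candidate)
    return {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "modified": sorted(p for p in set(ref) & set(cand) if ref[p] != cand[p]),
        "new_permissions": sorted(_permissions(candidate) - _permissions(reference)),
    }

# Constructed sample data: file contents are placeholders, not real wallet code.
OFFICIAL = {
    "manifest.json": json.dumps({"name": "Example Wallet", "version": "1.0",
                                 "permissions": ["storage"]}).encode(),
    "background.js": b"// official background script (placeholder)",
    "popup.js": b"// official popup script (placeholder)",
}
SUSPECT = {
    "manifest.json": json.dumps({"name": "Example Wallet", "version": "1.0",
                                 "permissions": ["storage", "<all_urls>"]}).encode(),
    "background.js": b"// official background script (placeholder)",
    "popup.js": b"// popup script with extra logic (placeholder)",
    "vendor/helper.js": b"// file absent from the official release (placeholder)",
}

if __name__ == "__main__":
    for finding, items in audit_extension(OFFICIAL, SUSPECT).items():
        print(f"{finding}: {items}")
```

Running the same diff between two consecutive versions of an installed extension surfaces updates that add files or widen permissions.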
