Full Report
Cybersecurity researchers have uncovered over 40 malicious browser extensions for Mozilla Firefox that are designed to steal cryptocurrency wallet secrets, putting users' digital assets at risk. "These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox
Analysis Summary
# Tool/Technique: Malicious Firefox Extensions Targeting Cryptocurrency Wallets
## Overview
This entry covers a large-scale campaign of more than 40 malicious browser extensions targeting Mozilla Firefox users who hold cryptocurrency wallets. The extensions impersonate legitimate wallet tools in order to steal user assets, specifically wallet keys and seed phrases, which they exfiltrate to a remote server.
## Technical Details
- Type: Malware (Browser Extension)
- Platform: Mozilla Firefox
- Capabilities: Impersonation of legitimate wallet tools, source code cloning, key/seed phrase extraction, data exfiltration (wallet secrets and IP addresses).
- First Seen: Campaign ongoing since at least April 2025.
## MITRE ATT&CK Mapping
*Note: Since the exact malicious code payload isn't detailed, the mapping focuses on the primary observed behaviors.*
- **TA0001 - Initial Access**
  - T1588.001 - Obtain Capabilities: Supply Chain Compromise (injecting malicious functionality into cloned legitimate software).
- **TA0009 - Collection**
  - T1005 - Data from Local System: Input Capture (harvesting credentials/phrases from targeted websites).
  - T1005.001 - Browser Session Hijacking (direct interaction with browser data/context).
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
  - T1048 - Exfiltration Over Alternative Protocol (implied, as data is sent to a remote server).
## Functionality
### Core Capabilities
- **Impersonation:** Creating extensions that mimic popular wallet tools (Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, Filfox) using identical names and logos.
- **Social Engineering:** Artificially inflating popularity with hundreds of 5-star reviews to present an illusion of authenticity and broad adoption.
- **Code Cloning:** Cloning the open-source code of legitimate wallet extensions and injecting malicious functionality.
### Advanced Features
- **Data Harvesting:** Actively monitoring targeted cryptocurrency websites to steal wallet keys and seed phrases upon user input or interaction.
- **Network Probing:** Transmitting the victim's external IP address along with the stolen credentials.
- **Evasion:** Operating within the user's browser environment ensures low-effort execution and reduced chances of immediate detection by traditional endpoint security tools.
## Indicators of Compromise
- File Hashes: not provided in the source.
- File Names: the source names only the legitimate wallet tools being impersonated (see Core Capabilities).
- Registry Keys: not applicable to browser extensions directly, and none provided; manipulation of Firefox profile data is possible but not documented here.
- Network Indicators: stolen data is sent to a remote command-and-control (C2) server; no addresses are given in the source.
- Behavioral Indicators: unusual data transmission from browser profiles, silent behavior changes in extensions after installation, and extensions transmitting the host's external IP address.
## Associated Threat Actors
- Russian-speaking threat actor group (Inferred from Russian language comments in source code and metadata from C2 server).
## Detection Methods
- Signature-based detection: limited effectiveness, since the extensions change frequently and detection depends on add-on store monitoring.
- Behavioral detection: monitoring for extensions that silently initiate data collection or exfiltrate sensitive data or IP addresses from browser sessions.
- YARA rules: not provided in the source.
## Mitigation Strategies
- Install extensions only from verified publishers.
- Thoroughly vet extensions, ensuring they do not silently change their behavior post-installation.
- Mozilla is implementing a new system to flag and block scam cryptocurrency drainer add-ons early.
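The vetting and behavioral-detection points above can be partly automated before an add-on is allowed into a managed browser fleet. The script below is an added example written for this summary; it is not code from the report, from Mozilla, or from any wallet vendor. It reads the standard WebExtension `manifest.json` fields (`name`, `permissions`, `host_permissions`, `content_scripts[].matches`, `browser_specific_settings.gecko.id` and `update_url`) and flags three signals that match the campaign described here: a wallet brand name whose add-on ID is not on a vetted allow-list, permissions broad enough to read any page the user visits, and a self-hosted update URL that allows behavior to change after installation. The brand list comes from the report; the allow-list IDs and the two sample manifests are constructed placeholders.

```python
"""Audit Firefox WebExtension manifests for wallet-impersonation risk signals.

Added example, not code from the report, from Mozilla or from any wallet
vendor. The manifest fields read here are the standard WebExtension schema;
the allow-list and sample manifests below are constructed placeholders.
"""
import json
from dataclasses import dataclass

# Wallet brands the report says were impersonated.
IMPERSONATED_BRANDS = [
    "coinbase", "metamask", "trust wallet", "phantom", "exodus", "okx",
    "keplr", "mymonero", "bitget", "leap", "ethereum wallet", "filfox",
]

# HYPOTHETICAL allow-list of vetted add-on IDs per brand (placeholder values).
# A real deployment fills this from its own vetting of each vendor's add-on.
VETTED_ADDON_IDS = {
    "metamask": {"vetted-metamask@example.invalid"},
}

# Permissions that let an extension read or alter arbitrary page content/traffic.
BROAD_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs", "cookies",
    "clipboardRead", "nativeMessaging",
}

# Mozilla's own add-on update endpoint; anything else is self-hosted updating.
AMO_HOST = "addons.mozilla.org"


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    message: str


def _matched_brand(name: str):
    """Return the impersonated brand contained in an extension name, or None."""
    lowered = name.lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in lowered:
            return brand
    return None


def _host_patterns(manifest: dict) -> set:
    """Collect every match pattern the extension can inject into or intercept."""
    patterns = set()
    # Manifest V2 puts host patterns inside "permissions"; V3 uses "host_permissions".
    patterns.update(p for p in manifest.get("permissions", [])
                    if "://" in p or p == "<all_urls>")
    patterns.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest: dict) -> list:
    """Return a list of Finding objects for one parsed manifest.json."""
    findings = []
    name = manifest.get("name", "")
    gecko = manifest.get("browser_specific_settings", {}).get("gecko", {})
    addon_id = gecko.get("id", "")

    # 1. Brand impersonation: a wallet name without a vetted add-on id.
    brand = _matched_brand(name)
    if brand and addon_id not in VETTED_ADDON_IDS.get(brand, set()):
        findings.append(Finding(
            "high",
            f"name {name!r} matches wallet brand {brand!r} but add-on id "
            f"{addon_id or '<none>'!r} is not a vetted id for that brand"))

    # 2. Broad reach: reading any site is all a seed-phrase grabber needs.
    declared = set(manifest.get("permissions", [])) | _host_patterns(manifest)
    broad = {p for p in declared
             if p in BROAD_PERMISSIONS or p.startswith("*://*/")}
    if broad:
        findings.append(Finding("medium", f"broad reach: {sorted(broad)}"))

    # 3. Self-hosted updates: behavior can change silently after install.
    update_url = gecko.get("update_url")
    if update_url and AMO_HOST not in update_url:
        findings.append(Finding("medium", f"self-hosted update_url {update_url!r}"))
    return findings


def audit_manifest_text(raw: str) -> list:
    """Convenience wrapper that takes the text of a manifest.json file."""
    return audit_manifest(json.loads(raw))


# Constructed sample manifests (not real add-ons).
SUSPECT_MANIFEST = {
    "name": "MetaMask",
    "version": "1.0",
    "permissions": ["storage", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "browser_specific_settings": {"gecko": {
        "id": "metamask-lookalike@example.invalid",
        "update_url": "https://updates.example.invalid/updates.json"}},
}
BENIGN_MANIFEST = {
    "name": "Notes Sidebar",
    "version": "2.3",
    "permissions": ["storage"],
    "browser_specific_settings": {"gecko": {"id": "notes@example.invalid"}},
}

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, [(f.severity, f.message) for f in audit_manifest(manifest)])
```

Run against the manifests of every add-on in a profile's extensions directory (or a candidate add-on's unpacked `.xpi`) as a pre-install gate; a "high" finding should block installation pending manual review, and the update-URL check is what catches the silent post-install behavior change the mitigation list warns about.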
## Related Tools/Techniques
- Phishing scams (though these bypass traditional phishing reliance on fake websites/emails by operating inside the browser).
- Supply chain compromise focused on browser extensions.