Crypto Theft Alert: Firefox Users Targeted by Wallet Clone Scam

A new crypto theft campaign has compromised the security of Firefox users, using over 40 malicious browser extensions designed to mimic legitimate crypto wallets. Security firm KOI and blockchain threat intelligence company SlowMist jointly uncovered the sophisticated operation, which targeted unsuspecting users with add-ons that posed as trusted wallet apps like Rabby, MetaMask, and Phantom.

The discovery, first detailed in KOI’s official report, has sparked urgent warnings across the cybersecurity community. With more than $500,000 in stolen assets linked to the campaign, the attack reveals how browser-based deception remains a serious vector for crypto-related cybercrime.

How the Crypto Theft Scam Operated

The crypto theft strategy was based on social engineering. Victims were lured into installing fake wallet extensions via phishing pages and fraudulent update prompts. Once installed, these clones silently captured seed phrases, private keys, and transaction data — granting attackers full control over the user’s funds.

The malicious extensions operated under the guise of popular wallets, displaying identical UI elements and prompting users to “restore” accounts. The stolen credentials were then transmitted to attacker-controlled servers in real time, allowing for rapid fund drainage.

The scam was remarkably broad in scope. According to SlowMist’s breakdown on X (formerly Twitter), it targeted multiple chains including Ethereum, BNB Chain, and Tron. The perpetrators also implemented evasion techniques, such as disabling extension visibility in Firefox’s internal settings, making the malware harder to detect.

Why Firefox Became the Entry Point

One of the most alarming aspects of this crypto theft campaign is the exclusive focus on Firefox. While Chrome often dominates headlines for extension-based exploits, Firefox’s more permissive extension environment may have given attackers an easier path to distribution.

Unlike Chrome, which requires strict verification for web store listings, Firefox allows extensions to be side-loaded or distributed through off-platform links. This allowed the malicious actors to bypass store review processes entirely.

Though Mozilla has not yet issued a public comment, cybersecurity experts are urging the browser provider to tighten extension review protocols and improve security prompts for users installing third-party tools.

Lessons for Users and Wallet Developers

This attack highlights the ongoing challenge of protecting users from crypto theft in a browser-first world. While hardware wallets and mobile apps are generally safer, many users still rely on browser extensions for daily DeFi activity — leaving them exposed to sophisticated scams like this.

Wallet providers are now being advised to invest more heavily in anti-phishing tech, including official domain detection, update verification, and built-in seed phrase warnings.

For users, the key takeaway is simple: never install wallet extensions from unofficial links. Always verify the developer source and avoid entering recovery phrases unless prompted directly by a wallet app downloaded from a known, verified platform.
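
To check an existing Firefox profile against this advice, the added example below (not code from KOI, SlowMist, or Mozilla) audits the contents of the profile's extensions.json for add-ons that use a wallet brand name but carry an ID outside a reader-supplied allowlist, were installed from a host other than addons.mozilla.org, or are marked hidden. The field names are an assumption about the extensions.json layout, and the sample records and IDs are constructed.

```python
import json
from urllib.parse import urlparse

# Brand names come from the article. The allowlist of official add-on IDs is
# supplied by the reader after checking each wallet's own website.
WALLET_BRANDS = ("metamask", "rabby", "phantom")
TRUSTED_HOSTS = ("addons.mozilla.org",)  # assumption: only AMO-hosted installs are accepted


def audit_addons(extensions_json, official_ids):
    """Return (addon_id, name, reasons) for wallet-branded add-ons that look suspicious."""
    findings = []
    # Assumed layout: {"addons": [{"id", "type", "defaultLocale", "sourceURI", "hidden"}]}
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        if not any(brand in name.lower() for brand in WALLET_BRANDS):
            continue
        reasons = []
        if addon.get("id") not in official_ids:
            reasons.append("id not in official allowlist")
        host = urlparse(addon.get("sourceURI") or "").hostname or ""
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
            reasons.append(f"installed from {host or 'unknown source'}")
        if addon.get("hidden"):
            reasons.append("hidden from the add-ons manager")
        if reasons:
            findings.append((addon.get("id"), name, reasons))
    return findings


# Constructed sample in the shape of a profile's extensions.json (not real data).
SAMPLE = json.dumps({"addons": [
    {"id": "wallet-official@example.invalid", "type": "extension",
     "defaultLocale": {"name": "MetaMask"}, "hidden": False,
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/wallet.xpi"},
    {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
     "defaultLocale": {"name": "Rabby Wallet"}, "hidden": True,
     "sourceURI": "https://updates.example.invalid/rabby.xpi"},
    {"id": "notes@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Quick Notes"}, "hidden": False, "sourceURI": None},
]})

if __name__ == "__main__":
    for addon_id, name, reasons in audit_addons(SAMPLE, {"wallet-official@example.invalid"}):
        print(f"{name} ({addon_id}): {'; '.join(reasons)}")
```

The ID allowlist is the check that matters most, since a clone can copy a wallet's name and interface but not the ID of the official add-on.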

Final Thoughts: What This Crypto Theft Campaign Means for Firefox Security

This latest crypto theft campaign should serve as a wake-up call for both browser developers and crypto users. With over 40 malicious extensions detected and a growing pool of victims, the need for proactive wallet hygiene and stronger browser security has never been clearer.

As the Web3 ecosystem expands, so too will the tactics used by attackers. Firefox’s role in this breach highlights that even trusted platforms can be vulnerable if users and developers aren’t vigilant. The battle against phishing and wallet clones continues — but so does the community’s ability to respond, share intel, and protect one another.

Disclaimer

The information contained in this article is intended for informational and educational purposes only and should not be interpreted as financial, investment, legal, or tax advice. Bitzuma is not a registered investment advisor and does not endorse or recommend the purchase or sale of any cryptocurrency, token, or digital asset. Investing in digital assets involves a high degree of risk, including the potential loss of capital. ...
