More than 40 fake extensions in Firefox’s official add-ons store are impersonating popular cryptocurrency wallets from trusted providers to steal wallet credentials and sensitive data.
Some of the extensions pretend to be wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, and include malicious code that sends stolen information to attacker-controlled servers.
Fake wallet extensions on the Firefox add-ons store
Source: BleepingComputer
Researchers at Koi security found the risky extensions along with evidence indicating that behind the campaign is a Russian-speaking threat group.
In a report shared with BleepingComputer, the researchers say that many of these browser add-ons are clones of open-source versions of legitimate wallets with added malicious logic.
Koi security presents examples of ‘input’ and ‘click’ event listeners in the code, which monitor for sensitive data inputs from the victim.
Malicious code snippets in the extensions
Source: Koi Security
The code checks for input strings that are longer than 30 characters to filter for realistic wallet keys/seed phrases, and exfiltrates the data to the attackers.
... continue reading