Since April 2025, a growing series of fake cryptocurrency wallet extensions, collectively called “FoxyWallet”, have made their way into the Firefox Add-ons store. Posing as well-known brands such as MetaMask, Coinbase, Trust Wallet, and Phantom, these impostors reuse cloned open-source code with malicious payloads added. As a result, users’ seed phrases and private keys are captured and siphoned off by the attackers, probably a Russian-speaking threat group, who can then drain the victims’ crypto assets at will.
A Coordinated Scam Since April
Koi Security has linked over 40 fake wallet extensions to this campaign, noting that new versions appear almost weekly. The impersonators present the wallet interface users expect, lure them into entering sensitive inputs such as seed phrases (typically longer than 30 characters), and then transmit the phrase together with the user’s IP address to an attacker-controlled server.
How Trust Is Fabricated
The scam employs a variety of means to create false legitimacy:
- Identical branding: They reuse the names and logos of genuine wallets.
- Fake five-star reviews: Inflated review counts far exceed the real installation figures, misleading users.
- Open-source tactics: The clones keep the original’s normal functionality but embed malicious code, a low-effort, high-impact strategy.
As a result, users browsing the add-ons store see what appears to be a safe, well-rated extension, unaware that a silent attacker is harvesting their credentials.
Who’s Behind the Mask?
Malware analysis turned up comments written in Russian, and the metadata of a command-and-control PDF points to a Russian-speaking group. Attribution is still preliminary; however, the multilingual footprint suggests a potentially more coordinated effort.
Mozilla’s Defensive Steps
Mozilla implemented a new “early detection” defense on June 3, assigning risk profiles to add-ons and flagging suspicious submissions for human review. That measure has led to the removal of many offending extensions, yet at least seven still lingered in the store as of early July.
A Mozilla spokesperson confirmed that the company continues to refine its systems and pull down malicious extensions swiftly once identified.
Broader Implications: Beyond Browser Scams
The FoxyWallet scandal is just one facet of a broader crypto-fraud landscape. Hardware wallet scams, fake Ledger Live clones, and physical phishing campaigns, such as letters sent through USPS carrying QR codes, are also emerging threats. In the first half of 2025 alone, wallet breaches have yielded more than $1.7 billion in losses.
Staying Safe: Practical Advice
Bundled Apps: Extensions, add-ons, or apps are often bundled with software that you are installing. Exercise caution, because you may be installing other potentially unwanted software alongside what you actually want.
To protect yourself from these threats, experts suggest:
- Check publisher identity: Download from the wallet provider’s published website, not from a search engine result.
- Monitor ratings and install counts: Are there high ratings but very few installs? A mismatch between rating and install counts is a warning sign.
- Vet open-source clones very carefully: Being a clone of a legitimate extension is no guarantee of safety; the extension must come from a verifiable source.
- Treat extensions as critical software assets: Apply policies, allowlists, and ongoing scrutiny to browser extensions, just as you would to apps on your phone or desktop.
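One way to put the allowlist advice into practice, as an added example that is not part of the original article: a small audit that reads a Firefox profile's extensions.json, flags every active extension whose ID is not on the organization's allowlist, and calls out any of those that carry one of the wallet brand names this campaign impersonated. The extensions.json layout assumed here (an "addons" list with "id", "type", "active" and "defaultLocale"["name"]) is an assumption, and the extension IDs and sample data below are constructed, not real.

```python
"""Audit a Firefox profile's extensions.json against an allowlist of
extension IDs and flag add-ons that use a wallet brand name but are not
the allowlisted build. Added example; sample data and IDs are constructed."""
import json

# Brands impersonated by the FoxyWallet clones, per the article.
WALLET_BRANDS = ("metamask", "coinbase", "trust wallet", "phantom")


def audit_extensions(extensions_json: str, allowlist: set[str]) -> list[dict]:
    """Return one finding per active extension that is not on the allowlist.
    Assumed extensions.json layout: an "addons" list whose entries carry
    "id", "type", "active" and "defaultLocale"["name"]."""
    data = json.loads(extensions_json)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active", False):
            continue  # themes, dictionaries and disabled add-ons are out of scope
        ext_id = addon.get("id", "")
        if ext_id in allowlist:
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        brand = next((b for b in WALLET_BRANDS if b in name.lower()), None)
        findings.append({
            "id": ext_id,
            "name": name,
            "reason": (f"uses wallet brand '{brand}' but is not the allowlisted build"
                       if brand else "extension not on allowlist"),
        })
    return findings


# Constructed sample: one allowlisted wallet, one lookalike, one unrelated
# extension, and a theme that the audit should ignore.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "wallet@example-allowlisted.test", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask"}},
    {"id": "metamask-wallet@lookalike.test", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask - Secure Wallet"}},
    {"id": "notes@example.test", "type": "extension", "active": True,
     "defaultLocale": {"name": "Sticky Notes"}},
    {"id": "dark@theme.test", "type": "theme", "active": True,
     "defaultLocale": {"name": "Dark Theme"}},
]})
SAMPLE_ALLOWLIST = {"wallet@example-allowlisted.test"}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, SAMPLE_ALLOWLIST):
        print(f"{finding['id']}: {finding['reason']}")
```

On a real machine, point the script at the extensions.json inside the user's Firefox profile directory and replace the sample allowlist with the IDs your organization has approved.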
Final Word
The FoxyWallet campaign is a strong reminder that even trusted platforms like Firefox can be abused. The convenience of browser-based crypto access comes with inherent risk, and once an attacker obtains your seed phrase there is almost no way to reverse the damage. Vigilance, reliance on verifiable sources, and cautious use of extensions remain your best defense in a world where cybercriminals can easily mimic legitimacy.