Валентин Шнайдер, Hot News
4 July 2025, 18:58
Fake Firefox extensions stole cryptocurrency: over 40 fakes masqueraded as MetaMask and Coinbase
Cybersecurity researchers have uncovered a large-scale campaign with malicious extensions for the Firefox browser that were stealing access keys to users' crypto wallets.
According to The Hacker News, more than 40 malicious browser add-ons imitated well-known cryptocurrency services, including MetaMask, Coinbase Wallet, Trust Wallet, Phantom, Exodus, OKX, MyMonero, and others. The attackers copied the design and names of the real applications, sometimes even reusing open source code and adding their own malicious functionality to it.
Users who installed such extensions were at risk of having their seed phrases, private keys, and even IP addresses stolen. All stolen data was sent to the hackers' servers. One of the malicious extensions, a fake MyMonero Wallet, remained available in the Mozilla Add-ons directory even after the others were removed.
What are the Russians doing here?
To increase trust, the attackers posted fake five-star reviews in bulk, in numbers that exceeded the extensions' active installations. The source code also contained Russian-language comments, and metadata from a PDF file from the C2 server indicates a Russian-speaking group.
What is particularly worrying is that these extensions operate inside the browser, which makes them difficult for traditional antivirus software to detect.
Mozilla has already announced the development of an early detection system for suspicious crypto extensions, which should prevent their spread in the future.
Experts advise checking extension authors, avoiding unknown publishers, and being especially careful with finance-related apps.
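Two signals from this report, a wallet brand name used by an unfamiliar publisher and more ratings than active installations, can be combined into a simple triage check before installing or approving an extension. This is an added example, not code from the researchers or Mozilla; the record fields, publisher names and numbers are constructed for illustration.

```python
import re

# Wallet brands the article lists as impersonated.
WALLET_BRANDS = ["metamask", "coinbase", "trust wallet", "phantom",
                 "exodus", "okx", "mymonero"]

# Hypothetical allow-list: brand -> publisher names you have verified yourself.
TRUSTED = {"metamask": {"example-official-metamask"}}

# Constructed sample listings (not real store data).
LISTINGS = [
    {"name": "MetaMask", "publisher": "example-official-metamask",
     "users": 400000, "ratings": 1200},
    {"name": "Meta Mask Wallet Pro", "publisher": "example-unknown-dev",
     "users": 35, "ratings": 210},
    {"name": "Dark Theme Switcher", "publisher": "example-theme-dev",
     "users": 12, "ratings": 40},
    {"name": "MyMonero Wallet", "publisher": "example-unknown-dev2",
     "users": 900, "ratings": 15},
]

def brand_in(name):
    """Return the wallet brand a listing name contains, ignoring case and spacing."""
    flat = re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()
    squashed = flat.replace(" ", "")
    for brand in WALLET_BRANDS:
        if brand in flat or brand.replace(" ", "") in squashed:
            return brand
    return None

def triage(listing, trusted=TRUSTED):
    """Return the reasons a wallet-branded listing needs manual review."""
    brand = brand_in(listing["name"])
    if brand is None:
        return []  # not wallet-related: out of scope for this check
    reasons = []
    if listing["publisher"] not in trusted.get(brand, set()):
        reasons.append(f"brand '{brand}' from a publisher not on the allow-list")
    if listing["ratings"] > listing["users"]:
        reasons.append("more ratings than active installations")
    return reasons

def report(listings=LISTINGS):
    return {item["name"]: triage(item) for item in listings}

if __name__ == "__main__":
    for name, reasons in report().items():
        print(name, "->", reasons or "no flags")
```

A flag here means "verify the publisher through the wallet vendor's own website before installing", not proof that the extension is malicious.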