Firefox Users Warned: Malicious Extensions Impersonate Crypto Wallets
Key Findings
- Over 40 Firefox extensions part of the “FoxyWallet” campaign falsely mimicked popular cryptocurrency wallets.
- Malicious extensions impersonating Coinbase Wallet, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero were identified.
- FoxyWallet clones the source code of legitimate wallet extensions and embeds malware designed to steal seed phrases and track users' IP addresses.
- A Russian-speaking threat actor appears to be behind the operation, based on code comments and other language clues.
- The campaign reportedly started as far back as April, with new variants appearing recently.
Analysis of the Malware Practice
According to cybersecurity researchers at Koi Security, the FoxyWallet malware is delivered through browser extensions that mimic leading crypto wallet applications. This deceptive tactic lets the extensions appear to behave normally, masking their illicit purpose.
Once a malicious extension is installed, it secretly harvests sensitive cryptocurrency wallet keys or seed phrases. The embedded code specifically looks for strings longer than 30 characters (a proxy for likely real seed phrases), collects them, and transmits this sensitive information to control servers, potentially enabling theft of funds. The malware also explicitly sends the user's external IP address for tracking purposes.
Koi Security elaborated that the threat actors gained an edge by exploiting the open-source nature of official Firefox extensions. By cloning authentic code bases and inserting malicious logic, they created convincing fakes.
Timeline and Persistence
Koi Security’s investigation indicates campaign activity dating back to at least April. Recent weeks saw newly uploaded malicious extensions, with some instances still listed on the Firefox Add-ons website as late as April 23rd despite Koi’s red flags. Mozilla’s involvement began when the researchers reported the issue through the platform’s designated security channel.
In response, Mozilla confirmed awareness of the threat “exploiting Firefox’s add-on ecosystem” through malicious crypto-focused extensions. They emphasized their commitment to swift countermeasures, having already preempted some FoxyWallet releases and continuing to monitor the situation to “protect users.” Mozilla framed this as part of an “ongoing commitment” under which identified vulnerabilities remain under review.
A “Cat and Mouse Game”
Mozilla’s Add-ons Operations Manager, Andreas Wagner, noted the persistent challenge in a recent blog post. While FoxyWallet was concealed and propagating, malware developers were attempting to run “hundreds” of scams, many of which could linger for years. As he put it, the environment is a “constant cat and mouse game,” requiring constant vigilance and adaptation on Mozilla’s part to counter scams that keep evolving to bypass detection measures.
Recommendations for Users
Given the risks posed by FoxyWallet and comparable threats, user precautions are crucial:
- Whenever possible, obtain and install software—including browser extensions—from verified, official sources.
- Consider extensions as software assets that should meet specific security standards before deployment.
- Maintain an extension allow list so that only components explicitly vetted and pre-approved against your security standards can be installed.
- Continuously monitor installed extensions against known malicious ones rather than relying on one-time or periodic scans.
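The last two recommendations (an allow list plus continuous monitoring) can be put into practice with a small audit script. The following is an added example written for this article; it is not code from Decrypt, Koi Security or Mozilla. It assumes the layout of a Firefox profile's `extensions.json` (an `addons` array whose entries carry `id`, `type`, `active` and `defaultLocale.name`) and the Firefox enterprise policy format (`policies.json` with an `ExtensionSettings` block). All add-on IDs are placeholders, and the sample `extensions.json` is constructed, not captured from an infected profile.

```python
import json

# Allow list keyed by add-on ID. The IDs are PLACEHOLDERS (assumption): replace
# them with the real IDs taken from the vendors' official listings before use.
ALLOWED_EXTENSIONS = {
    "metamask@placeholder.example": "MetaMask",
    "coinbase-wallet@placeholder.example": "Coinbase Wallet",
    "ublock@placeholder.example": "uBlock Origin",
}

# Wallet brands the article reports as impersonated by the FoxyWallet campaign.
IMPERSONATED_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom",
                       "exodus", "okx", "keplr", "mymonero")

# Constructed sample of a profile's extensions.json, trimmed to the fields the
# audit reads. The second entry models a look-alike extension: a trusted brand
# name under an ID that is not on the allow list.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {"id": "metamask@placeholder.example", "type": "extension", "active": True,
         "version": "11.0.0", "defaultLocale": {"name": "MetaMask"}},
        {"id": "wallet-helper@attacker-placeholder.example", "type": "extension",
         "active": True, "version": "1.0", "defaultLocale": {"name": "Trust Wallet"}},
        {"id": "ublock@placeholder.example", "type": "extension", "active": False,
         "version": "1.58.0", "defaultLocale": {"name": "uBlock Origin"}},
        {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
         "version": "1.3", "defaultLocale": {"name": "System theme"}},
    ]
})


def audit_extensions(extensions_json_text: str, allow_list: dict) -> list:
    """Return one finding per installed extension whose ID is not allow-listed.

    Matching is done on the add-on ID, never on the display name: a cloned
    extension can copy the name and icon of a real wallet but not its ID.
    """
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and langpacks are out of scope here
        addon_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        if addon_id in allow_list:
            continue
        reason = "not on allow list"
        if any(brand in name.lower() for brand in IMPERSONATED_BRANDS):
            # A wallet brand name on an unknown ID is the FoxyWallet pattern.
            reason = f"not on allow list and name impersonates a wallet brand ({name!r})"
        findings.append({"id": addon_id, "name": name,
                         "active": bool(addon.get("active")), "reason": reason})
    return findings


def build_extension_policy(allow_list: dict) -> dict:
    """Build a policies.json document that blocks every add-on except the
    allow-listed IDs, so the allow list is enforced rather than just audited."""
    settings = {"*": {"installation_mode": "blocked"}}
    for addon_id in allow_list:
        settings[addon_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWED_EXTENSIONS):
        print(f"[FLAG] {finding['id']} ({finding['name']}): {finding['reason']}")
    print(json.dumps(build_extension_policy(ALLOWED_EXTENSIONS), indent=2))
```

Run against the constructed sample, the audit flags only the look-alike entry, and the generated policy refuses any add-on whose ID is not explicitly allowed. For the monitoring recommendation, the audit would be re-run on a schedule against each managed profile's `extensions.json` rather than once at rollout.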
Further Information
At the time of publication, contact has been made with Mozilla regarding these findings. Decrypt anticipates updating this report upon receiving responses.