FoxyWallet Scam: 40+ Firefox Extensions Exposed

Blockchain 2025-07-18 18:23

FoxyWallet Scam: 40+ Firefox extensions exposed in a coordinated effort to siphon funds from MetaMask, Coinbase, and other crypto wallets.


Koi Security Research and the Alarming Scale of Crypto Wallet Fraud

Koi Security conducted an investigation and identified over 40 malicious extensions distributed via Mozilla Add-ons that mimicked the interface of popular wallets such as MetaMask, Coinbase, Trust Wallet, Exodus, OKX, and Phantom. The main goal was to intercept seed phrases and other critical user data. All intercepted data was sent to external C2 servers, while users continued to see a familiar interface, unaware of the data leak.

Koi Security began tracking the activity based on one such installation. The malicious extensions started collecting data immediately upon initialization, with event handlers monitoring user behavior on cryptocurrency wallet websites. They then automatically transmitted the entered values – including seed phrases – to a remote server controlled by the attacker. The victim’s external IP address was also recorded during startup, presumably for geofiltering or tracking purposes.

The same logic was executed across dozens of instances, leading Koi Security to conclude this was a centralized campaign using a shared codebase. Analysis of the embedded code also revealed minimized logic to avoid detection by automated analyzers.

Another notable aspect was that the attackers focused not only on technical and design factors but also actively manipulated trust mechanisms within the Firefox Add-ons ecosystem. Specifically, they ensured that most of the malicious extensions had hundreds of artificially inflated five-star reviews. In addition, they masked the malicious logic at the code level by cloning open-source versions of legitimate wallets and inserting their own malicious code.

Koi Security also stated that final attribution has not yet been confirmed, but technical indicators suggest the campaign may have originated from Russian-speaking sources. For instance, some extensions contained comments written in Russian. Researchers also extracted metadata from a PDF document hosted on a C2 server that included Russian-language elements.

Koi Security issued several recommendations for detecting fraudulent extensions:

  • Install extensions only from official and verified developers.
  • Use an allowlist and block the installation of any unverified extensions.
  • Implement continuous monitoring of installed extensions, including tracking for auto-updates and hidden behavior changes.
  • Apply full lifecycle security principles to browser assets, including regular audits, updates, access controls, and incident response.
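As an added illustration of the allowlist and continuous-monitoring recommendations (this is not code from Koi Security or from the original article), the following Python example audits the add-ons recorded in a Firefox profile's `extensions.json` against an allowlist and a saved baseline, flagging unapproved add-ons, version changes from auto-updates, and newly granted permissions. The field names are an assumption about that file's layout, and every add-on ID, version, and baseline value is constructed.

```python
import json

# Constructed sample in the layout of a Firefox profile's extensions.json
# (field names are an assumption about that file; ids and versions are made up).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "wallet@vendor.example", "type": "extension", "version": "12.1.0",
     "location": "app-profile", "userPermissions": {"permissions": ["storage"]}},
    {"id": "notes@vendor.example", "type": "extension", "version": "2.4.0",
     "location": "app-profile", "userPermissions": {
         "permissions": ["storage", "webRequest"], "origins": ["<all_urls>"]}},
    {"id": "lookalike-wallet@constructed.example", "type": "extension",
     "version": "1.0.0", "location": "app-profile", "userPermissions": None},
    {"id": "theme@vendor.example", "type": "theme", "location": "app-builtin"},
]})
ALLOWLIST = {"wallet@vendor.example", "notes@vendor.example"}  # hypothetical
BASELINE = {  # hypothetical snapshot saved at the last review
    "wallet@vendor.example": {"version": "12.1.0", "grants": ["storage"]},
    "notes@vendor.example": {"version": "2.3.0", "grants": ["storage"]}}

def snapshot(extensions_json):
    """Map add-on id -> version and granted permissions for profile-installed extensions."""
    snap = {}
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue  # skip themes and built-in add-ons
        perms = addon.get("userPermissions") or {}
        grants = set(perms.get("permissions", [])) | set(perms.get("origins", []))
        snap[addon["id"]] = {"version": addon.get("version"), "grants": sorted(grants)}
    return snap

def audit(current, baseline, allowlist):
    """Return (id, finding, detail) tuples for add-ons that need review."""
    findings = []
    for addon_id, info in sorted(current.items()):
        old = baseline.get(addon_id)
        if addon_id not in allowlist:
            findings.append((addon_id, "not-on-allowlist", info["version"]))
        elif old is None:
            findings.append((addon_id, "new-since-baseline", info["version"]))
        else:
            if old["version"] != info["version"]:
                findings.append((addon_id, "version-changed",
                                 f'{old["version"]} -> {info["version"]}'))
            added = sorted(set(info["grants"]) - set(old["grants"]))
            if added:
                findings.append((addon_id, "grants-added", ",".join(added)))
    return findings

if __name__ == "__main__":
    print(*audit(snapshot(SAMPLE_EXTENSIONS_JSON), BASELINE, ALLOWLIST), sep="\n")
```

Saving the output of `snapshot()` after each review gives the next run its baseline, so an allowlisted add-on that silently updates or gains broad host access is surfaced for re-review.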

They also released an IOC (Indicators of Compromise) list, including Firefox extensions such as: bitget-by-addon, bitget-by-addons, bitget-extension, btc-wallet, coinbasewallet, developer-trust, eth-for-edition, eth-wallet, ethereum-wallet, ethereum-wallet-crypto, fil-project, filfox, filfox-wallet, is-a-block-explorer, keplr-wallet, leap-wallet, metamask-addons, metamask-crypto-official, metamask-for-firefox, metamask-for-wallet, metamask-the-extension, metamasket, mew-wallet-ethereum-defi-web3, mymonero-wallet, official-metamask, official-metamask-wallet, okx-add, okx-addons, okx-wallet-extension, okx-wallet-extension1, phantom-ext-off, phantom-wallet-extension, trust-app, trust-application, trust-bestwallet, trust-cryp, trust-developer, trust-extension-wallet, trust-for-mozilla, trust-wallet-mozilla-add, wallet-for-bitcoin, wallet-for-trust-crypto-wallet, wallet-for-trust, wallet-metamask-crypto-wallet

Domains:

  • exodlinkbase[.]digital
  • avalancheproject[.]digital
  • allstexdev[.]world
  • suirokboys[.]digital


Conclusion

Security remains a critical concern that requires attention from both developers and users. An increasing number of incidents target not the systems themselves, as blockchain-based solutions are initially secure, but the people who build and operate them. From vulnerabilities in developer hiring to the exploitation of popular wallets, attackers continue to adapt.

Always stay vigilant and stay tuned for the latest updates and opportunities in the crypto, blockchain, and DeFi space.
