FoxyWallet Scam: 40+ Firefox extensions exposed in a coordinated effort to siphon funds from MetaMask, Coinbase, and other crypto wallets.
Koi Security Research and the Alarming Scale of Crypto Wallet Fraud
Koi Security investigated and identified more than 40 malicious extensions distributed through the official Mozilla Add-ons store that mimicked the interfaces of popular wallets such as MetaMask, Coinbase, Trust Wallet, Exodus, OKX, and Phantom. Their purpose was to harvest seed phrases and other wallet secrets. Everything captured was sent to attacker-controlled C2 servers while the victim kept seeing a familiar wallet interface, unaware that anything had left the browser.
Koi Security began tracking the campaign from a single such installation. The extensions started collecting data as soon as they initialized: event handlers monitored what the user typed into wallet-related pages and forwarded the entered values, including seed phrases, to a remote server controlled by the attacker. The victim's external IP address was also recorded at startup, presumably for geofiltering or tracking.


The same logic appeared across dozens of extensions, which led Koi Security to conclude this was a single centralized campaign built on a shared codebase. Analysis of the embedded code also showed that the malicious logic had been minified, which hinders automated analysis.
Another notable aspect is that the attackers did not rely on look and feel alone; they actively gamed the trust signals of the Firefox Add-ons ecosystem. Most of the malicious extensions carried hundreds of fake five-star reviews. At the code level, the malicious logic was hidden by cloning the open-source versions of legitimate wallets and inserting the attackers' own code into otherwise genuine sources.
Koi Security also stated that final attribution has not yet been confirmed, but technical indicators suggest the campaign may have originated from Russian-speaking sources. For instance, some extensions contained comments written in Russian. Researchers also extracted metadata from a PDF document hosted on a C2 server that included Russian-language elements.
Koi Security issued several recommendations for defending against fraudulent extensions:
- Install extensions only from official and verified developers.
- Use an allowlist and block the installation of any unverified extensions.
- Implement continuous monitoring of installed extensions, including tracking for auto-updates and hidden behavior changes.
- Apply full lifecycle security principles to browser assets, including regular audits, updates, access controls, and incident response.
They also released a list of indicators of compromise (IOCs), including the following Firefox extensions: bitget-by-addon, bitget-by-addons, bitget-extension, btc-wallet, coinbasewallet, developer-trust, eth-for-edition, eth-wallet, ethereum-wallet, ethereum-wallet-crypto, fil-project, filfox, filfox-wallet, is-a-block-explorer, keplr-wallet, leap-wallet, metamask-addons, metamask-crypto-official, metamask-for-firefox, metamask-for-wallet, metamask-the-extension, metamasket, mew-wallet-ethereum-defi-web3, mymonero-wallet, official-metamask, official-metamask-wallet, okx-add, okx-addons, okx-wallet-extension, okx-wallet-extension1, phantom-ext-off, phantom-wallet-extension, trust-app, trust-application, trust-bestwallet, trust-cryp, trust-developer, trust-extension-wallet, trust-for-mozilla, trust-wallet-mozilla-add, wallet-for-bitcoin, wallet-for-trust-crypto-wallet, wallet-for-trust, wallet-metamask-crypto-wallet
Domains:
- exodlinkbase[.]digital
- avalancheproject[.]digital
- allstexdev[.]world
- suirokboys[.]digital
Conclusion
Security remains a critical concern for both developers and users. A growing share of incidents target not the blockchain protocols themselves but the people who build and use them: from weaknesses in how developers are hired to lookalike copies of popular wallets, attackers keep adapting.
Always stay vigilant and stay tuned for the latest updates and opportunities in the crypto, blockchain, and DeFi space.