Cryptocurrency theft operation targets Firefox users with counterfeit wallet extensions


On Wednesday, July 2, cybersecurity company Koi Security released a report stating that over 40 fake extensions developed for the popular browser Mozilla Firefox have been linked to an ongoing cryptocurrency theft malware operation.

This large-scale phishing operation has reportedly deployed extensions disguised as mainstream wallet tools such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, and Bitget. Once installed, these malicious extensions steal users' wallet credentials.

Koi Security stated, "As of now, we have associated over 40 different extensions with this operation, and the attack is still ongoing."

Koi Security pointed out that this operation has been underway since at least April of this year, with the latest batch of extensions uploaded last week. The report indicates that these extensions directly steal wallet credentials from targeted websites and upload them to remote servers controlled by the attackers.

The report shows that the operation enhances the credibility of the extensions through fake ratings, reviews, impersonated brand images, and functional disguises. One application even has hundreds of fake five-star reviews.

These fake extensions also use the same names and logos as real services. In multiple cases, threat actors have cloned applications using the open-source code of official extensions and implanted malicious code: "This low-investment, high-return method allows attackers to maintain the expected user experience while reducing the risk of immediate detection."

Koi Security noted, "At present, attribution is uncertain," but "multiple signs point to Russian-speaking threat organizations." These signs include Russian comments in the code and metadata from PDF files obtained from related malware command and control servers: "While there is no conclusion yet, these traces suggest that the operation may originate from Russian-speaking threat organizations."

To reduce risk, Koi Security recommends that users only install browser extensions from verified publishers. Additionally, extensions should be treated as complete software assets, employing a whitelist mechanism and continuously monitoring for any abnormal behavior or updates.
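The allowlist-and-monitor recommendation above can be sketched as a small audit script; this is an added example, not code from Koi Security's report. It assumes the input follows the layout of a Firefox profile's `extensions.json` (an `addons` array with `id`, `type`, `version` and `defaultLocale.name`), and every add-on ID, version and name in the sample is constructed.

```python
import json

# Brand names taken from the article; all IDs and versions below are constructed.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom",
                 "exodus", "okx", "mymonero", "bitget")

def audit_extensions(extensions_json, allowlist):
    """Compare installed add-ons with an allowlist of {addon_id: approved_version}.

    Returns a sorted list of (addon_id, finding) tuples.
    """
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        addon_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        if addon_id not in allowlist:
            # A wallet brand name on an unapproved ID matches the impersonation
            # pattern the article describes, so it is reported separately.
            branded = any(brand in name.lower() for brand in WALLET_BRANDS)
            findings.append((addon_id, "wallet-brand-not-allowlisted" if branded
                             else "not-allowlisted"))
        elif addon.get("version") != allowlist[addon_id]:
            # Approved add-on, but the installed version was never reviewed.
            findings.append((addon_id, "unreviewed-update"))
    return sorted(findings)

# Constructed sample in the assumed extensions.json layout.
SAMPLE = json.dumps({"addons": [
    {"id": "wallet-official@example.invalid", "type": "extension",
     "version": "12.1.0", "defaultLocale": {"name": "MetaMask"}},
    {"id": "{constructed-0001}", "type": "extension",
     "version": "1.0", "defaultLocale": {"name": "MetaMask Wallet"}},
    {"id": "adfilter@example.invalid", "type": "extension",
     "version": "3.2", "defaultLocale": {"name": "Ad Filter"}},
    {"id": "notes@example.invalid", "type": "extension",
     "version": "0.9", "defaultLocale": {"name": "Quick Notes"}},
    {"id": "theme@example.invalid", "type": "theme", "version": "1.0"},
]})
ALLOWLIST = {"wallet-official@example.invalid": "12.0.0",
             "adfilter@example.invalid": "3.2"}

if __name__ == "__main__":
    for addon_id, finding in audit_extensions(SAMPLE, ALLOWLIST):
        print(f"{finding:30} {addon_id}")
```
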


Original article: “Cryptocurrency Theft Operation Targets Firefox Users with Impersonated Wallet Extensions”
