Fake Wallet Extensions Are Stealing Your Keys — Even With 4.9 Ratings

LeeMaimai / Jul 23, 2025

Key Takeaways

• Over 40 fake wallet extensions have been discovered on Firefox, mimicking MetaMask, Coinbase, and Phantom with identical branding and fake reviews.

• These malicious plugins steal users’ private keys and record their IP addresses by injecting malicious logic into real wallet codebases — making them hard to detect.

• Many victims installed these plugins believing they were safe, simply due to high ratings and familiar design — highlighting a dangerous trust blind spot.

• To protect yourself: only install extensions via official wallet websites, never input seed phrases in extensions, and prefer offline/hardware wallets for sensitive operations.

• In Web3, your tools aren’t neutral — they’re part of the attack surface. Question everything, even the “trusted” ones.

Almost no one questions a browser extension with a 4.9 rating — especially when its name and icon look exactly like the official version. But in recent months, these “official-looking” extensions have quietly been stealing users’ private keys.

Security firm Koi disclosed a months-long malicious extension campaign targeting those who believe that installing an extension means they’re safe. This time, attackers didn’t fake websites — they disguised themselves as the very wallet tools you trust most.

Over 40 Fake Wallet Extensions, Some Still Online

According to the report, more than 40 fake wallet extensions have been uploaded to the Firefox add-on store, some of which are still available. These plugins mimic popular wallets like MetaMask, Coinbase, and Phantom, with identical icons, names, and even fake 5-star reviews.

Once installed, they silently intercept users’ seed phrases and private keys when users visit wallet websites, sending the data to attacker-controlled servers while also recording IP addresses for tracking.

Since many of these extensions are built using the official open-source codebase with only minor malicious changes, they appear to function normally — making the risk hard to detect.

This campaign has been active since at least April 2025 and is still ongoing. Attackers are systematically exploiting extension ecosystems and user trust, turning browser plugins into high-privilege, stealthy phishing tools.

And in a world where crypto wallets increasingly rely on browsers for connectivity and signing, this threat is dangerously underestimated.

How to Protect Yourself

This incident reminds us that extension ratings and appearances are no longer reliable signs of trust. A safer approach is:

  • Always download extensions from official wallet websites — never from search results or third-party links;
  • Avoid entering seed phrases or private keys in online environments like browser extensions;
  • Regularly check and remove unused or suspicious extensions;
  • Perform critical operations using offline mobile or hardware wallet devices, to avoid exposing private keys to high-risk environments.
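
One way to run the "check and remove suspicious extensions" step as a repeatable audit. This is an added example, not code from Koi's report or from OneKey. It assumes the `extensions.json` registry in a Firefox profile exposes `addons[].id`, `type`, `active`, `defaultLocale.name` and `userPermissions.origins`; the allowlist entry and the sample registry are constructed placeholders.

```python
import json
from pathlib import Path

# Brands the article names as impersonation targets.
WALLET_BRANDS = ("metamask", "coinbase", "phantom")
# ASSUMPTION: add-on IDs you verified yourself by installing from the wallet's
# official website. The value below is a constructed placeholder.
VERIFIED_IDS = {"official-wallet@example.invalid"}
# Host patterns that let an extension read every page you visit.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_addons(registry, verified_ids=VERIFIED_IDS):
    """Flag installed extensions that carry a wallet brand name but are not
    on the verified allowlist. A matching name and icon prove nothing."""
    findings = []
    for addon in registry.get("addons", []):
        if addon.get("type") != "extension":  # skip themes, dictionaries, etc.
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        brand = next((b for b in WALLET_BRANDS if b in name.lower()), None)
        if brand is None or addon.get("id") in verified_ids:
            continue
        origins = set((addon.get("userPermissions") or {}).get("origins") or [])
        findings.append({"id": addon.get("id"), "name": name, "brand": brand,
                         "active": bool(addon.get("active")),
                         "reads_all_sites": bool(origins & BROAD_ORIGINS)})
    return findings


def audit_profile(profile_dir):
    """Audit the extensions.json registry inside a Firefox profile directory."""
    path = Path(profile_dir) / "extensions.json"
    return audit_addons(json.loads(path.read_text(encoding="utf-8")))


# Constructed sample registry (not real add-ons) using the fields read above.
SAMPLE = {"addons": [
    {"id": "official-wallet@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask"},
     "userPermissions": {"origins": ["<all_urls>"]}},
    {"id": "{constructed-lookalike-id}", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet"},
     "userPermissions": {"origins": ["<all_urls>"]}},
    {"id": "theme@example.invalid", "type": "theme", "active": True,
     "defaultLocale": {"name": "Phantom Dark"}, "userPermissions": None},
]}

if __name__ == "__main__":
    for finding in audit_addons(SAMPLE):
        print(finding)
```

Point `audit_profile()` at your own profile directory after replacing `VERIFIED_IDS` with IDs you confirmed via the wallet's official site; any finding is a candidate for removal.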

Your Tools Are Part of the Attack Surface

This may only be one corner of a much larger attack landscape. As extension permissions grow and user awareness lags, we must re-examine the cost of default trust.

In Web3, your tools are part of the attack surface — not neutral intermediaries.

Stay cautious. Don’t let a “trusted” extension become the backdoor to your assets.
