Cyber-security firm Koi Security has uncovered an active campaign involving more than 40 malicious extensions in Mozilla’s Firefox Add-ons Store that imitate widely used cryptocurrency wallets, including MetaMask, Coinbase Wallet and Trust Wallet. The fake plug-ins replicate the branding and, in some cases, the open-source code of the legitimate tools, then siphon off users’ seed phrases and transmit victims’ IP addresses to a remote server. Researchers say the operation has been running since at least April 2025, with new extensions uploaded as recently as last week. Many listings featured hundreds of fabricated five-star reviews to appear trustworthy, helping the malware evade detection and draw fresh installs. Mozilla has removed most of the identified extensions and said its recently introduced early-detection system is designed to block similar scams before they gain traction. Security analysts advise users to install browser add-ons only from verified publishers and to audit existing extensions regularly, noting that some rogue plug-ins may still be live.