Organized cryptocurrency credential theft attacks targeting Google Chrome and Mozilla Firefox users have been detected in succession, putting the security industry on alert. These attacks, which began in earnest in April 2025, have been ongoing for about three months, with 45 malicious Firefox extensions already confirmed. Exploiting user trust, this malware has been found to extract cryptocurrency wallet information through sophisticated camouflage strategies.
The attack was carried out through browser extensions impersonating major cryptocurrency wallets such as MetaMask, Coinbase, Trust Wallet, Phantom, OKX, and Ethereum Wallet. According to Yuval Ronen, a researcher at Koi Security, these extensions copied actual open-source code and inserted malicious logic, so that they appeared to function normally. The moment a user enters wallet information, it is transmitted to the attacker's remote server, and the victim's IP address is tracked as well.
The attackers built trust by manipulating familiar brand logos, high user ratings, and existing reviews. Because the extensions were created to be visually indistinguishable from legitimate ones, it is difficult for ordinary users to identify their malicious nature. The campaign's impact was further amplified by targeting platforms widely used in cryptocurrency communities.
In fact, Coinbase previously announced that an insider hacking incident in May resulted in the personal information of approximately 70,000 customers being leaked. At the time, attackers even sent threatening messages directly to victims via email, resulting in a form of *digital kidnapping*. While the US Treasury's Office of Foreign Assets Control (OFAC) and the Financial Action Task Force (FATF) are responding to the increase in cryptocurrency crimes, numerous users remain exposed to such threats.
Koi Security warned that when installing browser extensions, users must select only verified publishers and check the extension's full functionality and permissions before installation. Additionally, security managers within organizations need to continuously monitor installed extensions for ownership transfers or signs of abnormal behavior.
Meanwhile, global cryptocurrency hacking damages in the first half of 2025 have already exceeded $2.2 billion (approximately 3.058 trillion won). Suggestions have emerged that, in addition to caution by individual users, the monitoring capabilities of browser manufacturers and extension marketplaces need to be strengthened. Currently, expanding user security awareness and adhering to wallet information protection guidelines are considered the best defense.
<Copyright ⓒ TokenPost, Unauthorized Reproduction and Redistribution Prohibited>