Security alert: Firefox users targeted by malicious wallet extension attacks
Hackers keep getting more inventive about siphoning off crypto. This time, wallet extensions on Firefox are in their crosshairs.
How does it work? Seemingly legitimate extensions, stuffed with malicious code, steal private keys as soon as users sign a transaction. A trick as old as the web, but one that still works far too well.
The victims? Mostly newcomers to DeFi who are unfamiliar with basic security practices. A windfall for scammers, just as the market is showing signs of recovery.
The irony: these attacks come just as Firefox touts itself as the 'most secure' browser for crypto. Proof that even tech giants can have weaknesses, especially when users click before they think.
Today's advice? Check every extension three times before installing it. And as an old hand from traditional finance would say: 'If it's too good to be true, it's probably a scam... except in a bull market, when everyone thinks they're invincible.'
Firefox fake extensions target the most widely used wallets
Koi intercepted fake apps for some of the most widely used wallet extensions, including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.
The researchers discovered over 40 apps posing as wallets, with new ones appearing. Some of the fake wallets are still active on unofficial links. According to researchers, the fake apps started spreading around April 2025.
The extensions extract wallet credentials, such as private keys, and send them to a server controlled by the attacker. The apps also transmit the user’s IP address for tracking and further targeting.
Attackers cloned the open-source code of legitimate wallets
The attack was relatively simple, often reusing the legitimate code of open-source wallet projects like MetaMask. The fake apps then injected malicious code that allowed the wallet to steal data and credentials.
The fake wallet apps were active on app stores, using the same logos and style as the original wallets. Previously, fake wallets have targeted specific niche projects, but this time the attacker spoofed multi-asset wallets that are widely used for DeFi, trading, NFTs and other on-chain tasks.
Code analysis concluded the attack most likely originated from Russia, as Russian-language code comments were discovered in some of the apps. Metadata from a file on one of the command-and-control servers also points to a Russian attacker.
Koi advises users to install an allow-list filter and to avoid downloading apps without vetting them. Some of the apps may show no problems at first, but later update and change their behavior. Security researchers also advise against searching for apps directly, as the results may point to fake wallets with deliberately inflated five-star reviews. The best approach is to start from the wallet’s official web page or social media.
Users were also advised to be skeptical of an app with too many five-star reviews, since these may have been planted to make the app look established and legitimate.
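One way to put the allow-list advice above into practice on a managed Firefox installation, as an added example (not Koi's guidance or any wallet vendor's code): a Firefox enterprise policy that blocks every extension except those explicitly listed and restricts installs to addons.mozilla.org. The extension ID below is a placeholder; the real ID should be taken from the wallet's official web page, not from a store search result.

```json
{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "install_sources": ["https://addons.mozilla.org/"],
        "blocked_install_message": "Only allow-listed wallet extensions may be installed. Ask IT before adding a wallet."
      },
      "PLACEHOLDER-wallet-extension-id@example.com": {
        "installation_mode": "allowed"
      }
    }
  }
}
```

Save this as `policies.json` in the `distribution` directory of the Firefox installation (or deliver the same settings through Group Policy or a configuration profile on managed Windows and macOS machines). Any extension not listed, including a look-alike wallet offered through an unofficial link, is refused at install time with the message shown.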