Crypto-stealing Firefox extensions found: North Koreans bypass macOS's protection


Two recent discoveries by cybersecurity specialists remind crypto owners of the need to be cautious even when using legitimate services and products such as Firefox and macOS.

Security specialists at Koi Security said they've found more than forty malicious Firefox browser extensions, designed to steal crypto wallet credentials. The extensions impersonate popular crypto services such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Bitget, Ethereum Wallet, and more.

According to Koi, the campaign, active since at least April 2025, is still ongoing. Some extensions can still be found and installed on the Firefox marketplace, while the most recent ones were uploaded to the store just last week. A Russian-speaking criminal is suspected to be behind the campaign.

"This campaign leverages common marketplace trust mechanisms like ratings, reviews, branding, and functionality to gain user trust and increase installation rates," the researchers said.

Moreover, in several cases, the criminals cloned real codebases of open-source extensions and inserted their own malicious logic.

Therefore, besides installing extensions only from verified publishers, Koi Security also suggests treating browser extensions as full software assets that need to be vetted and monitored. Using an extension allowlist that blocks unwanted extensions and constantly monitoring extensions for malicious auto-updates might also help.
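The allowlist and update-monitoring controls Koi Security recommends can be put into practice with Firefox's enterprise policies. The following Python script is an added example, not code from Koi Security or Mozilla: it generates a `policies.json` document whose `ExtensionSettings` block blocks every extension except a pinned set (the `installation_mode`, `blocked_install_message` and `updates_disabled` keys are Firefox's own policy names; `updates_disabled` needs a reasonably recent Firefox), and it audits a constructed inventory of installed extensions against that allowlist to flag unapproved installs and version drift that could indicate a malicious auto-update. The add-on IDs, versions and inventory records are constructed placeholders; a real deployment would read the inventory from each profile or a fleet-management agent.

```python
"""Extension allowlist and update monitoring for Firefox (added example).

Two defensive controls: (1) an allowlist enforced through Firefox enterprise
policies (policies.json, ExtensionSettings); (2) auditing installed
extensions for unapproved IDs and unexpected version changes.
All IDs, versions and inventory records below are constructed sample data.
"""
import json

# Constructed allowlist: add-on ID -> version approved by the organisation.
# These IDs are placeholders, not real addons.mozilla.org add-on IDs.
ALLOWLIST = {
    "approved-wallet@example.org": "2.1.0",
    "approved-blocker@example.org": "1.4.3",
}

# Constructed inventory of what is currently installed on one endpoint.
# Shape (id, version, name) is an assumption about what a collector returns.
INVENTORY = [
    {"id": "approved-wallet@example.org", "version": "2.1.0", "name": "Approved Wallet"},
    {"id": "approved-blocker@example.org", "version": "1.5.0", "name": "Approved Blocker"},
    {"id": "wallet-helper@unknown.example", "version": "0.0.7", "name": "MetaMask Wallet"},
]


def build_policies(allowlist):
    """Return a policies.json document: block every extension by default,
    allow only the listed IDs, and disable their automatic updates so that
    a new version has to go through review before it is rolled out."""
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": "Extensions must be approved by security.",
        }
    }
    for ext_id in allowlist:
        settings[ext_id] = {"installation_mode": "allowed", "updates_disabled": True}
    return {"policies": {"ExtensionSettings": settings}}


def audit(inventory, allowlist):
    """Flag installed extensions that are not on the allowlist, and allowlisted
    ones whose installed version differs from the approved (pinned) version.
    Returns a list of (finding, add-on id, detail) tuples."""
    findings = []
    for ext in inventory:
        pinned = allowlist.get(ext["id"])
        if pinned is None:
            findings.append(("unapproved", ext["id"], ext["version"]))
        elif pinned != ext["version"]:
            findings.append(("version_drift", ext["id"], f"{pinned}->{ext['version']}"))
    return findings


if __name__ == "__main__":
    # Write this to Firefox's policies.json location for your platform.
    print(json.dumps(build_policies(ALLOWLIST), indent=2))
    for finding in audit(INVENTORY, ALLOWLIST):
        print(*finding)
```

In the sample inventory the audit reports one version drift (the blocker moved from the pinned 1.4.3 to 1.5.0) and one unapproved extension whose display name imitates a real wallet, which is exactly the pattern the article describes; a blocked-by-default policy prevents that install in the first place, and the audit catches what slipped through before the policy was deployed.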

Meanwhile, in a separate story, cybersecurity researchers from SentinelLABS said they've discovered another campaign targeting crypto-related businesses. It is attributed to North Korean threat actors who use Nim-compiled binaries and multiple attack chains to steal crypto assets. It's being carried out via common social engineering tactics such as tricking potential victims into using malicious video call links.

Looking into previous cases reported earlier this year, the researchers found that the payloads they analyzed contain, among other components, a signal-based persistence mechanism previously unseen in macOS malware.

According to SentinelLABS, criminals keep using cross-platform languages that make the work of analysts more complicated.

"At the same time, the attackers take full advantage of macOS’s built-in scripting capabilities" and find ways to defeat security measures.

"Earlier this year, we saw threat actors utilizing Nim as well as Crystal, and we expect the choice of less familiar languages to become an increasing trend among macOS malware authors due both to their technical advantages and their unfamiliarity to analysts," the researchers said, encouraging peers "to invest effort in understanding these lesser-known languages and how they will eventually be leveraged."