Phony Firefox Extensions Target Crypto Users in Sophisticated Campaign

A highly sophisticated campaign has used more than 40 counterfeit Firefox extensions to go after cryptocurrency users. The campaign spanned over a dozen popular crypto wallet tools. Cybersecurity researchers say the operation spread potentially unwanted programs through fake browser extensions. They suspect it could be tied to a Russian-speaking cybercriminal proxy.
According to a blockchain security firm currently probing the incident, the malicious activity was tracked to a server connected to their database in the Netherlands. Additional investigation revealed Russian-language scripts in the attackers’ toolkit, adding to the case that a Russian-speaking actor was behind the operation.
These fake extensions looked real, with hundreds of fake five-star reviews, usually far more than they had actual users. This tactic made them appear to be very popular and reputable members of the Mozilla Add-ons ecosystem, and so duped users into downloading them.
Once installed, the extensions are presumably stealing private keys, tracking cryptocurrency transactions, and injecting malicious code into websites. Without improved security and privacy enforcement, users risk having their cryptocurrency assets and sensitive data stolen.
The finding emerges just months after another suspected Russia-linked cryptocurrency phishing attack was reported. That fraud used phony Zoom meeting links to steal millions of dollars in cryptocurrency. The earlier incident is a stark reminder of the very real and ongoing threat posed by bad actors attempting to infiltrate the crypto space.
Security professionals have urged users to utilize two-factor authentication on their crypto wallets and accounts. Enabling it is an easy way to protect your account with an added layer of security, making it harder for attackers to access your account without permission.
Keeping software up to date, including web browsers and browser extensions, is important too. Many of those updates are security patches that fix vulnerabilities used by malware to gain access to your system.
Cybersecurity experts have cautioned users to be wary of any browser extension they install, including those that appear to have good reviews. Always check that the extension comes from a legitimate developer, and pay careful attention to the permissions the extension is requesting.
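One way to act on the permissions advice above, as an added example that is not part of the original article: a Python audit of a Firefox profile's `extensions.json` that flags active extensions holding all-site host access or sensitive API permissions. The field names used (`addons`, `userPermissions`, `origins`) are the profile file's layout as assumed here, and the sample data and add-on IDs are constructed.

```python
import json

# Host patterns that let an extension read and modify every page visited.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look on a wallet-style add-on.
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "clipboardRead",
                   "cookies", "nativeMessaging", "tabs"}

def audit_addons(extensions_json: str) -> list:
    """Return one finding per active extension that holds broad host
    access or any permission listed in SENSITIVE_PERMS."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # themes, dictionaries and disabled add-ons are skipped
        granted = addon.get("userPermissions") or {}  # may be null
        broad = sorted(set(granted.get("origins", [])) & BROAD_ORIGINS)
        sensitive = sorted(set(granted.get("permissions", [])) & SENSITIVE_PERMS)
        if broad or sensitive:
            findings.append({
                "id": addon.get("id"),
                "name": (addon.get("defaultLocale") or {}).get("name"),
                "broad_origins": broad,
                "sensitive_permissions": sensitive,
            })
    return findings

# Constructed sample in the assumed extensions.json layout (not real add-ons).
SAMPLE = json.dumps({"addons": [
    {"id": "wallet-helper@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Wallet Helper"},
     "userPermissions": {"permissions": ["storage", "webRequest", "clipboardRead"],
                         "origins": ["<all_urls>"]}},
    {"id": "notes@example.invalid", "type": "extension", "active": True,
     "defaultLocale": {"name": "Notes"},
     "userPermissions": {"permissions": ["storage"],
                         "origins": ["https://example.org/*"]}},
    {"id": "old-tool@example.invalid", "type": "extension", "active": False,
     "defaultLocale": {"name": "Old Tool"},
     "userPermissions": {"permissions": ["tabs"], "origins": ["<all_urls>"]}},
]})

if __name__ == "__main__":
    for finding in audit_addons(SAMPLE):
        print(finding)
```

To run it against a real profile, pass the contents of that profile's `extensions.json` to `audit_addons` in place of `SAMPLE`; a finding is a prompt to review the add-on, not proof that it is malicious.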
Most of these fake extensions have hundreds of fake five-star reviews. We hope this serves as a cautionary tale not to depend on user ratings alone when assessing the safety of browser extensions. Cybercriminals continue to use more advanced strategies to trick users and avoid detection.
The clues all lead back to a likely Russian-language actor running the operation. Russian-language scripts suggest a link to earlier, known, Russia-related scams. This evidence indicates to us that a well-resourced, advanced threat group is executing with even greater discipline and coordination.

Tran Quoc Duy
Blockchain Editor
Tran Quoc Duy offers centrist, well-grounded blockchain analysis, focusing on practical risks and utility in cryptocurrency domains. His analytical depth and subtle humor bring a thoughtful, measured voice to staking and mining topics. In his spare time, he enjoys landscape painting and classic science fiction novels.