Cryptocurrency-focused cyberattacks are constantly evolving, and cybercriminals have recently come out with a new wave of wallet-draining mechanisms. These cyberattacks target users through two major vectors: malicious Firefox extensions and sophisticated Mac malware, cybersecurity firms SlowMist and Sentinel Labs report.
Over 40 fake browser extensions impersonating popular, and generally well-reputed, crypto wallets for Mozilla Firefox, including MetaMask, Coinbase Wallet, and Phantom. These fake extensions go the extra mile to trick users into a false sense of security, mimicking branding, inflating reviews, and even cloning open-source code to genuinely appear legitimate. Finally, once downloaded, they silently steal wallet credentials of unsuspecting users.
Meanwhile, Mac users are being targeted by a new iteration of sophisticated social engineering, delivered through messaging apps like Telegram. They then send users a fake Zoom update that installs NimDoor malware, which then logs users’ keystrokes, steals data, and infiltrates crypto wallets.
To be truly safe, your best bet is to entirely avoid browser-based wallets, always verify all software sources, and opt for non-custodial wallets like Best Wallet. Best Wallet is built differently: it’s a mobile-only crypto wallet, with no official browser extension, making it completely immune to these types of attacks.
Malicious Firefox Extensions Are Stealing Crypto Wallets
A large-scale malware campaign has been discovered involving over 40 fake Firefox extensions posing as legitimate crypto wallets. Cybersecurity firm Koi Security has confirmed that this campaign has been ongoing since at least April 2025.
These plugins impersonate trusted names in the crypto space, including MetaMask, Coinbase, Phantom, and Trust Wallet, tricking users into handing over their most sensitive credentials like their private keys and seed phrases.
To gain the trust of users, the threat actors filled the extension download pages with fake five-star reviews, familiar branding, and inflated download figures. Some of these extensions are still live on the Firefox Add-ons store, with new malicious extensions even being added just last week, suggesting an active, evolving operation. Researchers suspect that a Russian-speaking threat group may be behind the campaign, due to Russian-language comments in the extension code and metadata found in a PDF file retrieved from a command server used in the operation.
It’s hard to be certain that any browser extension is safe, but users should generally vet every install and avoid fully trusting branding or ratings alone. When it comes to crypto wallets, mobile-only solutions are typically far harder to impersonate and a safer solution overall.
Mac Malware Targets Crypto Users with Fake Zoom Updates
If this wasn’t enough, Mac users are now being targeted by a sophisticated malware campaign with links to North Korean state-sponsored threat actors.
Cybersecurity firm Sentinel Labs discovered that the attacks begin with social engineering via platforms like Telegram, impersonating someone that the victim is likely to trust. They then lure the victim into downloading a malicious file, under the guise of a routine software update, typically a fake Zoom update.
Once executed, the file installs NimDoor, a stealthy malware written in an obscure programming language.
NimDoor acts as a “full-featured infostealer,” logging keystrokes, recording screens, stealing browser passwords, and extracting crypto wallet data. In order to avoid being detected by security tools, it also delays activation by several minutes. Another variant, CryptoBot, focuses specifically on infiltrating browser wallet extensions.
This campaign highlights a growing trend: macOS is not necessarily “safer by default” as many have believed. State-funded hacker groups are now aggressively targeting Apple devices with tailored malware designed to drain crypto wallets. Extra caution is crucial, especially when you’re handling crypto assets on macOS.
Why Best Wallet Keeps You Safer in Times of Cyberattacks
In a time when fake browser extensions and sophisticated malware are actively targeting crypto users, products like Best Wallet stand out by design.
Best Wallet is a mobile-only non-custodial wallet, meaning there’s no official browser extension, completely eliminating a major attack vector. If you see a browser add-on pretending to be Best Wallet, you can assume it’s fake.
On top of that, Best Wallet uses MPC (Multi-Party Computation) security, the same advanced tech trusted by big institutions, to protect your private keys without ever storing them in a single place.
Download the official Best Wallet app to stay ahead of the hacks and social engineering.
Editorial Process for bitcoinist is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict sourcing standards, and each page undergoes diligent review by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
