150 Crypto-Draining Extensions Found in Firefox Add-On Store

Summary
– A crypto-draining scheme called ‘GreedyBear’ targeted Firefox users via 150 malicious extensions, stealing $1 million by impersonating wallets like MetaMask.
– The extensions initially bypassed Mozilla’s review, then transformed to include malicious code that harvested wallet credentials and IP addresses.
– The campaign is linked to Russian-language pirated software sites distributing 500+ malware variants, including info-stealers and ransomware.
– Attackers used AI-generated code to evade detection and rapidly rebuild operations, with evidence of expansion to Chrome’s Web Store.
– Users should verify extensions, download wallets from official sources, and remain vigilant as attackers refine tactics.

A recent security investigation has uncovered a widespread crypto-draining scheme targeting Firefox users through malicious browser extensions. Dubbed ‘GreedyBear,’ the operation infiltrated Mozilla’s add-on store with 150 fraudulent extensions, siphoning an estimated $1 million from victims by impersonating legitimate cryptocurrency wallets like MetaMask and TronLink.
Security researchers at Koi Security found that these extensions initially appear harmless to bypass Mozilla’s review process. Once approved, they undergo a sinister transformation—developers strip away original branding, replace it with deceptive names and logos, and inject malicious code designed to harvest sensitive data. The malware functions as a keylogger, capturing wallet credentials entered by users and transmitting them to attacker-controlled servers along with victims’ IP addresses.
The campaign doesn’t stop at browser extensions. It’s linked to a network of Russian-language pirated software sites distributing over 500 malware variants, including info-stealers like LummaStealer and ransomware. Fake websites mimicking Trezor and Jupiter Wallet further amplify the threat, all connected to a single command-and-control server (185.208.156.66).
Though Mozilla has removed the reported extensions, the incident highlights how cybercriminals leverage automation to scale attacks rapidly. Analysis of the malicious code reveals AI-generated elements, enabling attackers to evade detection and rebuild operations swiftly after takedowns. This follows another recent Firefox store breach involving 40 counterfeit wallet extensions, despite Mozilla’s 2025 safeguards against crypto-draining add-ons.
Worryingly, evidence suggests the group may be expanding to Chrome’s Web Store. Researchers identified a malicious Chrome extension, “Filecoin Wallet,” using identical data-theft techniques and communicating with the same C2 server.
To stay protected, users should verify extensions by checking publisher details and reading multiple reviews. Always download wallet software directly from official project websites or trusted store listings. While Mozilla and Google have been alerted to the campaign, vigilance remains critical as attackers refine their tactics.
(Source: Bleeping Computer)