GreedyBear: $1M Crypto Heist via 150+ Malicious Firefox Extensions

Top Highlights

1. GreedyBear Campaign: A new cyber campaign, GreedyBear, has exploited over 150 malicious Firefox extensions masquerading as popular cryptocurrency wallets to steal over $1 million in digital assets through a technique called Extension Hollowing.

2. Methodology: Attackers create seemingly legitimate extensions, then weaponize them post-approval by submitting innocuous versions first, posting fake positive reviews, and modifying them to capture users’ wallet credentials for exfiltration.

3. Broader Reach: The campaign is linked to a previous operation and has expanded to target other platforms like Google Chrome, utilizing a shared command-and-control server for credential theft while also deploying malicious executables via Russian sites.

4. AI Misuse: Some of the attacking artifacts show signs of development with AI tools, highlighting a trend where threat actors leverage advanced technologies to rapidly scale and adapt their operations for credential and asset theft.

Underlying Problem

The newly uncovered GreedyBear campaign has exploited over 150 malicious extensions on the Firefox marketplace, cleverly masquerading as popular cryptocurrency wallets—such as MetaMask and TronLink—resulting in the theft of more than $1 million in digital assets. Reported by Koi Security researcher Tuval Admoni, this sophisticated operation employs a technique known as Extension Hollowing, where the attackers create seemingly benign extensions to bypass Mozilla’s review processes before reconfiguring them for malicious intents. This campaign is an extension of a prior effort called Foxy Wallet, which similarly targeted users by tricking them into revealing critical wallet credentials and gathering IP addresses for tracking. The breadth of GreedyBear’s efforts, now spanning multiple platforms, underscores a troubling trend where threat actors leverage artificial intelligence to enhance and accelerate their malicious operations.

Compounding the cybersecurity landscape is a parallel fraudulent scheme involving Ethereum drainer attacks, which are disguised as trading bots and have already netted over $900,000 since their inception in early 2024. According to researcher Alex Delamotte, this scam is disseminated through AI-generated YouTube videos that promote the false utility of a smart contract. These videos, generated from aged accounts that project credibility, instruct users to deploy the malicious contracts, ultimately rerouting funds to attacker-controlled wallets. The interwoven nature of these threats illustrates not only the sophistication of malicious actors employing AI and social engineering tactics but also highlights the urgent necessity for heightened vigilance and preventive measures within digital spaces.

Potential Risks

The emerging GreedyBear campaign, marked by its deployment of over 150 malicious extensions masquerading as popular cryptocurrency wallets, poses substantial risks not only to individual users but also to businesses and organizations relying on digital transactions. As these extensions leverage sophisticated techniques like Extension Hollowing to exploit user trust, they diminish confidence in the integrity of browser marketplaces, potentially deterring users from engaging in legitimate transactions and thus affecting the revenue streams of compliant businesses. The cascading effects of compromised credentials can lead to significant financial losses, eroded brand reputations, and plague organizations with regulatory scrutiny, particularly in a climate where digital asset management is increasingly scrutinized. Moreover, the campaign’s ability to infiltrate various browser platforms signals a potentially wider susceptibility within digital ecosystems, urging businesses to reassess their cybersecurity measures and user education practices in a landscape rife with evolving threats.

Possible Next Steps

The urgency surrounding cyber threats necessitates immediate action, particularly in cases like the $1 million theft of cryptocurrency through over 150 malicious Firefox wallet extensions by GreedyBear.

Mitigation Strategies

1. User Education: Train users on recognizing and avoiding malicious extensions.
2. Extension Audits: Regularly review and audit installed wallet extensions for legitimacy.
3. Browser Security: Ensure that browser security settings are enhanced and monitored.
4. Incident Response: Establish a rapid response team to address breaches as they occur.
5. Software Updates: Consistently update browsers and wallets to patch vulnerabilities.
6. Two-Factor Authentication: Implement 2FA for cryptocurrency accounts to add an extra layer of security.
7. Threat Intelligence Sharing: Collaborate with cybersecurity organizations to stay informed about emerging threats.

NIST CSF Guidance
NIST’s Cybersecurity Framework (CSF) emphasizes the necessity of identifying, protecting, detecting, responding, and recovering from cybersecurity incidents. For comprehensive guidelines on managing risks related to browser extensions, refer to NIST Special Publication 800-53, which outlines security and privacy controls to ensure organizational integrity in the face of evolving cyber threats.

Stay Ahead in Cybersecurity

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1