Close Menu
Cybercrime and Ransomware

150 Crypto-Draining Extensions Flood Firefox Add-Ons!

Staff WriterBy No Comments4 Mins Read2 Views

Top Highlights

  1. A malicious campaign named ‘GreedyBear’ has infiltrated the Mozilla add-ons store, deploying 150 fake extensions designed to steal cryptocurrency wallet credentials, resulting in losses of around $1,000,000.

  2. The extensions initially appear benign, accumulating fake positive reviews before being modified to incorporate malicious code that captures user data via keyloggers and sends it to the attackers’ servers.

  3. Koi Security discovered that the operation utilizes AI to enhance the scalability and evasion tactics of cybercriminals, enabling rapid recovery from takedowns and indicating potential expansion plans to the Chrome Web Store.

  4. To protect against similar threats, users are advised to verify extension details and read multiple reviews before installation, and to access official wallet extensions directly from project websites.

The Issue

The insidious campaign known as ‘GreedyBear’ has infiltrated the Mozilla add-ons store, targeting unsuspecting Firefox users with a staggering 150 malicious extensions, resulting in an estimated theft of $1 million. This operation, meticulously uncovered by Koi Security, has been executed by cybercriminals who initially disguise their extensions as legitimate cryptocurrency wallet tools, such as MetaMask and TronLink. After gaining acceptance into the store, these extensions garner fake positive reviews, only to later undergo a sinister metamorphosis where their branding is altered, and harmful code is integrated to capture sensitive wallet credentials and IP addresses.

As detailed by Koi Security’s Tuval Admoni, the malicious extensions act as keyloggers, effectively siphoning user input directly from their interfaces and transmitting this data to remote servers controlled by the perpetrators. The breadth of this attack is further augmented by a myriad of Russian-speaking pirated software websites disseminating diverse malware, all of which funneled through a centralized command-and-control hub. Despite Mozilla’s attempts to mitigate such threats through detection systems implemented in June 2025, the persistence and adaptability of the GreedyBear operators underscore a concerning trend in cybercrime facilitated by emerging technologies. BleepingComputer is actively seeking responses from both Mozilla and Google regarding ongoing protective measures against such campaigns, underlining the urgency for users to exercise precaution when navigating browser add-ons.

Risk Summary

The insidious ‘GreedyBear’ campaign poses grave risks that extend far beyond the immediate financial losses inflicted on individual victims; it has the potential to destabilize the broader ecosystem of digital commerce, eroding consumer trust and jeopardizing businesses reliant on the security and integrity of digital transactions. As these malicious extensions masquerade as legitimate cryptocurrency wallet tools, they not only pilfer sensitive information but also tarnish the reputations of well-established brands cited in their impersonation, leading to diminished user confidence across various platforms. This precarious situation could result in a ripple effect, where concerned users withdraw from engaging with online financial services altogether, thus diminishing transaction volumes for legitimate businesses and potentially driving them to severe financial distress. Moreover, as the threat landscape evolves with the integration of AI to facilitate rapid attack scaling, organizations must brace themselves for increased scrutiny and the climbing costs of cybersecurity investments, further complicating their operational landscapes. In essence, the ‘GreedyBear’ campaign serves as a stark reminder of how a single malicious initiative can catalyze broader repercussions, underlining the imperative for robust digital safeguards and vigilant real-time monitoring across the digital economy.

Possible Next Steps

The recent surge of crypto-draining extensions infiltrating the Firefox add-on store underscores the critical necessity for prompt remedial actions to safeguard users’ assets and privacy.

Mitigation Strategies

  1. Immediate Removal: Promptly identify and eliminate malicious extensions from the store.
  2. User Alerts: Issue warnings to users regarding the compromised extensions.
  3. Code Review: Conduct thorough reviews of existing extensions to identify vulnerabilities.
  4. Enhanced Verification: Implement stricter vetting processes for new submissions.
  5. User Education: Promote awareness of potential threats associated with browser extensions.

NIST CSF Guidance
NIST’s Cybersecurity Framework emphasizes the importance of identifying and mitigating risks associated with unauthorized software. For detailed procedures, refer to NIST Special Publication 800-53, which provides comprehensive safeguards and practices tailored to bolster security measures.

Stay Ahead in Cybersecurity

Discover cutting-edge developments in Emerging Tech and industry Insights.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.