GreedyBear Cybercriminal Operation Exploits Firefox Extensions to Steal Over $1 Million in Cryptocurrency

CyberSecureFox 🦊

Cybersecurity researchers at Koi Security have uncovered a sophisticated cybercriminal operation dubbed GreedyBear that successfully infiltrated Mozilla’s Firefox browser ecosystem. The campaign resulted in cryptocurrency theft exceeding $1 million through the deployment of 150 malicious browser extensions designed to mimic legitimate crypto wallets.

Two-Stage Attack Strategy Bypasses Security Measures

The GreedyBear operation employed a carefully orchestrated deception strategy to circumvent Mozilla’s security infrastructure. Initially, cybercriminals uploaded extensions to the official Firefox Add-ons store without any malicious functionality. This approach enabled the malware to pass automated security scans while accumulating positive user reviews and establishing credibility within the platform.

During the second phase, attackers executed a complete transformation of these seemingly legitimate extensions. They replaced original branding elements, including names and logos, before injecting data-stealing malicious code targeting popular cryptocurrency wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet.

Technical Analysis of the Malicious Code

The embedded malware functioned as a sophisticated keylogger designed to capture user keystrokes across various input fields. The malicious code monitored form submissions and popup window interactions, specifically targeting sensitive information including wallet recovery phrases and authentication passwords. Captured data was immediately transmitted to attacker-controlled command and control servers.

Additionally, the malware collected IP address information from infected systems, enabling threat actors to perform geolocation tracking and develop targeted attack strategies against specific victims.

Infrastructure Analysis Reveals Broader Criminal Network

Comprehensive analysis of the GreedyBear infrastructure revealed operations extending far beyond Firefox’s extension marketplace. Security researchers identified a network of dozens of Russian-language websites distributing pirated software embedded with malicious payloads connected to the same criminal operation.

The threat actors also established fraudulent websites impersonating official platforms for Trezor and Jupiter Wallet, alongside fake hardware wallet repair services. Investigation revealed that all of these malicious resources connected to a single command server located at IP address 185.208.156[.]66.

Artificial Intelligence Integration Raises Concerns

Security experts identified evidence of artificial intelligence utilization within the GreedyBear campaign, representing a concerning evolution in cybercriminal capabilities. AI integration allows threat actors to significantly accelerate operational scaling, diversify malicious payloads, and enhance evasion techniques against security detection systems.

Chrome Browser Users Face Potential Threat Expansion

Researchers have issued warnings regarding potential campaign expansion targeting Chrome Web Store users. A suspicious extension identified as “Filecoin Wallet” for Chrome browsers demonstrates identical data theft methodologies and communicates with the same command infrastructure used in the Firefox attacks.

Mozilla Response and Enhanced Security Measures

Following notification from Koi Security, Mozilla immediately removed all identified malicious extensions from its official marketplace. In June 2024, the company implemented an enhanced early detection system specifically designed to identify fraudulent cryptocurrency extensions. This system creates risk profiles for wallet-related extensions and automatically alerts security moderators about potential threats.

The GreedyBear campaign demonstrates the evolving sophistication of cryptocurrency-focused cyber threats and highlights the critical importance of extension verification before installation. Users should exclusively download crypto wallets from official developer websites and regularly audit installed extensions for suspicious activity. Implementing comprehensive digital security practices remains essential for protecting cryptocurrency assets against modern cyber attacks.
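As an added, defender-side example (not from Koi Security's report or this article), the following Python script inspects packed Firefox add-ons (.xpi archives) in a profile directory and flags the traits described above: a wallet-brand name combined with site-wide content-script access, or any reference to the command server address the report published. The brand list, the permission heuristics and the profile layout are assumptions; the sample archives are constructed in memory.

```python
import io
import json
import zipfile
from pathlib import Path

# Indicator from the report (printed defanged in the article as 185.208.156[.]66).
C2_IP = "185.208.156.66"
# Wallet brands the article says the campaign impersonated (assumed substrings, lower-case).
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby", "trezor", "jupiter", "filecoin")
# Match patterns that let a content script read page input on every site.
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def inspect_xpi(data: bytes) -> dict:
    """Inspect one packed extension (.xpi is a zip archive) and return its findings."""
    f = {"name": "", "wallet_name": False, "broad_hosts": False, "c2_ip": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = json.loads(zf.read("manifest.json")) if "manifest.json" in zf.namelist() else {}
        f["name"] = str(manifest.get("name", ""))
        f["wallet_name"] = any(b in f["name"].lower() for b in WALLET_BRANDS)
        hosts = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        for cs in manifest.get("content_scripts", []):
            hosts += cs.get("matches", [])
        f["broad_hosts"] = any(h in BROAD_HOSTS for h in hosts)
        # Look for the C2 address in every script, markup or data file in the archive.
        f["c2_ip"] = any(C2_IP.encode() in zf.read(m) for m in zf.namelist()
                         if m.endswith((".js", ".json", ".html")))
    # A wallet-branded add-on with site-wide access deserves review; the C2 address alone is decisive.
    f["suspicious"] = f["c2_ip"] or (f["wallet_name"] and f["broad_hosts"])
    return f

def scan_profile(profile_dir: Path) -> list:
    """Scan every packed extension under <profile>/extensions/ (assumed Firefox layout)."""
    return [dict(inspect_xpi(p.read_bytes()), path=str(p))
            for p in (profile_dir / "extensions").glob("*.xpi")]

def build_sample_xpi(name: str, matches: list, script: str) -> bytes:
    """Constructed fixture: a minimal extension archive assembled in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({"manifest_version": 2, "name": name,
            "version": "1.0", "content_scripts": [{"matches": matches, "js": ["content.js"]}]}))
        zf.writestr("content.js", script)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: one showing the campaign's traits, one benign.
    bad = build_sample_xpi("MetaMask Wallet", ["<all_urls>"], f"const c2 = 'http://{C2_IP}/collect';")
    good = build_sample_xpi("Tab Counter", ["https://example.org/*"], "console.log('ok');")
    for r in (inspect_xpi(bad), inspect_xpi(good)):
        print(r)
```

Point `scan_profile` at a real profile directory to review installed add-ons; a hit on the C2 address is a firm indicator, while the name-plus-permissions match is a review prompt rather than proof.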
