Threat actors employed approximately 150 malicious Firefox extensions to steal cryptocurrency wallet credentials, resulting in an estimated one million dollars stolen from victims. This scheme, identified as “GreedyBear” by Koi Security, operated by impersonating legitimate cryptocurrency wallet extensions within the Firefox add-ons store.
The malicious extensions initially appeared as benign cryptocurrency wallet tools. Attackers uploaded these extensions with branding consistent with established platforms, including MetaMask, TronLink, and Rabby. These initial versions also accumulated fabricated positive reviews to enhance their perceived legitimacy. Subsequently, the attackers modified these extensions by altering names and logos, then injected malicious code. This transformation converted the extensions into keyloggers.
The compromised extensions were designed to capture form field inputs entered by users. Additionally, these malicious extensions logged the external IP addresses of victims. Information gathered by these keyloggers was subsequently transmitted to servers controlled by the attackers. Mozilla has since removed the identified malware from the Firefox add-ons store, as reported by Bleeping Computer.
Researchers have also identified a potential expansion of the GreedyBear campaign into the Chrome web store. This possible expansion is linked to an extension named Filecoin Wallet. Users are advised to exercise caution before installing browser extensions. Recommended precautions include reviewing user comments beyond star ratings, examining the version history of the extension, and investigating other projects associated with the developer for any suspicious activity.
For cryptocurrency wallet extensions specifically, a more secure method than searching directly within browser add-on stores involves navigating to the official website of the cryptocurrency project. Legitimate extensions are typically linked directly from these official project websites, providing a verified source for installation.
