GreedyBear has swindled $1 million in cryptocurrency by employing over 150 harmful Firefox wallet extensions.

A newly discovered campaign, dubbed GreedyBear, has leveraged over 150 malicious extensions in the Firefox marketplace, designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets. The published browser add-ons masquerade as MetaMask, TronLink, Exodus, and Rabby Wallet, among others, as reported by Koi Security researcher Tuval Admoni. What makes this activity notable is the threat actor’s use of a technique called Extension Hollowing to bypass safeguards implemented by Mozilla and exploit user trust. Rather than attempting to sneak malicious extensions past initial reviews, the attackers build legitimate-seeming extension portfolios first and then weaponise them later when scrutiny is reduced.

To achieve their goals, the attackers create a publisher account in the marketplace, upload innocuous extensions with no actual functionality to sidestep initial reviews, and post fake positive reviews to create an illusion of credibility. They then modify the extensions to include malicious capabilities designed to capture wallet credentials entered by unsuspecting users and exfiltrate them to an attacker-controlled server. The campaign is assessed to be an extension of a previous iteration called Foxy Wallet, which involved publishing at least 40 malicious browser extensions for Mozilla Firefox with similar objectives. Additionally, the GreedyBear actors have set up scam sites posing as cryptocurrency products and services, further tricking users into parting with their wallet credentials or payment details, resulting in credential theft and financial fraud.