A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets.
The published browser add-ons masquerade as MetaMask, TronLink, Exodus, and Rabby Wallet, among others, Koi Security researcher Tuval Admoni said.
What makes the activity notable is the threat actor’s use of a technique that the cybersecurity company called Extension Hollowing to bypass safeguards put in place by Mozilla and exploit user trust. It’s worth noting that some aspects of the campaign were first documented by security researcher Lukasz Olejnik last week.
“Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody’s watching,” Admoni said in a report published Thursday.
To achieve this, the attackers first create a publisher account in the marketplace, upload innocuous extensions with no actual functionality to sidestep initial reviews, post fake positive reviews to create an illusion of credibility, and modify their innards with malicious capabilities.
The fake extensions are designed to capture wallet credentials entered by unsuspecting users and exfiltrate them to an attacker-controlled server. It also gathers victims’ IP addresses for likely tracking purposes.
The campaign is assessed to be an extension of a previous iteration called Foxy Wallet that involved the threat actors publishing no less than 40 malicious browser extensions for Mozilla Firefox with similar goals in mind. The latest spike in the number of extensions indicates the growing scale of the operation.
The fake wallet cryptocurrency draining attacks are augmented by campaigns that distribute malicious executables through various Russian sites that peddle cracked and pirated software, leading to the deployment of information stealers and even ransomware.
The GreedyBear actors have also found setting up scam sites that pose as cryptocurrency products and services, such as wallet repair tools, to possibly trick users into parting with their wallet credentials, or payment details, resulting in credential theft and financial fraud.
Koi Security said it was able to link the three attack verticals to a single threat actor based on the fact that the domains used in these efforts all point to a lone IP address: 185.208.156[.]66, which acts as a command-and-control (C2) server for data collection and management.
There is evidence to suggest that the extension-related attacks are branching out to target other browser marketplaces. This is based on the discovery of a Google Chrome extension named Filecoin Wallet that has used the same C2 server and the underlying logic to pilfer credentials.
To make matters worse, an analysis of the artifacts has uncovered signs that they may have been created using artificial intelligence (AI)-powered tools. This underscores how threat actors are increasingly misusing AI systems to enable attacks at scale and at speed.
“This variety indicates the group is not deploying a single toolset, but rather operating a broad malware distribution pipeline, capable of shifting tactics as needed,” Admoni said.
“The campaign has since evolved the difference now is scale and scope: this has evolved into a multi-platform credential and asset theft campaign, backed by hundreds of malware samples and scam infrastructure.”
Ethereum Drainers Pose as Trading Bots to Steal Crypto
The disclosure comes as SentinelOne flagged a widespread and ongoing cryptocurrency scam that entails distributing a malicious smart contract disguised as a trading bot in order to drain user wallets. The fraudulent Ethereum drainer scheme, active since early 2024, is estimated to have already netted the threat actors more than $900,000 in stolen profits.
“The scams are marketed through YouTube videos which explain the purported nature of the crypto trading bot and explain how to deploy a smart contract on the Remix Solidity Compiler platform, a web-based integrated development environment (IDE) for Web3 projects,” researcher Alex Delamotte said. “The video descriptions share a link to an external site that hosts the weaponized smart contract code.”
The videos are said to be AI-generated and are published from aged accounts that post other sources’ cryptocurrency news as playlists in an effort to build legitimacy. The videos also feature overwhelmingly positive comments, suggesting that the threat actors are actively curating the comment sections and removing any negative feedback.
One of the YouTube accounts pushing the scam was created in October 2022. This either indicates that the fraudsters slowly and steadily boosted the account’s credibility over time or may have purchased it from a service selling such aged YouTube channels off Telegram and dedicated sites like Accs-market and Aged Profiles.
The attack moves to the next phase when the victim deploys the smart contract, after which the victims are instructed to send ETH to the new contract, which then causes the funds to be routed to an obfuscated threat actor-controlled wallet.
“The combination of AI-generated content and aged YouTube accounts available for sale means that any modestly-resourced actor can obtain a YouTube account that the algorithm deems ‘established’ and weaponize the account to post customized content under a false pretext of legitimacy,” Delamotte said.
