In a startling revelation that highlights the persistent threats in the digital realm, a widespread campaign targeting cryptocurrency users has been uncovered. Dubbed “GreedyBear,” this sophisticated operation has leveraged more than 150 malicious extensions within the Mozilla Firefox marketplace, designed to mimic popular cryptocurrency wallets and pilfer over $1 million (₹8.5 crores) in digital assets from unsuspecting victims. Security researchers have identified a novel technique employed by the threat actors, known as “Extension Hollow,” which allows them to bypass security safeguards and exploit user trust.
Fake Wallets and Clever Tactics
The deceptive browser add-ons meticulously impersonate well-known cryptocurrency wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet. According to Tuval Admoni, a researcher at Koi Security, these seemingly legitimate extensions are far from innocuous. Instead of attempting to slip malicious code past initial reviews, the attackers first build portfolios of seemingly harmless extensions. Later, once these extensions have gained a degree of trust and user adoption, the malicious capabilities are secretly activated. This insidious approach allows the fake wallets to operate undetected for a significant period, increasing their potential for widespread harm.
Stealing Credentials and Expanding Reach
The primary function of these fake extensions is to capture sensitive wallet credentials entered by users. This information is then silently transmitted to an attacker-controlled server. Additionally, the extensions gather victims’ IP addresses, potentially for tracking and further malicious activities. This campaign is believed to be an expansion of a previous operation known as “Foxy Wallet,” which involved approximately 40 similar malicious extensions for Firefox.
FCRF Launches India’s Premier Certified Data Protection Officer Program Aligned with DPDP Act
Beyond Browser Extensions: A Broader Threat
The methods employed by the GreedyBear actors extend beyond the Firefox marketplace. Researchers have also discovered links to campaigns distributing malicious software through various Russian websites known for offering cracked and pirated software. These campaigns deploy information stealers and ransomware, further endangering cryptocurrency users. Furthermore, the attackers have established fraudulent websites posing as legitimate cryptocurrency products and services, including wallet repair tools. These fake sites aim to trick users into divulging their wallet credentials or payment details, leading to credential theft and financial fraud. Koi Security was able to connect these diverse attack methods to a single threat actor through the identification of a common command-and-control server located at the IP address 185.208.156[.]66.
AI Involvement and Cross-Platform Expansion
Adding another layer of concern, analysis of the malicious extensions suggests that artificial intelligence (AI)-powered tools may have been used in their creation. Alarmingly, evidence suggests that this campaign is not limited to Firefox. A Google Chrome extension named Filecoin Wallet has been discovered utilizing the same command-and-control server and similar techniques for stealing credentials. This cross-platform expansion signifies a significant evolution in the scope of this threat, transforming it into a multi-platform credential and asset theft campaign supported by a substantial infrastructure of malware and scam operations.