GreedyBear’s $1M Crypto Heist: 150+ Malicious Firefox Wallet Extensions and How to Stay Safe
If you use a crypto wallet in your browser, stop and read this. A new campaign called “GreedyBear” slipped more than 150 malicious extensions into the Firefox marketplace and used them to steal over $1 million in digital assets. These fake add-ons impersonated big-name wallets like MetaMask, TronLink, Exodus, and Rabby Wallet—then quietly drained funds.
Here’s the twist: instead of trying to sneak bad code past reviewers, the attackers built clean, harmless extensions first, built up “trust” with fake reviews, and then weaponized them later. That technique—known as Extension Hollowing—lets them bypass safeguards and exploit user confidence.
If that makes your stomach drop a little, you’re not alone. In this guide, I’ll break down what happened, how the scam worked, who’s at risk, and the exact steps you can take right now to protect yourself and your team. We’ll also cover a related Ethereum “trading bot” drainer scam spreading via AI-generated YouTube videos. Let’s jump in.
What Is the GreedyBear Campaign?
GreedyBear is a large-scale malware operation that published over 150 malicious Firefox extensions designed to impersonate popular cryptocurrency wallets. The goal: capture user credentials and drain funds.
- Impersonated brands: MetaMask, TronLink, Exodus, Rabby Wallet, and others.
- Stolen funds: $1,000,000+ and growing.
- Primary payload: credential theft and crypto draining.
- Data exfiltrated: seed phrases/credentials and IP addresses to attacker-controlled servers.
- Infrastructure: a command-and-control server identified at 185.208.156[.]66 links multiple attack vectors.
- Reach beyond Firefox: evidence suggests the campaign is branching into other marketplaces (e.g., a Chrome extension impersonating Filecoin Wallet used similar logic and the same C2 server).
According to security researchers, including Tuval Admoni of Koi Security, some aspects of the operation were first flagged earlier, but the scale and strategy have since evolved. The operation also appears connected to an earlier campaign dubbed “Foxy Wallet,” which pushed at least 40 malicious Firefox extensions with similar goals.
For background on extension policies and review processes, see Mozilla’s documentation on add-ons and security policies:
- Mozilla WebExtensions overview
- Mozilla add-on policies
How “Extension Hollowing” Works (and Why It’s So Effective)
Think of Extension Hollowing like a Trojan horse for the browser store.
1) Build credibility first
Attackers create a publisher account and upload harmless extensions that do little or nothing. They pass review easily.
2) Manufacture trust
They post fake positive reviews and ratings to make these extensions look safe and popular.
3) Weaponize later
After some time (and updates), the attackers replace or inject malicious code. Many users update automatically. Review teams typically focus on new submissions, not stealthy late-stage weaponization.
4) Harvest and exfiltrate
Once installed, the malicious extension captures credentials—seed phrases, keys, or passwords—then exfiltrates them to the C2 server (185.208.156[.]66). Some also log IP addresses for tracking.
Why this beats basic defenses:
- Initial scans and reviews see clean code.
- Users and algorithms trust older, well-rated extensions.
- Small updates can slip under the radar, especially from “established” developers.
- Social proof (reviews, age) lowers skepticism.
That’s the danger. It’s not a single sneaky add-on; it’s a pipeline designed to create legitimate-looking software and then flip the switch.
Who’s at Risk?
If you:
- Installed a wallet extension on Firefox in recent months,
- Installed a wallet extension from an unfamiliar publisher,
- Relied on ratings/reviews as your main trust signal,
…you should assume elevated risk and audit your extensions immediately. Even if you installed from the official Mozilla Add-ons (AMO) store, a malicious extension can still slip through before it’s reported and blocked.
Note: Researchers found evidence of a similar “Filecoin Wallet” extension in the Chrome Web Store using the same infrastructure. While the initial wave focused on Firefox, Chrome and other Chromium-based browsers (Edge, Brave, Opera) could be targeted next. Review Chrome Web Store policies and be cautious:
- Chrome Web Store policies
Indicators of Compromise (IoCs) and Red Flags
While the exact list of malicious extensions changes as stores remove them, here are warning signs:
- A wallet extension that:
  - Suddenly asks for seed phrases in contexts where it shouldn’t.
  - Requests broad permissions (read/modify data on all sites) without clear need.
  - Appears under a publisher name that doesn’t match the official project.
  - Has glowing but generic reviews, often posted in a short time window.
- Connections to suspicious infrastructure:
  - C2 server noted by researchers: 185.208.156[.]66 (flagging and reporting only; do not visit).
- Unusual network behavior:
  - Frequent background requests to unknown domains.
- Your wallet behaving oddly:
  - Sudden logout prompts, unexpected pop-ups, or prompts to “re-enter seed phrase” to fix an issue.
If you see any of the above, treat your device and wallet as compromised until proven otherwise.
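The two network indicators above (a connection to the reported C2 address, and repeated background requests from the browser to an unfamiliar destination) are easy to check mechanically if you have egress firewall or proxy logs. The script below is an added example written for this article, not tooling from the researchers or from Mozilla. It assumes a constructed key=value log format (`ts src= dst= dport= app=`); the regular expression is the only part you need to adapt to what your gateway actually emits. The C2 address is stored defanged, exactly as quoted above, and only re-fanged in memory for matching.

```python
import re
from collections import Counter

# IoC quoted above, kept defanged in configuration so it is never clicked or resolved by accident.
DEFANGED_IOCS = {"185.208.156[.]66"}

# Constructed log format (key=value connection records from an egress firewall or proxy).
# Adapt LOG_RE to the format your own gateway emits; the checks below do not change.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) app=(?P<app>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".")


def scan_connection_log(lines, defanged_iocs=DEFANGED_IOCS, browser_apps=("firefox", "chrome"),
                        known_good=(), burst_threshold=20):
    """Return a list of (src, dst, reason) findings.

    Two checks: direct hits on the known C2 indicator, and 'burst' behaviour where a
    browser process keeps talking to a destination that is not on the known-good list.
    """
    iocs = {refang(i) for i in defanged_iocs}
    findings = []
    browser_conns = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production pipeline would count these too
        src, dst, app = m["src"], m["dst"], m["app"]
        if dst in iocs:
            findings.append((src, dst, f"connection to known C2 indicator at {m['ts']}"))
        elif app in browser_apps and dst not in known_good:
            browser_conns[(src, dst)] += 1
    for (src, dst), n in browser_conns.items():
        if n >= burst_threshold:
            findings.append((src, dst, f"{n} browser connections to unlisted destination"))
    return findings


def build_sample_log():
    """Constructed sample: one workstation, normal traffic plus the two suspicious patterns."""
    lines = []
    for i in range(5):
        lines.append(f"2025-08-08T09:0{i}:00Z src=10.0.0.5 dst=addons.mozilla.org dport=443 app=firefox")
    # A single beacon to the C2 address reported for GreedyBear.
    lines.append("2025-08-08T09:06:00Z src=10.0.0.5 dst=185.208.156.66 dport=443 app=firefox")
    # Repeated background requests to an unfamiliar host (203.0.113.77 is a documentation-range address).
    for i in range(25):
        lines.append(f"2025-08-08T09:10:{i:02d}Z src=10.0.0.5 dst=203.0.113.77 dport=443 app=firefox")
    # Non-browser traffic and a malformed line, both of which should be ignored.
    lines.append("2025-08-08T09:40:00Z src=10.0.0.5 dst=198.51.100.9 dport=443 app=slack")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, dst, reason in scan_connection_log(build_sample_log(), known_good={"addons.mozilla.org"}):
        print(f"{src} -> {dst}: {reason}")
```

Run against the constructed sample, this reports one finding for the C2 address and one burst finding for 203.0.113.77, and nothing for the store traffic or the non-browser connection. The burst threshold is deliberately a parameter: what counts as “frequent” depends on your environment, so tune it against a day of known-clean logs before alerting on it.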
How to Check Your Browser for Malicious Wallet Extensions
Take 10 minutes to do this now.
- In Firefox:
  - Type about:addons in the address bar.
  - Inspect each extension’s:
    - Name and publisher: Does it exactly match the official wallet?
    - Permissions: Are they excessive?
    - Version/update history: Any recent updates you didn’t initiate?
    - Store listing link: Does it match the official site’s recommendation?
- In Chrome/Brave/Edge:
  - Go to chrome://extensions (or edge://extensions / brave://extensions).
  - Toggle “Developer mode” and review the ID, source, and permissions.
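The Firefox checks above can also be scripted, which is useful if you manage several machines. Firefox records every installed add-on in `extensions.json` inside the profile folder (the path is shown under “Profile Folder” on about:support). The audit below is an added example written for this article, not a Mozilla tool; it reads the fields that file actually contains (`defaultLocale.name`/`creator`, `userPermissions.origins`, `updateDate`, `sourceURI`) and applies the four checks from the list: publisher mismatch, all-sites host permissions, a recent update, and installation from outside the official store. The expected publisher names are placeholders you must fill in from each wallet’s official website, and the sample `extensions.json` is constructed for the demonstration.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Host-permission patterns that grant access to data on every site.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Publisher names to expect for wallets you use. PLACEHOLDERS: copy the real
# value from each wallet's official website, never from the store listing itself.
EXPECTED_PUBLISHERS = {
    "metamask": "<publisher named on metamask.io>",
    "rabby": "<publisher named on rabby.io>",
}

AMO_PREFIX = "https://addons.mozilla.org/"


def audit_addons(extensions_json, now, recent_days=14, expected=EXPECTED_PUBLISHERS):
    """Map addon id -> list of red-flag reasons, for every active extension that trips one."""
    findings = {}
    cutoff = now - timedelta(days=recent_days)
    for addon in extensions_json.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active", True):
            continue
        locale = addon.get("defaultLocale") or {}
        name = (locale.get("name") or "").lower()
        creator = locale.get("creator") or ""
        perms = addon.get("userPermissions") or {}
        origins = set(perms.get("origins") or [])
        reasons = []
        # 1. The name looks like a wallet you use, but the publisher is not the expected one.
        for wallet, publisher in expected.items():
            if wallet in name and creator != publisher:
                reasons.append(f"publisher '{creator}' does not match expected '{publisher}'")
        # 2. Permission to read and change data on all websites.
        if origins & BROAD_ORIGINS:
            reasons.append("can read and change data on all websites")
        # 3. Updated recently: late-stage weaponization arrives as an ordinary update.
        stamp_ms = addon.get("updateDate") or addon.get("installDate") or 0
        stamp = datetime.fromtimestamp(stamp_ms / 1000, tz=timezone.utc)
        if stamp > cutoff:
            reasons.append(f"updated {stamp.date()} (within the last {recent_days} days)")
        # 4. Installed from somewhere other than the official store.
        source = addon.get("sourceURI") or ""
        if source and not source.startswith(AMO_PREFIX):
            reasons.append(f"installed from outside AMO: {source}")
        if reasons:
            findings[addon["id"]] = reasons
    return findings


def audit_profile(profile_dir):
    """Audit a real profile directory (the one listed on about:support)."""
    data = json.loads(Path(profile_dir, "extensions.json").read_text(encoding="utf-8"))
    return audit_addons(data, datetime.now(timezone.utc))


def _ms(dt):
    return int(dt.timestamp() * 1000)


# Constructed sample: one benign utility and one look-alike wallet extension.
NOW = datetime(2025, 8, 10, tzinfo=timezone.utc)
SAMPLE = {
    "schemaVersion": 35,
    "addons": [
        {"id": "tab-tool@example.org", "type": "extension", "active": True,
         "defaultLocale": {"name": "Example Tab Tool", "creator": "Example Org"},
         "userPermissions": {"permissions": ["tabs"], "origins": []},
         "installDate": _ms(NOW - timedelta(days=400)), "updateDate": _ms(NOW - timedelta(days=90)),
         "sourceURI": AMO_PREFIX + "firefox/downloads/file/0000000/tab_tool.xpi"},
        {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension", "active": True,
         "defaultLocale": {"name": "MetaMask Wallet Helper", "creator": "wallet-dev-2024"},
         "userPermissions": {"permissions": ["storage", "webRequest"], "origins": ["<all_urls>"]},
         "installDate": _ms(NOW - timedelta(days=200)), "updateDate": _ms(NOW - timedelta(days=2)),
         "sourceURI": AMO_PREFIX + "firefox/downloads/file/0000001/helper.xpi"},
    ],
}

if __name__ == "__main__":
    for addon_id, reasons in audit_addons(SAMPLE, NOW).items():
        print(addon_id)
        for r in reasons:
            print("  -", r)
```

On the constructed sample the benign utility produces no findings, while the look-alike trips three of the four checks (wrong publisher, all-sites access, updated two days ago). A hit on the “recent update” check alone is only a prompt to look, not proof of compromise; the combination with a publisher mismatch is what should make you stop using the extension.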
If anything looks off:
- Disable the extension immediately.
- Remove it after you’ve completed the incident-response steps below.
- Search the extension name plus “malware” or “scam” and check reputable sources for reports (e.g., The Hacker News).
You can also submit suspicious extensions for review or report abuse:
- Report issues with Firefox add-ons
- Mozilla Add-ons site
What To Do If You Installed a Fake Wallet Extension
Act fast. Minutes matter in crypto theft.
1) Disconnect and contain
– Disconnect the device from the internet.
– Do not open the suspect extension again.
2) Move funds to safety
– On a separate, clean device, create a brand-new wallet with a fresh seed phrase. Never reuse the old seed.
– Use a hardware wallet if possible for added isolation.
– Transfer assets to the new wallet. Prioritize high-value assets first.
3) Revoke risky approvals
– Use a trusted tool to review and revoke token approvals and allowances:
– revoke.cash
– Be wary of look-alike sites.
4) Secure your environment
– Scan the affected device with reputable tools (e.g., built-in Windows Security, or a trusted anti-malware solution).
– Remove the malicious extension and any unknown software.
– Consider a full OS reinstall if sensitive credentials were exposed.
5) Rotate credentials
– If you entered your seed phrase or private key anywhere, treat it as compromised. Never reuse it.
– Update passwords and enable 2FA on related accounts (email, exchanges, password managers).
6) Document and report
– Keep transaction hashes and addresses involved.
– Report the incident:
  – Wallet vendor support pages (e.g., MetaMask security & phishing FAQ, Exodus security help)
  – Marketplace (Mozilla/Chrome)
  – Crypto-specific reporting portals like Chainabuse
– Local authorities if required for insurance or legal follow-up.
Here’s why that matters: reporting creates a paper trail, helps marketplaces remove threats faster, and may aid in fund-tracing efforts.
Prevention: Smart Habits for Individuals and Teams
Good security is a stack of small, consistent habits. These will drastically reduce your risk.
- Extension minimalism
  - Fewer extensions = smaller attack surface.
  - If you don’t need it this month, uninstall it.
- Trust but verify
  - Only install from official links listed on the wallet’s website or GitHub.
  - Confirm the publisher name matches exactly.
  - Treat store reviews as marketing, not security.
- Permission hygiene
  - Review requested permissions before installing or updating.
  - Be skeptical of “read and change data on all websites.”
- Update discipline
  - Auto-updates are helpful, but critical wallet extensions may warrant manual update review.
  - Subscribe to your wallet vendor’s security announcements.
- Separate profiles and devices
  - Use a dedicated browser profile (or separate browser) for crypto activities.
  - Keep a clean device for wallet management only, ideally paired with a hardware wallet.
- Network checks
  - If you’re technical, monitor outbound connections from the browser.
  - Consider DNS filtering or a security gateway to block known bad infrastructure.
- Organizational controls (for teams and DAOs)
  - Use managed browser policies to allowlist approved extensions only.
  - Maintain a software bill of materials (SBOM) for extensions in use.
  - Train staff on phishing and extension risks (include hands-on drills).
  - Add EDR and network controls to block malicious domains/IPs swiftly.
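For the organizational control “allowlist approved extensions only”, both browsers support a default-deny policy with explicit exceptions: Firefox through the `ExtensionSettings` section of `policies.json` (a `"*"` entry sets the default and per-id entries override it), Chromium browsers through `ExtensionInstallBlocklist` with `"*"` plus `ExtensionInstallAllowlist`. The generator below is an added example for this article, not something from Mozilla or Google; the extension ids and install URL it uses are placeholders to be replaced with the ids from the wallet vendor’s official listing. The two `*_allows` functions evaluate a generated policy the way the browsers do, so a team can unit-test its allowlist before rolling it out.

```python
import json

BLOCK_MESSAGE = "Extensions are restricted on this device; ask the security team for an exception."


def firefox_policy(approved):
    """Build the ExtensionSettings section of Firefox's policies.json.

    approved maps extension id -> install URL to force-install, or None to merely permit it.
    Everything not listed is blocked by the "*" default entry.
    """
    settings = {"*": {"installation_mode": "blocked", "blocked_install_message": BLOCK_MESSAGE}}
    for ext_id, install_url in approved.items():
        if install_url:
            settings[ext_id] = {"installation_mode": "force_installed", "install_url": install_url}
        else:
            settings[ext_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}


def chrome_policy(approved_ids):
    """Equivalent Chromium policy: block everything, then allowlist the approved ids.

    Chromium ids are 32-letter strings from the Chrome Web Store, not Firefox ids.
    """
    return {"ExtensionInstallBlocklist": ["*"], "ExtensionInstallAllowlist": sorted(approved_ids)}


def firefox_allows(policy, ext_id):
    """Evaluate a Firefox policy as the browser does: a specific entry beats the "*" default."""
    settings = policy["policies"]["ExtensionSettings"]
    entry = settings.get(ext_id, settings.get("*", {}))
    return entry.get("installation_mode", "allowed") != "blocked"


def chrome_allows(policy, ext_id):
    """Evaluate a Chromium policy: the allowlist overrides the blocklist, including a "*" blocklist."""
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return True
    blocked = policy.get("ExtensionInstallBlocklist", [])
    return "*" not in blocked and ext_id not in blocked


# PLACEHOLDERS: replace with the ids (and, for force-install, the URL) from the vendor's official listing.
FIREFOX_APPROVED = {
    "approved-wallet@example.org": "https://addons.mozilla.org/firefox/downloads/latest/<approved-wallet-slug>/latest.xpi",
    "company-sso@example.org": None,
}
CHROME_APPROVED = ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]  # placeholder 32-letter id


def render(policy):
    """JSON text ready to be dropped into the browser's managed-policy location."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(firefox_policy(FIREFOX_APPROVED)))
    print(render(chrome_policy(CHROME_APPROVED)))
```

Firefox reads the rendered file from `distribution/policies.json` under its installation directory (or from Group Policy / macOS profiles on managed fleets); Chromium browsers take the JSON from the platform’s managed-policy store (for example `/etc/opt/chrome/policies/managed/` on Linux, the registry on Windows). With the `"*"` default in place, a look-alike wallet add-on cannot be installed at all, which removes the “I clicked the wrong listing” failure mode rather than relying on each user to spot it.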
For general anti-phishing guidance, CISA maintains practical resources:
- CISA: Protect Yourself Against Phishing
The AI Angle: How Attackers Scale Faster Now
Researchers found signs that GreedyBear artifacts may have been built with AI-powered tools. That tracks with what we’re seeing more broadly: AI lowers the barrier for creating convincing fake listings, synthetic reviews, and code variations that evade duplicate detection.
We’re also seeing AI used to mass-produce credible video and voice content. In fact, a related crypto theft campaign uses AI-generated YouTube videos to push a malicious “trading bot” smart contract. SentinelOne estimates the Ethereum drainer scheme has netted over $900,000 in stolen funds since early 2024.
- The scam flow:
  - AI-generated videos explain how to deploy a “profitable trading bot” on the Remix IDE.
  - Video descriptions link to external sites hosting weaponized contract code.
  - The YouTube accounts are aged (sometimes purchased) to appear legitimate and tamp down skepticism.
  - Victims deploy the smart contract and send ETH, which routes funds to an attacker wallet.
Read more from SentinelOne’s research team:
- SentinelLabs research hub
Bottom line: AI supercharges social engineering and content production. It doesn’t “invent” new scams—but it makes old ones bigger, faster, and more convincing.
How to Vet a Wallet Extension Like a Pro
Before installing or updating any wallet extension:
1) Start from the official source
– Find the extension link only via the wallet’s main website or verified GitHub. Don’t rely on search results alone.
2) Verify the publisher
– Publisher name should match the wallet team exactly. If in doubt, contact support or check their official community channels.
3) Compare versions
– Cross-check the version number on the store with the official changelog or GitHub releases.
4) Check permissions
– For wallets, broad permissions may be necessary, but “read/change all site data” demands high scrutiny. If permissions jumped unexpectedly on an update, wait and ask.
5) Look beyond reviews
– Reviews can be faked. Check activity history, external discussions (Reddit, Discord, Twitter), and reputable security blogs.
6) Scan URLs and domains
– If the extension or its docs link to weird domains, walk away. Consider checking URLs with Google Safe Browsing or scanning files with VirusTotal.
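Step 4 (“if permissions jumped unexpectedly on an update, wait and ask”) is the one check you can do precisely, because every extension version ships a `manifest.json` listing its permissions. The comparison below is an added example written for this article, not a tool from any store or wallet vendor. It reads the manifest from a downloaded `.xpi`/`.crx` (both are zip files), normalizes the difference between Manifest V2 (host patterns inside `permissions`) and V3 (`host_permissions`), and raises an alert when an update newly asks for all-sites access, adds a high-risk API permission, or starts injecting content scripts into every page. The high-risk permission set and the three sample manifests are constructed for the demonstration.

```python
import zipfile

# API permissions whose sudden appearance in an update deserves a pause before accepting it.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "clipboardRead", "history",
    "nativeMessaging", "proxy", "debugger", "scripting", "downloads",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifest(package_path):
    """Read manifest.json straight out of a downloaded .xpi or .crx (both are zip archives)."""
    import json
    with zipfile.ZipFile(package_path) as pkg:
        return json.loads(pkg.read("manifest.json"))


def split_permissions(manifest):
    """Return (api permissions, host patterns) regardless of manifest version.

    Manifest V2 mixes host patterns into "permissions"; V3 moves them to "host_permissions".
    """
    raw = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in raw if "://" in p or p == "<all_urls>"}
    return raw - hosts, hosts


def content_script_matches(manifest):
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}


def compare_update(old_manifest, new_manifest):
    """Diff two manifests and list the changes a reviewer should question before updating."""
    old_api, old_hosts = split_permissions(old_manifest)
    new_api, new_hosts = split_permissions(new_manifest)
    old_cs, new_cs = content_script_matches(old_manifest), content_script_matches(new_manifest)
    report = {
        "version": (old_manifest.get("version"), new_manifest.get("version")),
        "added_permissions": sorted(new_api - old_api),
        "removed_permissions": sorted(old_api - new_api),
        "added_hosts": sorted(new_hosts - old_hosts),
        "added_content_script_matches": sorted(new_cs - old_cs),
        "alerts": [],
    }
    if (new_hosts & BROAD_HOSTS) and not (old_hosts & BROAD_HOSTS):
        report["alerts"].append("update newly requests access to all websites")
    for p in sorted((new_api - old_api) & HIGH_RISK_PERMISSIONS):
        report["alerts"].append(f"update adds high-risk permission '{p}'")
    if (new_cs & BROAD_HOSTS) and not (old_cs & BROAD_HOSTS):
        report["alerts"].append("content scripts will now run on every page")
    return report


# Constructed manifests: the clean first release, a routine bugfix, and a hollowed update.
V1 = {"manifest_version": 2, "version": "1.0.0",
      "permissions": ["storage", "https://wallet.example.test/*"],
      "content_scripts": [{"matches": ["https://wallet.example.test/*"], "js": ["inject.js"]}]}
V1_FIX = dict(V1, version="1.0.1")
V2 = {"manifest_version": 2, "version": "1.1.0",
      "permissions": ["storage", "webRequest", "clipboardRead", "<all_urls>"],
      "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}

if __name__ == "__main__":
    for old, new in ((V1, V1_FIX), (V1, V2)):
        r = compare_update(old, new)
        print(r["version"], "alerts:", r["alerts"] or "none")
```

The bugfix release produces an empty report, so a reviewer can wave it through; the hollowed update produces four alerts, which is exactly the “wait and ask” case. The same comparison is what the platform-side improvement “heavier scrutiny of permission changes between versions” would automate on every submitted update.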
What Are Platforms Doing—and What Should They Do Next?
Mozilla and Google both operate review pipelines and blocklists. Attacks like GreedyBear show that post-review weaponization is the pain point—not initial screening.
- Existing platform controls:
  - Code signing, policy enforcement, and user reports.
  - Blocklists for known-bad extensions.
- Needed improvements (industry-wide):
  - Behavioral analysis of updates, not just static code checks.
  - Heavier scrutiny of permission changes between versions.
  - Publisher reputation tied to verified org identities, not disposable accounts.
  - Faster community-report triage and transparent advisories.
  - Stronger “provenance” for source code (reproducible builds, attestation).
These aren’t quick fixes, but they’re the direction we need to go.
Do Hardware Wallets Keep You Safe?
Hardware wallets help a lot—but they’re not magic shields. They protect private keys by keeping them off your computer. However:
- If you import a seed phrase into a malicious extension, a hardware wallet can’t protect that compromised seed.
- Interface-level tricks (fake prompts, spoofed transactions) can still lead you to approve malicious actions if you’re not careful.
- Always read what the hardware device displays before approving.
Use a hardware wallet plus good hygiene (verified extensions, revoke risky approvals, separate profiles), and your risk drops significantly.
The Bigger Picture: Crypto Security Is a Supply Chain Problem
GreedyBear is a classic example of modern supply chain risk:
- Attackers compromise trust upstream (marketplaces, reviews, content platforms).
- They weaponize reputation (old accounts, aged extensions, fake ratings).
- Victims get hit downstream (your browser, your wallet, your funds).
The fix isn’t one tool or one policy. It’s a layered defense—platform controls, user hygiene, transparent vendor practices, and rapid community reporting.
Quick Reference: Safe Links and Resources
- Mozilla add-on policies: extensionworkshop.com
- Firefox blocked add-ons list: addons.mozilla.org/blocked
- WebExtensions docs: MDN Web Docs
- Chrome Web Store policies: developer.chrome.com
- MetaMask security guide: support.metamask.io
- Exodus security: support.exodus.com
- Revoke token allowances: revoke.cash
- Check smart contracts and transactions: Etherscan
- SentinelOne research hub: sentinelone.com/labs
- The Hacker News (security coverage): thehackernews.com
FAQs: GreedyBear, Malicious Extensions, and Wallet Safety
Q: How do I know if my Firefox wallet extension is legitimate?
A: Start from the wallet’s official site and follow their link to the store. Check that the publisher name matches exactly, permissions are expected, and the version aligns with the official changelog. Avoid extensions discovered via search/ads. When in doubt, ask the wallet’s official support channels.
Q: What is Extension Hollowing in simple terms?
A: It’s when attackers publish a harmless extension to pass review, then later push an update that adds malicious code. Users trust the extension because it’s older and well-reviewed, making the attack stealthy.
Q: Are Chrome and other browsers affected?
A: Yes, potentially. Researchers found a Chrome extension using the same command-and-control server logic. Always vet extensions, regardless of the browser. Review Chrome Web Store policies and be cautious.
Q: Do hardware wallets protect me from this?
A: They help a lot by keeping private keys offline. But if you expose your seed phrase or approve malicious transactions, funds can still be drained. Combine hardware wallets with strict extension hygiene.
Q: I think I installed a bad wallet extension. What should I do right now?
A: Disconnect from the internet, create a new wallet on a clean device (preferably with a hardware wallet), move funds, revoke approvals via revoke.cash, remove the malicious extension, scan your system, and report the incident to the marketplace and wallet vendor.
Q: Can I trust store reviews and ratings?
A: Treat them as secondary signals. Reviews can be fake or manipulated. Verify the publisher, check official links, and look at independent security reports.
Q: How much has GreedyBear stolen?
A: Current estimates exceed $1 million in stolen digital assets. The campaign’s scope suggests the number could rise as more victims are identified.
Q: What about the YouTube “trading bot” drainer scam?
A: It’s a separate but related trend. Scammers post AI-generated videos showing how to deploy a “profitable” smart contract, which secretly drains funds. Don’t deploy code from unknown sources. See SentinelOne’s research and avoid contracts from video descriptions.
Q: How can I report a suspicious Firefox extension?
A: Use Mozilla’s reporting guidance: Report issues with Firefox add-ons. Include the extension name, publisher, and any suspicious behavior.
Q: Are seed phrase “recovery” tools or wallet “repair” sites legit?
A: Almost always not. These are common lures for seed theft. Only use the official wallet’s recovery flow and never share your seed phrase with any website or extension.
Final Takeaway
GreedyBear is a wake-up call: even “official” extension stores are not foolproof. The attackers didn’t just slip one bad add-on through—they built a portfolio, earned trust, then flipped the switch at scale. Your best defense is a simple, consistent playbook: install from official links, verify the publisher, keep extensions to a minimum, use a hardware wallet, and move fast if something feels off.
If this helped, consider bookmarking it and sharing with your team or friends who manage crypto. For more practical security breakdowns and threat alerts, subscribe and stay a step ahead.