150 Malicious Firefox Extensions Stole Over $1 Million from Users

Red Dog Security

08 Aug 2025 — 2 min read

Security analysts at Koi Security have uncovered a large-scale malicious campaign—dubbed "GreedyBear"—operating through the Mozilla Add-ons Store. The operation involved 150 malicious Firefox extensions that collectively stole more than $1 million in cryptocurrency from unsuspecting users.

How the Scam Worked

The extensions disguised themselves as legitimate crypto wallet plugins, including MetaMask, TronLink, Exodus, and Rabby Wallet.

Initially, they passed Mozilla’s review process by submitting clean, functional versions.
Later, updates introduced malicious code.
Attackers then manipulated reviews, creating a wave of fake positive feedback.
Original branding was replaced with new names and logos, making detection harder.

Once installed, the malicious extensions injected stealer malware capable of:

Hijacking wallet credentials
Logging keystrokes (capturing form inputs and pop-up data)
Exfiltrating stolen data to attacker-controlled servers
Collecting IP addresses, likely for tracking and targeting

Beyond Firefox: A Wider Operation

Although Mozilla has now removed the malicious extensions, Koi Security warns that GreedyBear’s footprint extends far beyond Firefox. The campaign is linked to:

Dozens of Russian-language pirated software sites distributing more than 500 malware-laced executables
Fake websites impersonating Trezor, Jupiter Wallet, and hardware wallet repair services
A single command-and-control server (IP: 185.208.156[.]66) coordinating the entire operation

AI-Powered Malware & Chrome Threat

Attackers reportedly used AI tools to scale their operations, diversify payloads, and evade detection.

Koi Security also identified a Chrome extension—“Filecoin Wallet”—using the same malicious logic. This suggests that GreedyBear may be expanding to the Chrome Web Store.

Mozilla’s New Defense System

In June 2025, Mozilla rolled out an early detection system aimed at combating crypto-fraud-related add-ons. The system:

Creates risk profiles for wallet extensions
Flags high-risk submissions for manual review before they can reach users

How to Protect Yourself

Avoid unofficial wallet extensions—download only from verified developers and official websites
Scrutinize reviews—fake ones often appear in bulk shortly after an extension’s launch
Monitor wallet activity regularly for suspicious transactions
Use browser security tools capable of detecting malicious extensions

Key Takeaway:
Even trusted marketplaces can harbor dangerous malware. Before installing any extension—especially those handling sensitive financial data—verify the source, check its history, and watch for red flags.

Media: Anti-Spam Measures Lead to Blocking of Business Calls

New anti-spam regulations that took effect on September 1 are causing widespread disruption to business communications. According to media reports, telecom operators—acting under legal requirements to limit spam calls—have begun blocking all calls from commercial organizations, leaving banks, developers, and market research firms scrambling to move customer interactions

Pudu Robotics’ Robots Vulnerable to Exploitation

An independent cybersecurity researcher known as BobDaHacker has discovered security flaws in the products of Pudu Robotics, a leading global supplier of commercial service robots. The vulnerabilities made it possible for attackers to redirect robots to arbitrary locations and force them to execute unauthorized commands. The Company and Its Products

Google Patches 120 Vulnerabilities in Android, Including Two 0-days

Google developers have released security updates for Android that fix 120 vulnerabilities in the operating system. According to the company, two of these issues have already been used by hackers in targeted attacks. The 0-days patched this month have been assigned the identifiers CVE-2025-38352 (7.4 out of 10 on

Hackers Abuse the Velociraptor Forensics Tool

Sophos researchers have uncovered a cyberattack in which unknown threat actors abused the open-source endpoint monitoring and forensics tool Velociraptor. “In this incident, the attackers used the tool to download and run Visual Studio Code, likely with the intention of creating a tunnel to a command-and-control server under their control,