Carder.life

Carding News: Wave of 150 crypto-draining extensions hits Firefox add-on store

Artifact 08-07-2025 06:57 PM

<div id="post_message_807958">

A malicious campaign dubbed 'GreedyBear' has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.<br/>
<br/>
The campaign, discovered and documented by Koi Security, impersonates cryptocurrency wallet extensions from well-known platforms such as MetaMask, TronLink, and Rabby.<br/>
<br/>
These extensions are uploaded in a benign form initially, to be accepted by Firefox, and accumulate fake positive reviews.<br/>
<br/>
At a later phase, the publishers strip out the original branding and replace it with new names and logos while also injecting malicious code to steal users' wallet credentials and IP addresses.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/add-on.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">Add-on before it turns malicious. Source: Koi Security</div>The malicious code acts as a keylogger, capturing input from form fields or within displayed popups, which is then sent to the attacker's server.<br/>
<br/>
"The weaponized extensions capture wallet credentials directly from user input fields within the extension’s own popup interface, and exfiltrate them to a remote server controlled by the group," <a href="https://medium.com/@tuval_49118/3e8628831a05" target="_blank">explains Koi Security's Tuval Admoni</a>.<br/>
<br/>
"During initialization, they also transmit the victim’s external IP address, likely for tracking or targeting purposes."<br/>
<br/>
The crypto-draining operation is complemented by dozens of Russian-speaking pirated software websites that facilitate the distribution of 500 distinct malware executables, and also a network of websites impersonating Trezor, Jupiter Wallet, and fake wallet repair services.<br/>
<br/>
In the case of the malware, the payloads include generic trojans, info-stealers (LummaStealer), or even ransomware.<br/>
<br/>
All of these sites are linked to the same IP address, 185.208.156.66, which serves as a command-and-control (C2) hub for the GreedyBear operation.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/jupiter.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">Fake Jupiter Wallet site. Source: Koi Security</div>Koi Security reported its findings to Mozilla, and the offending extensions have been removed from Firefox's add-ons store.<br/>
<br/>
However, its wide scale and apparent ease in execution are a demonstration of how AI can help cybercriminals create large-scale schemes and quickly recover from total takedowns.<br/>
<br/>
"Our analysis of the campaign's code shows clear signs of AI-generated artifacts," explains the report.<br/>
<br/>
"This makes it faster and easier than ever for attackers to scale operations, diversify payloads, and evade detection."<br/>
<br/>
The previous large-scale attack on the Firefox store <a href="https://www.bleepingcomputer.com/news/security/dozens-of-fake-wallet-add-ons-flood-firefox-store-to-drain-crypto/" target="_blank">occurred last month</a>, involving over 40 fake extensions pretending to be wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero.<br/>
<br/>
It's notable that these fraudulent extensions still find their way into the Firefox store despite Mozilla having <a href="https://www.bleepingcomputer.com/news/security/mozilla-launches-new-system-to-detect-firefox-crypto-drainer-add-ons/" target="_blank">deployed a system</a> in June 2025 to detect crypto-drainer add-ons.<br/>
<br/>
Koi Security also reports seeing signs that the operators of GreedyBear are exploring expansion to the Chrome Web Store, as they already spotted a malicious Chrome extension named "Filecoin Wallet" that uses the same data-theft logic and communicates with the same IP address.<br/>
<br/>
To minimize the risk from these threats, always read multiple user reviews and check extension and publisher details before installing add-ons on your browser.<br/>
<br/>
You can find the official wallet extensions on the websites of the projects themselves, either hosted directly or linking to the legitimate add-on on online stores.<br/>
<br/>
BleepingComputer contacted Mozilla and Google about this campaign and their efforts to protect users, and will update this article with any responses.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-extensions-hits-firefox-add-on-store" target="_blank">@ BleepingComputer </a>
</div>
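The article names a single C2 address, 185.208.156.66, shared by the extensions, the fake wallet sites and the malware distribution sites. The script below is an added example (not part of the post, the BleepingComputer article, or Koi Security's tooling) showing how a defender could sweep egress or proxy logs for that indicator. The log format (`timestamp src_ip dst_ip:port host`) and the log lines themselves are constructed for the example; real logs would need their own parser. Matching is done on parsed IP addresses rather than substrings, so an unrelated address that merely contains the indicator's digits (e.g. `185.208.156.660`, which is not a valid IPv4 address) is not reported.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# C2 address reported for the GreedyBear campaign (taken from the article).
GREEDYBEAR_C2 = ipaddress.ip_address("185.208.156.66")

# Constructed sample proxy log: "timestamp src_ip dst_ip:port host" (not real traffic).
SAMPLE_LOG = """\
2025-08-07T14:02:11Z 10.1.4.23 142.250.74.46:443 www.google.com
2025-08-07T14:02:15Z 10.1.4.23 185.208.156.66:443 wallet-repair.example
2025-08-07T14:03:40Z 10.1.7.9 185.208.156.660:80 not-a-match.example
this line is malformed and must be skipped
2025-08-07T14:05:02Z 10.1.9.2 185.208.156.66:80 -
"""

# Hypothetical log layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<host>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    host: str


def parse_line(line: str):
    """Parse one log line into (ts, src, dst_ip, port, host); return None if it
    does not match the layout or the destination is not a valid IP address."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        # e.g. "185.208.156.660": looks like the IoC as a substring but is not an address
        return None
    return m["ts"], m["src"], dst, int(m["port"]), m["host"]


def find_c2_hits(log_text: str, ioc=GREEDYBEAR_C2) -> list:
    """Return every connection whose destination equals the indicator exactly."""
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, src, dst, port, host = parsed
        if dst == ioc:
            hits.append(Hit(ts, src, str(dst), port, host))
    return hits


def summarize_by_source(hits) -> dict:
    """Count hits per internal source address, which is the triage starting point:
    each source is a host whose browser extensions should be reviewed."""
    return dict(Counter(h.src for h in hits))


if __name__ == "__main__":
    found = find_c2_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.port} ({h.host})")
    print("hosts to triage:", summarize_by_source(found))
```

In practice the same matching would be run against DNS and proxy logs over the window since the extensions' "benign" upload phase, since the article notes the malicious code was only injected later; a host that contacted the indicator once should have its installed add-ons compared against the wallet vendors' official listings.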

