Subj : Firefox fans beware - these malicious add-ons are stealing millio
To   : All
From : TechnologyDaily
Date : Fri Aug 08 2025 16:30:07

Firefox fans beware - these malicious add-ons are stealing millions, so be on 
your guard

Date:
Fri, 08 Aug 2025 15:22:00 +0000

Description:
GreedyBear abused Mozilla's browser add-on store to steal a million dollars 
in crypto.

FULL STORY
======================================================================Experts 
flag 150 Firefox add-ons which served as infostealers and keyloggers Add-ons 
added to the store are benign, but when they gain a reputation, they are 
transformed into malware The crooks steal crypto and track their victims' IP 
addresses 

Cryptocurrency users running the Firefox browser should be careful - a major 
campaign has been detected aiming to steal their tokens right out of their 
wallets. 

Recently, security researchers from Koi Security identified 150 add-ons in 
the Mozilla store which served as infostealers and keyloggers. 

These add-ons started as benign tools, impersonating popular crypto wallets 
such as MetaMask, TronLink, or Rabby, but after accumulating enough downloads 
and positive reviews, the attackers replace them with new names and logos and 
inject malicious code that steals user wallet credentials and IP addresses. 
GreedyBear 

"The weaponized extensions captures wallet credentials directly from user 
input fields within the extensions own popup interface, and exfiltrate them 
to a remote server controlled by the group," Koi Security said in its 
writeup. 

"During initialization, they also transmit the victims external IP address, 
likely for tracking or targeting purposes." 

The malicious code was partially generated with the help of AI, the experts 
said, dubbing the campaign GreedyBear, and claiming it raked in more than a 
million dollars already. 

The bear in the name could be a reference to Russia, since the operation is 
apparently complemented by dozens of pirated software websites distributing 
500 malware variants, as well as fake Trezor, Jupiter Wallet, and other 
crypto websites. All of them are written in Russian. 

The malware distributed through the website is generic, the researchers 
added, with LummaStealer standing out as a more notable name. 

All of the sites are linked to the same IP address, which means that a single 
entity is running the entire operation. 

Koi Security reported its findings to Mozilla, which swiftly removed all 
malicious add-ons from its repository. However, users who downloaded them in 
the meantime will remain at risk until they delete the add-ons from their 
browsers and refresh all login credentials. 

 Via BleepingComputer You might also like Over two dozens of fake crypto 
wallet apps on Play Store are stealing users' 12-word seed phrase without 
warning Take a look at our guide to the best authenticator app We've rounded 
up the best password managers



======================================================================
Link to news story:
https://www.techradar.com/pro/security/firefox-fans-beware-these-malicious-add
-ons-are-stealing-millions-so-be-on-your-guard


--- Mystic BBS v1.12 A49 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.