Full Report
A malicious campaign dubbed 'GreedyBear' has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims. [...]
Analysis Summary
# Incident Report: Wave of Malicious Crypto-Draining Firefox Extensions
## Executive Summary
A malicious campaign was detected involving approximately 150 browser extensions published to the Firefox add-on store and designed specifically to drain cryptocurrency from users' wallets. The extension code showed signs of AI generation, which enabled the attackers to scale the campaign rapidly and to vary the payloads for evasion. Response actions involved notifying Mozilla, which removed the offending extensions, though indicators suggest the attackers are preparing to target the Chrome Web Store as well.
## Incident Details
- **Discovery Date:** Undisclosed (Implied shortly before reporting/notification to Mozilla)
- **Incident Date:** Ongoing at the time of discovery; the wave was still being published when it was identified.
- **Affected Organization:** Mozilla (Firefox Add-on review process/store integrity) and individual Firefox users.
- **Sector:** Software/Browser Ecosystem
- **Geography:** Global (Distributed via official add-on stores)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing prior to detection/removal.
- **Vector:** Submission of malicious extensions to the official Mozilla Firefox add-on store.
- **Details:** Approximately 150 extensions were published, masquerading as legitimate tools or wallets, containing crypto-draining capabilities.
### Lateral Movement
- *Not applicable in the traditional sense, as this was a client-side distribution model targeting end-users.* Attackers relied on users installing the malicious software.
### Data Exfiltration/Impact
- **Details:** Malicious extensions were designed to steal cryptocurrency keys or assets directly from user wallets linked to the browser.
### Detection & Response
- **How it was discovered:** Analysis by security researchers (Koi Security, inferred from the context).
- **Response actions taken:** Researchers notified Mozilla, leading to the removal of the malicious extensions from the store.
## Attack Methodology
- **Initial Access:** Publishing malicious, yet seemingly functional, extensions to the official Firefox add-on repository.
- **Persistence:** Maintaining active status on the store until automated or manual detection occurred.
- **Privilege Escalation:** N/A (Attacks were executed client-side post-installation).
- **Defense Evasion:** Use of AI-generated artifacts was noted in the code, potentially helping diversify payloads and evade detection systems.
- **Credential Access:** Direct theft of cryptographic material/wallet information via browser extension permissions.
- **Discovery:** N/A (Distribution focused on immediate compromise upon installation).
- **Lateral Movement:** N/A
- **Collection:** Collecting sensitive wallet or key data accessible via the extension's permissions.
- **Exfiltration:** Communication over the network to attacker-controlled command and control infrastructure (communicating with a specific IP address was noted).
- **Impact:** Theft of cryptocurrency.
## Impact Assessment
- **Financial:** Direct financial loss for users who installed the extensions (crypto funds stolen).
- **Data Breach:** Theft of cryptocurrency wallet credentials/keys.
- **Operational:** Disruption to user trust in the integrity of the Firefox add-on ecosystem.
- **Reputational:** Damage to Mozilla's reputation regarding the vetting process for its add-ons, despite previous mitigation efforts.
## Indicators of Compromise
- **Network indicators (Defanged):** Communication with a previously identified malicious IP address associated with the campaign operators (GreedyBear); the address itself is not reproduced in this report.
- **File indicators:** The specific code artifacts and structures found within the malicious extensions.
- **Behavioral indicators:** Extensions performing unauthorized data exfiltration related to cryptocurrency wallets.
## Response Actions
- **Containment measures:** Notification to Mozilla resulted in the removal of the ~150 offending extensions from the Firefox add-ons store.
- **Eradication steps:** Users who installed the extensions must manually remove them and potentially sweep their systems for other compromises.
- **Recovery actions:** Potential need for users to restore funds from backups or recreate wallets if keys were compromised.
## Lessons Learned
- The proliferation of AI tools significantly lowers the barrier for attackers to rapidly create and deploy large-scale malicious campaigns targeting software distribution platforms.
- Existing detection systems (including Mozilla's system deployed in June 2025) are still susceptible to sophisticated, rapidly evolving drainer tactics.
- Attackers are likely migrating successful techniques from one platform (Firefox) to others (Chrome Web Store).
## Recommendations
- **For Browser Vendors (Mozilla/Google):** Continuously iterate and enhance automated detection systems, looking specifically for code signatures indicative of AI generation or common crypto-draining logic across all submissions.
- **For Users:** Never install extensions based solely on popularity or a quick search; verify the publisher details and check external sources/official project documentation for links to legitimate add-ons. Always check multiple user reviews.
- **Proactive Monitoring:** Increase scrutiny on extensions showing similarities to previously banned campaigns (e.g., the previous wave of 40 wallet-themed add-ons).
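The eradication step above (users removing the extensions themselves) and the proactive-monitoring recommendation both come down to the same question: which installed extensions combine a wallet-themed lure with the permissions a drainer needs? The following Python script is an added example, not code from Koi Security, Mozilla or the original report. It reads a Firefox profile's `extensions.json` and scores each active add-on on three signals: a wallet-related name, broad host access (which lets content scripts read any page, including wallet UIs), and sensitive permissions such as `webRequest` or `clipboardRead`. The file layout it parses (`addons[]` with `id`, `defaultLocale.name`, `active` and `userPermissions.permissions`/`origins`) is assumed to match Firefox's format; the sample JSON, the keyword list and the scoring thresholds are constructed for the example and are a heuristic triage aid, not a verdict.

```python
"""Triage installed Firefox extensions for crypto-drainer-like risk signals.

Added example for this report; not Koi Security's or Mozilla's tooling.
"""
import json
import re
from pathlib import Path

# Constructed sample in the shape of a Firefox profile's extensions.json.
# Assumed layout: "addons" list with "id", "defaultLocale.name", "active",
# "userPermissions.permissions" and "userPermissions.origins".
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 36,
    "addons": [
        {"id": "blocklist-helper@example", "active": True,
         "defaultLocale": {"name": "Block List Helper"},
         "userPermissions": {"permissions": ["storage"], "origins": []}},
        {"id": "wallet-helper@example", "active": True,
         "defaultLocale": {"name": "Secure Crypto Wallet Connect"},
         "userPermissions": {"permissions": ["storage", "webRequest", "clipboardRead"],
                             "origins": ["<all_urls>"]}},
        {"id": "old-drainer@example", "active": False,
         "defaultLocale": {"name": "MetaWallet Pro"},
         "userPermissions": {"permissions": ["tabs"], "origins": ["*://*/*"]}},
    ],
})

# Name tokens that wallet-themed lures plausibly carry (constructed list).
WALLET_WORDS = re.compile(r"wallet|crypto|metamask|ledger|trezor|seed|phrase", re.I)
# Host patterns granting content-script access to every page.
BROAD_HOST = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that raise the impact of broad host access: reading or altering
# traffic, reading clipboard contents (pasted seed phrases or addresses), etc.
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "clipboardRead",
                   "cookies", "nativeMessaging"}


def score_addon(addon: dict) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons) for one addon entry."""
    name = addon.get("defaultLocale", {}).get("name", "")
    perms = addon.get("userPermissions") or {}
    granted = set(perms.get("permissions", []))
    origins = set(perms.get("origins", []))
    score, reasons = 0, []
    if WALLET_WORDS.search(name):
        score += 2
        reasons.append(f"wallet-themed name: {name!r}")
    if origins & BROAD_HOST:
        score += 2
        reasons.append("broad host access: " + ", ".join(sorted(origins & BROAD_HOST)))
    if granted & SENSITIVE_PERMS:
        score += len(granted & SENSITIVE_PERMS)
        reasons.append("sensitive permissions: " + ", ".join(sorted(granted & SENSITIVE_PERMS)))
    return score, reasons


def triage(extensions_json: str, threshold: int = 4) -> list[dict]:
    """Parse extensions.json text; return active addons scoring at/above threshold."""
    data = json.loads(extensions_json)
    flagged = []
    for addon in data.get("addons", []):
        if not addon.get("active", False):
            continue  # a disabled addon cannot run content scripts
        score, reasons = score_addon(addon)
        if score >= threshold:
            flagged.append({"id": addon.get("id"), "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda hit: -hit["score"])


def triage_profile(profile_dir: str, threshold: int = 4) -> list[dict]:
    """Run triage() against a real profile directory (path is user-supplied)."""
    text = Path(profile_dir, "extensions.json").read_text(encoding="utf-8")
    return triage(text, threshold)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EXTENSIONS_JSON):
        print(f"{hit['id']}: score {hit['score']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

On a real machine, call `triage_profile()` with the path of the Firefox profile directory. Anything flagged should be reviewed by hand before removal: a legitimate wallet extension will also carry a wallet-themed name and broad permissions, so the score identifies what to look at, not what is malicious.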