Hackers operating under the alias GreedyBear have orchestrated a major cyberattack targeting cryptocurrency users through a sophisticated campaign involving over 150 malicious Firefox browser extensions [1]. The operation, which has already stolen more than $1 million in crypto assets, leverages a new and stealthy technique called “Extension Hollowing” to bypass Firefox’s security mechanisms. The extensions mimic legitimate cryptocurrency wallet services—such as MetaMask, TronLink, Exodus, and Rabby Wallet—convincing users to input sensitive information, including wallet credentials, which are then transmitted to an attacker-controlled server [1].
The attack follows a two-phase strategy. Initially, the hackers publish seemingly harmless extensions to avoid detection during the initial review process. Once the extensions are approved and installed by users, the attackers inject malicious code into them, allowing for the silent exfiltration of user data [1]. This tactic, known as Extension Hollowing, enables the attackers to maintain a low profile and avoid triggering security alarms that would detect a malicious payload during the initial submission.
In addition to the Firefox-based attack, the same threat actors are using Russian websites that distribute pirated software to deliver additional malware, including information stealers and ransomware [1]. These websites often host fake wallet repair tools and similar services designed to lure users into surrendering their private keys or payment details. All stolen data is funneled to a centralized command-and-control (C2) server with the IP address 185.208.156.66 [1].
The campaign appears to be an escalation from a previous operation dubbed Foxy Wallet, which involved around 40 malicious Firefox extensions. The jump to over 150 extensions indicates a more ambitious and organized cybercrime effort, with the potential for broader impact [1]. Notably, the attackers are suspected of using AI-powered tools to generate and manage these extensions, suggesting a growing trend in the use of artificial intelligence to enhance the efficiency and complexity of cyberattacks.
The implications of the GreedyBear campaign extend beyond Firefox. A similar malicious Chrome extension, named
Wallet, has already been identified using the same C2 server and attack methodologies [1]. This suggests that the threat actors are expanding their operations to other major browser platforms, increasing the potential risk for a wider user base.
For cryptocurrency users, the attack highlights the growing threat posed by browser extensions, especially those downloaded from trusted app stores. Many users assume that extensions available through official marketplaces are inherently safe. However, the GreedyBear operation demonstrates that even legitimate-looking extensions can be weaponized after approval [1]. Users are advised to exercise caution when installing browser extensions, particularly those related to cryptocurrency management, and to verify the developer’s credibility and maintain up-to-date security software [1].
The incident also raises questions about the effectiveness of browser extension review processes. While Firefox and other platforms have security measures in place, the use of Extension Hollowing indicates a gap in post-approval monitoring. Cybersecurity experts stress the need for continuous scrutiny of existing extensions, not just during the initial submission phase [1].
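As an added illustration (not from the original article or the cited report), the following sketch shows one form post-approval monitoring can take for the two-phase pattern described above: it diffs an approved extension package against a later update and reports new permissions, new remote hosts referenced in scripts, and changed script files. The extension contents and the host `collector.example` are constructed sample data, and `make_xpi` is a hypothetical helper used only to build them.

```python
import io, json, re, zipfile

HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")

def read_xpi(data: bytes) -> dict:
    """Return {path: bytes} for every file in an XPI (a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n) for n in z.namelist() if not n.endswith("/")}

def perms(files: dict) -> set:
    """API and host permissions declared in manifest.json."""
    m = json.loads(files["manifest.json"])
    return set(m.get("permissions", [])) | set(m.get("host_permissions", []))

def hosts(files: dict) -> set:
    """Hostnames of http(s) URLs that appear in any .js file."""
    return {h.decode() for p, body in files.items()
            if p.endswith(".js") for h in HOST_RE.findall(body)}

def diff_versions(old_xpi: bytes, new_xpi: bytes) -> dict:
    """Report what an update added relative to the reviewed version."""
    old, new = read_xpi(old_xpi), read_xpi(new_xpi)
    return {
        "added_permissions": sorted(perms(new) - perms(old)),
        "new_hosts": sorted(hosts(new) - hosts(old)),
        "changed_scripts": sorted(p for p in new
                                  if p.endswith(".js") and old.get(p) != new[p]),
    }

def make_xpi(files: dict) -> bytes:
    """Hypothetical helper: pack {path: text} into an in-memory XPI."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()

# Constructed sample data: the version that passed review, then a later update.
APPROVED = make_xpi({
    "manifest.json": json.dumps({"manifest_version": 2, "version": "1.0",
        "name": "Example Wallet Helper", "permissions": ["storage"]}),
    "popup.js": "document.title = 'Example Wallet Helper';",
})
UPDATED = make_xpi({
    "manifest.json": json.dumps({"manifest_version": 2, "version": "1.1",
        "name": "Example Wallet Helper",
        "permissions": ["storage", "https://collector.example/*"]}),
    "popup.js": "fetch('https://collector.example/submit');",
})

if __name__ == "__main__":
    print(json.dumps(diff_versions(APPROVED, UPDATED), indent=2))
```

A non-empty `added_permissions` or `new_hosts` on an update to a wallet-related extension is the kind of change that warrants re-review before the update is allowed to roll out.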
As cybercriminals continue to refine their methods and adopt advanced technologies like AI, the risk of large-scale data breaches and financial theft remains high. This case underscores the importance of user education and platform accountability in the rapidly evolving landscape of digital finance [1].
Source:
[1] GreedyBear Steals $1M in Crypto Using 150+ Malicious Firefox Wallet Extensions (https://thehackernews.com/2025/08/greedybear-steals-1m-in-crypto-using.html)