
Malicious Firefox Extensions Are Draining Crypto Wallets

Crypto wallet owners beware: threat actors are using malicious browser extensions to steal your credentials. A recent campaign targeting Firefox is estimated to have included 150 extensions that allowed attackers to drain one million dollars from victims’ accounts.

The scheme, discovered by Koi Security and known as “GreedyBear,” spread through the Firefox add-ons store by impersonating well-known cryptocurrency wallet extensions. According to reporting from Bleeping Computer, the identified malware has been removed by Mozilla, but attackers may be able to quickly and easily mount similar campaigns targeting more users in the future. In fact, researchers have found a possible expansion of GreedyBear to the Chrome web store via an extension called Filecoin Wallet.

Crypto-draining malware spread through Firefox

As Bleeping Computer describes, the crypto-stealing extensions in Firefox started out relatively harmless before morphing into dangerous malware capable of draining funds.

Threat actors initially uploaded benign crypto wallet extensions for approval with branding that matched known platforms like MetaMask, TronLink, and Rabby and accumulated fake positive reviews to make them appear more trustworthy. Only later did they remove and replace the names and logos and inject malicious code, which turned said extensions into keyloggers that captured form field inputs and sent them to attackers’ servers. The compromised extensions also logged victims’ external IP addresses.

How to protect your crypto wallet from malware

Just because an extension has been approved by Mozilla or Google and made it to the official add-on store in Firefox and Chrome doesn’t mean it should be blindly trusted. Before adding a new extension to your browser, read user reviews (don’t just rely on star ratings) and check both the version history and the developer’s other projects for anything suspect.

For crypto wallets, a safer option than searching the add-on store is to go directly to the project’s website, which will link you to the legitimate extension.
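The version-history check can be partly automated by diffing the `manifest.json` of two releases of the same add-on. The sketch below is an added example, not code from Koi Security or Bleeping Computer; both manifests and the add-on names are constructed, and it assumes the form-capturing code arrives as a content script, which the reporting does not specify.

```python
import json

# Constructed manifests for two versions of one hypothetical add-on.
OLD = json.loads("""{"name": "Simple Wallet Helper", "version": "1.0",
  "icons": {"48": "icons/helper.png"}, "permissions": ["storage"]}""")
NEW = json.loads("""{"name": "Example Wallet", "version": "1.4",
  "icons": {"48": "icons/brand.png"},
  "permissions": ["storage", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}""")

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def page_access(manifest):
    """Return every match pattern that lets extension code reach web pages."""
    patterns = set(manifest.get("host_permissions", []))  # Manifest V3
    patterns |= {p for p in manifest.get("permissions", [])  # Manifest V2 hosts
                 if p == "<all_urls>" or "://" in p}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def content_script_files(manifest):
    """Return the JS files the manifest injects into pages."""
    return {f for s in manifest.get("content_scripts", []) for f in s.get("js", [])}


def diff_versions(old, new):
    """List changes between two releases that fit a rebrand-then-inject update."""
    findings = []
    if old.get("name") != new.get("name"):
        findings.append(f"name changed: {old.get('name')} -> {new.get('name')}")
    if old.get("icons") != new.get("icons"):
        findings.append("icons changed")
    added = page_access(new) - page_access(old)
    if added:
        findings.append("new page access: " + ", ".join(sorted(added)))
    new_js = content_script_files(new) - content_script_files(old)
    if new_js:
        findings.append("new content scripts: " + ", ".join(sorted(new_js)))
    return findings


def needs_review(old, new):
    """True when one update both rebrands the add-on and adds all-site access."""
    rebranded = old.get("name") != new.get("name") or old.get("icons") != new.get("icons")
    return rebranded and bool((page_access(new) - page_access(old)) & BROAD)
```

A rebrand on its own or a new permission on its own is common in legitimate updates; the combination in a single release is what warrants a closer look at the changed scripts.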


ZaKi
