Malicious Firefox Extensions Empty Crypto Wallets

Cryptocurrency wallet owners, beware: Attackers are using malicious browser extensions to steal your credentials. A recent campaign targeting Firefox is estimated to have involved 150 extensions that allowed attackers to steal $1 million from victims’ accounts.

The scheme, discovered by Koi Security and known as “GreedyBear,” was distributed via the Firefox add-on store by posing as well-known cryptocurrency wallet extensions. According to a report by Bleeping Computer, the identified malware was removed by Mozilla, but attackers could quickly and easily launch similar campaigns in the future to target more users. Moreover, researchers have found signs that GreedyBear may be spreading to the Chrome Web Store via the Filecoin Wallet extension.

Cryptocurrency-stealing malware spreads via Firefox

As Bleeping Computer describes, cryptocurrency-stealing Firefox extensions started out relatively harmless before evolving into dangerous malware capable of stealing funds.

Initially, the attackers uploaded innocuous crypto wallet extensions for review with branding consistent with well-known platforms such as MetaMask, TronLink, and Rabby, and collected fake positive reviews to appear more trustworthy. Later, they removed and replaced the names and logos, and introduced malicious code that turned the extensions into keyloggers that intercepted data entered through form fields and sent it to the attackers’ servers. The modified extensions also logged the victims’ external IP addresses.

How to Protect Your Crypto Wallet from Malware

Just because an extension is approved by Mozilla or Google and appears in the official Firefox and Chrome add-on stores doesn’t mean you can trust it blindly. Before adding a new extension to your browser, read user reviews (don’t rely solely on ratings) and check the developer’s version history and other projects for suspicious elements.
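The rename-after-approval pattern described above, and the advice to check version history, can be turned into a simple audit that compares two versions of the same extension's manifest.json. This is an added example, not code from Koi Security, Mozilla or the article; the two manifests and the names in them are constructed, and only standard WebExtension manifest keys are read.

```python
import json

# Host patterns that let an extension's scripts see forms on every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_access(manifest):
    """Collect every host pattern the extension can reach (MV2 and MV3 keys)."""
    hosts = set(manifest.get("host_permissions", []))
    # In Manifest V2, host patterns are mixed in with API permissions.
    hosts |= {p for p in manifest.get("permissions", [])
              if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return hosts

def diff_versions(old, new):
    """Return findings for risky changes between two versions of one add-on."""
    findings = []
    if old.get("name") != new.get("name"):
        findings.append(f"renamed: {old.get('name')!r} -> {new.get('name')!r}")
    if old.get("icons", {}) != new.get("icons", {}):
        findings.append("icon set changed")
    gained = host_access(new) - host_access(old)
    if gained:
        findings.append("new host access: " + ", ".join(sorted(gained)))
    if gained & BROAD_HOSTS:
        findings.append("can now read pages on all sites")
    return findings

# Constructed sample: the version that passed review...
OLD = json.loads("""{
  "manifest_version": 2, "name": "Example Link Tool", "version": "1.0",
  "icons": {"48": "tool.png"}, "permissions": ["storage"]
}""")
# ...and a later update of the same add-on ID after the rebrand.
NEW = json.loads("""{
  "manifest_version": 2, "name": "Example Wallet", "version": "1.4",
  "icons": {"48": "wallet.png"}, "permissions": ["storage", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    for finding in diff_versions(OLD, NEW):
        print("FLAG:", finding)
```

A rename combined with newly gained access to all sites on an already-installed add-on is the signal to review or remove it before entering wallet credentials again.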

For crypto wallets, a safer option than searching through the add-on store is to go directly to the project’s website, which will redirect you to a legitimate extension.