GreedyBear Swindles $1M in Crypto with Over 150 Rogue Firefox Wallet Extensions


## The Rise of the GreedyBear Campaign: A Threat to Cryptocurrency Users

A new campaign, known as **GreedyBear**, has emerged, exploiting over 150 malicious extensions in the Firefox marketplace. These deceptive tools are designed to imitate well-known cryptocurrency wallets, leading to the theft of more than $1 million in digital assets, according to a report by Koi Security.

### Understanding the Malicious Extensions

The rogue extensions camouflage themselves as popular wallets like MetaMask, TronLink, Exodus, and Rabby Wallet. Tuval Admoni, a researcher at Koi Security, revealed that the threat actor employs a method called **Extension Hollowing**. This technique allows them to circumvent Mozilla’s safeguards by leveraging user trust in legitimate-seeming applications.

Admoni explained that instead of trying to sneak malicious extensions past review, the attackers first build a portfolio of harmless extensions and only weaponize them later, once scrutiny has diminished.

### Tactics of the GreedyBear Actors

The attackers initiate their strategy by setting up a publisher account to upload benign extensions that lack functional capabilities, thereby evading initial inspection. They further enhance their credibility by posting fake positive reviews, creating an illusion of trustworthiness. Once the extensions are live, they modify them to include malicious features.

These harmful extensions capture user wallet credentials, sending them to servers controlled by the attackers. The malevolent actors also collect victims’ IP addresses, likely for future tracking.

### History of Extortion: Foxy Wallet

This campaign builds upon a previous operation known as **Foxy Wallet**, where the same threat actors deployed at least 40 malicious extensions targeting Firefox users. The increasing number of extensions indicates a significant escalation in their activities.

In addition to draining cryptocurrency wallets, their operations extend to distributing malicious executables via various Russian sites, which feature cracked and pirated software. This leads to the deployment of information stealers and even ransomware, amplifying their impact.

### Scam Sites and Broader Reach

GreedyBear has also set up fake websites that mimic cryptocurrency products, such as wallet repair tools, enticing users to unwittingly hand over their credentials or payment information and contributing to financial fraud. Koi Security tied these multiple attack vectors to a single threat actor through a shared IP address, **185.208.156[.]66**, which serves as the command-and-control (C2) server for data collection and management.

### Expansion to Other Platforms

Recent analysis suggests that these extension-related attacks are not limited to Firefox but may be expanding to other browser marketplaces. A Google Chrome extension named **Filecoin Wallet**, which utilizes the same C2 server, has been discovered employing similar tactics to steal user credentials.
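Because both the Firefox extensions and the Chrome "Filecoin Wallet" extension report to the same C2 address, that address is the one indicator a defender can act on immediately. The following script is an added example, not code from the article or from Koi Security: it refangs the defanged indicator as printed above, validates it as an IP address, and scans a set of constructed proxy log lines (the five-field log format and the client addresses are assumptions made up for this example) for any host that contacted the C2, so the affected endpoints can be isolated and their installed extensions reviewed.

```python
import ipaddress

# The only C2 indicator the article reports, kept in its defanged form.
KNOWN_C2_DEFANGED = ["185.208.156[.]66"]

# Constructed sample proxy log (NOT real traffic). Assumed format:
# "<timestamp> <client_ip> <method> <destination> <status>"
SAMPLE_LOG = """\
2025-08-07T10:01:02Z 10.0.0.12 POST 185.208.156.66 200
2025-08-07T10:01:05Z 10.0.0.12 GET addons.mozilla.org 200
2025-08-07T10:02:11Z 10.0.0.19 POST api.example.test 200
2025-08-07T10:03:44Z 10.0.0.23 POST 185.208.156.66 204
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator (185.208.156[.]66, hxxp://...) back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_c2_set(defanged):
    """Refang and validate each indicator; a typo in a threat-intel feed fails loudly here."""
    c2 = set()
    for item in defanged:
        c2.add(str(ipaddress.ip_address(refang(item))))
    return c2


def scan_log(text: str, c2_set) -> list:
    """Return one record per log line whose destination is a known C2 address."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        timestamp, client, method, dest, status = parts[:5]
        if dest in c2_set:
            hits.append({"timestamp": timestamp, "client": client,
                         "method": method, "dest": dest, "status": status})
    return hits


def affected_clients(hits) -> list:
    """Distinct internal hosts that talked to the C2; these need isolation and an extension audit."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    matches = scan_log(SAMPLE_LOG, load_c2_set(KNOWN_C2_DEFANGED))
    for m in matches:
        print(f"{m['timestamp']} {m['client']} -> {m['dest']} ({m['method']} {m['status']})")
    print("hosts to triage:", affected_clients(matches))
```

A single IP is a brittle indicator, so treat a match as a trigger for host triage (list installed browser extensions and their recent update dates, check wallet activity) rather than as the whole detection: the extension-hollowing pattern described above means the extension IDs themselves were benign at install time, and the update that introduced the exfiltration is what needs to be found on the endpoint.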

### The Role of Artificial Intelligence

Compounding the situation, some artifacts from these malicious operations appear to have been created with the aid of artificial intelligence (AI) tools. This showcases a troubling trend where threat actors leverage AI to enhance their attacks, enabling more efficient and widespread operations.

Admoni noted that the current scale of the GreedyBear campaign reflects an evolution in tactics, resulting in a multi-platform approach to credential and asset theft supported by an extensive malware distribution network.

### Emerging Ethereum Scams

In parallel developments, SentinelOne has identified an ongoing cryptocurrency scam involving a malicious smart contract disguised as a trading bot aimed at draining user wallets. This Ethereum drainer scheme claims over $900,000 in illicit profits since its inception in early 2024.

Scammers promote this scheme through YouTube videos, which present the fake trading bot and guide users on deploying the smart contract using the Remix Solidity Compiler platform, a web-based IDE for Web3 projects. The accompanying video descriptions include links to external sites hosting the malicious code.

### Fake Credibility through Aged Accounts

Many of the videos involved appear to be AI-generated, published through aged YouTube accounts that promote various cryptocurrency news. This tactic attempts to build trust and legitimacy, while comments sections are curated to remove any negative feedback.

One of the identified YouTube accounts was established in October 2022, suggesting that the fraudsters either nurtured the account over time or purchased it from services that sell aged channels.

### Mechanics of the Smart Contract Scam

The scam's operational phase begins once a victim deploys the smart contract and is prompted to send Ethereum (ETH) to it. The funds are then funneled to a wallet controlled by the attackers, completing the theft.

SentinelOne's Delamotte emphasized that the combination of AI-generated content with aged YouTube accounts available for purchase allows even moderately resourced actors to use established accounts for fraudulent activities.
