The cryptocurrency community faces a growing threat from sophisticated browser extension attacks, as a widespread campaign dubbed “GreedyBear” has stolen more than $1 million in digital assets through over 150 malicious Firefox extensions. The campaign, first reported in early August 2025, exploits a fundamental trust mechanism: users’ reliance on official browser marketplaces as safe sources for software.
The Exploit Mechanics
The attackers behind GreedyBear employ a technique known as “Extension Hollowing” to circumvent Mozilla’s security review process. The operation begins with the submission of an innocuous, empty extension to the Firefox Add-on Store. Once approved and listed, the attackers cultivate a veneer of credibility by generating fake positive reviews. After building sufficient trust, they remotely update the extension to inject malicious code. This approach effectively weaponizes the marketplace’s own trust infrastructure against its users.
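A defensive check for the update pattern described above, as an added example that is not part of the original article or of any Mozilla tooling: it compares a later package against the version that passed review and reports new sensitive grants and a jump in shipped script. The permission shortlist, the `growth` threshold and the sample packages are assumptions of this example.

```python
import io, json, zipfile

# Real WebExtension permission names; treating these as sensitive is this example's choice.
SENSITIVE = {"tabs", "webRequest", "webRequestBlocking", "cookies", "clipboardRead",
             "nativeMessaging", "management", "scripting", "history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def profile(xpi: bytes) -> dict:
    """Summarise what one packaged version (an .xpi is a zip) may do and how much code it ships."""
    with zipfile.ZipFile(io.BytesIO(xpi)) as z:
        manifest = json.loads(z.read("manifest.json"))
        js_bytes = sum(i.file_size for i in z.infolist() if i.filename.endswith(".js"))
    grants = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        grants |= set(cs.get("matches", []))
    return {"version": manifest.get("version"), "grants": grants, "js_bytes": js_bytes}


def hollowing_signals(approved: bytes, update: bytes, growth: int = 10) -> list:
    """Compare an update against the version that passed review."""
    old, new = profile(approved), profile(update)
    signals = [f"new grant: {g}" for g in sorted(new["grants"] - old["grants"])
               if g in SENSITIVE or g in BROAD_HOSTS]
    # A reviewed shell with almost no script that suddenly ships far more code.
    if new["js_bytes"] > growth * max(old["js_bytes"], 1024):
        signals.append(f"script size {old['js_bytes']} -> {new['js_bytes']} bytes")
    return signals


def build_xpi(manifest: dict, files: dict) -> bytes:
    """Pack a constructed sample add-on in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: the version that was reviewed, and a later update.
APPROVED = build_xpi({"manifest_version": 2, "name": "Sample Wallet", "version": "1.0",
                      "permissions": ["storage"]}, {"background.js": "// placeholder\n"})
UPDATE = build_xpi({"manifest_version": 2, "name": "Sample Wallet", "version": "1.1",
                    "permissions": ["storage", "tabs", "<all_urls>"]},
                   {"background.js": "// filler\n" * 2000})

if __name__ == "__main__":
    print("\n".join(hollowing_signals(APPROVED, UPDATE)))
```

An update that stays small and requests nothing new passes this check, so it complements a review of the changed files rather than replacing one.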
The malicious extensions were designed to impersonate popular cryptocurrency wallets such as MetaMask and Coinbase Wallet. When an unsuspecting user installed one of these fraudulent extensions and attempted to log into their actual wallet, the malicious code would capture their credentials and seed phrases in real time. This sensitive data was then exfiltrated to attacker-controlled servers, giving criminals full access to victims’ cryptocurrency holdings.
Security researchers believe the GreedyBear campaign represents an evolution of the earlier “Foxy Wallet” operation, suggesting a highly organized criminal enterprise that has been refining its techniques over multiple iterations. The scale of the operation, with more than 150 extensions deployed across the marketplace, indicates significant resources and coordination.
Affected Systems
The primary targets of this campaign are Firefox browser users who actively manage cryptocurrency holdings through browser-based wallet extensions. Given Bitcoin’s price of approximately $118,731 and Ethereum trading around $4,227 in mid-August 2025, even a single compromised wallet can represent substantial financial losses. The campaign specifically targeted users of MetaMask and Coinbase Wallet, two of the most widely used browser-based cryptocurrency wallets in the ecosystem.
Beyond individual users, the attack has implications for decentralized application developers who rely on browser extensions as the primary interface between users and their platforms. The vulnerability exposed by GreedyBear challenges the assumption that official marketplaces provide adequate security screening for financial applications.
The Mitigation Strategy
For users who may have installed suspicious wallet extensions, immediate action is required. Remove any recently installed wallet extensions from Firefox and verify that you downloaded the authentic version directly from the wallet provider’s official website. Change all seed phrases and migrate funds to new wallet addresses if there is any doubt about the integrity of your current setup.
Mozilla has since purged the malicious extensions from its marketplace and is implementing enhanced review processes for extensions that request sensitive permissions. However, the incident highlights the need for a fundamental shift in how users interact with browser-based crypto tools.
Lessons Learned
The GreedyBear campaign demonstrates that attackers are increasingly targeting the human layer of the crypto security stack rather than technical vulnerabilities in blockchain protocols. The reliance on browser extensions as the primary intermediary between users and decentralized applications creates a significant attack surface that bad actors are eager to exploit.
Several key principles emerge from this incident. First, official marketplaces are not infallible security guarantees. Second, the use of hardware wallets for storing significant cryptocurrency holdings remains the gold standard for protection against credential theft. Third, the industry needs to develop more secure standards for connecting decentralized applications to user wallets, reducing dependence on browser extensions as the primary gateway.
User Action Required
If you use Firefox and have installed any cryptocurrency wallet extension in recent weeks, take the following steps immediately: verify the extension’s publisher through the official wallet website, check for any unusual login activity, and consider migrating to a hardware wallet for long-term storage. With Bitcoin hovering near $118,700 and Ethereum above $4,200, the stakes are too high to rely solely on browser-based security. Stay vigilant, verify sources independently, and never enter seed phrases into browser extensions without confirming their authenticity through multiple channels.
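To support the verification step above, the following added example (not from the original article) reads a Firefox profile's `extensions.json` and lists wallet-branded add-ons whose ID you have not yet confirmed with the vendor. The verified-ID list, the 30-day window and every ID and name in the sample are placeholders or constructed values.

```python
import json
from datetime import datetime, timezone

BRANDS = ("metamask", "coinbase")  # wallet names taken from the article
# IDs you have confirmed through the wallet vendor's own site (placeholder value here).
VERIFIED_IDS = {"verified-wallet@placeholder.invalid"}


def epoch_ms(y, m, d):
    """Epoch milliseconds, the unit extensions.json uses for installDate/updateDate."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp() * 1000)


def unverified_wallets(extensions_json: str, now_ms: int, recent_days: int = 30) -> list:
    """Return wallet-branded add-ons whose ID is not on the verified list, with triage context."""
    hits = []
    for addon in json.loads(extensions_json).get("addons", []):
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        if addon.get("type") != "extension" or not any(b in name.lower() for b in BRANDS):
            continue
        if addon.get("id") in VERIFIED_IDS:
            continue
        installed, updated = addon.get("installDate", 0), addon.get("updateDate", 0)
        hits.append({
            "id": addon.get("id"),
            "name": name,
            "version": addon.get("version"),
            "recent_install": now_ms - installed <= recent_days * 86_400_000,
            "updated_since_install": updated > installed,
        })
    return hits


# Constructed sample in the shape of <profile>/extensions.json (IDs and names are made up).
SAMPLE = json.dumps({"addons": [
    {"id": "verified-wallet@placeholder.invalid", "type": "extension", "version": "12.0",
     "defaultLocale": {"name": "MetaMask"},
     "installDate": epoch_ms(2024, 1, 10), "updateDate": epoch_ms(2025, 7, 1)},
    {"id": "lookalike@placeholder.invalid", "type": "extension", "version": "1.1",
     "defaultLocale": {"name": "Coinbase Wallet Secure"},
     "installDate": epoch_ms(2025, 8, 1), "updateDate": epoch_ms(2025, 8, 9)},
    {"id": "notes@placeholder.invalid", "type": "extension", "version": "3.2",
     "defaultLocale": {"name": "Quick Notes"},
     "installDate": epoch_ms(2025, 8, 5), "updateDate": epoch_ms(2025, 8, 5)},
]})

if __name__ == "__main__":
    for hit in unverified_wallets(SAMPLE, now_ms=epoch_ms(2025, 8, 15)):
        print(hit)
```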
The fundamental value proposition of crypto keeps getting stronger
The best projects are the ones quietly shipping during bear markets
Yuki Tanaka the best projects during bear markets include security tools. GreedyBear exposed a fundamental flaw in extension trust models
This is exactly the kind of development the space needs
The gap between crypto and TradFi is narrowing fast
Interesting perspective — I hadn’t considered that angle before
fake 5-star reviews on malicious metamask clones is such a basic social engineering trick. 150 extensions before anyone noticed is embarrassing for mozilla
150 malicious extensions and the attack vector was updating benign extensions after approval. the review process needs continuous monitoring not just initial screening
ext_hunter_ submitting empty extensions then injecting malicious code post-approval breaks the entire addon trust model. mozilla needs continuous scanning not just initial review