Fake Browser Extensions Used to Steal $1M Crypto


khang, 8/11/2025

GreedyBear – The New “Kingpin” of Crypto Cybercrime


According to a report from Koi Security, the Russian hacker group GreedyBear has expanded its global-scale operations, targeting English-speaking and international users. In just five weeks, they have stolen over $1 million through a sophisticated campaign involving 150 weaponized Firefox extensions.


Not stopping at browsers, the group has also deployed nearly 500 malicious Windows files and dozens of phishing websites disguised as cryptocurrency wallet services, hardware devices, and “wallet repair” platforms to steal victims’ personal information and wallet keys.


Sophisticated Tactics – “Extension Hollowing”


The Firefox campaign is GreedyBear’s “golden goose”:


Step 1: Upload a “clean” version of popular wallet extensions such as MetaMask, Exodus, Rabby Wallet, and TronLink to the Firefox add-on marketplace.

Step 2: Once the extension has gained user trust and installs, push an update that adds malicious code to steal data.

Step 3: Post fake 5-star reviews to create a false sense of trust.


Once a user enters their login credentials, their assets are drained straight into the hacker’s wallet.
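Because a hollowed extension starts clean and only turns malicious in a later update, the useful review point is the update itself. The following Python is an added illustration, not code from the article or from Koi Security: it compares two versions of an extension manifest and flags the kinds of additions a data-stealing update typically needs. Both manifests are constructed samples.

```python
"""Flag risky changes between two versions of a Firefox extension manifest.

Extension hollowing relies on the first release being clean and a later
update introducing the stealing code. Diffing manifests across versions
surfaces additions that a benign update of a wallet UI should rarely need.
Both manifests below are constructed samples, not real extension data.
"""
import json

# Constructed sample: the clean first release
CLEAN_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Example Wallet", "version": "1.0.0",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://wallet.example/*"], "js": ["ui.js"]}],
})
# Constructed sample: the "hollowed" update pushed after installs accumulate
UPDATED_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Example Wallet", "version": "1.0.1",
    "permissions": ["storage", "tabs", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["ui.js", "collect.js"]}],
    "background": {"scripts": ["bg.js"]},
})

# Permissions whose sudden appearance in an update warrants review
HIGH_RISK = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
             "cookies", "clipboardRead", "nativeMessaging"}

def _scripts(manifest):
    """Collect every script file the manifest loads and every match pattern."""
    js, matches = set(), set()
    for cs in manifest.get("content_scripts", []):
        js.update(cs.get("js", []))
        matches.update(cs.get("matches", []))
    js.update(manifest.get("background", {}).get("scripts", []))
    return js, matches

def diff_manifests(old_json, new_json):
    """Return human-readable findings for risky additions in new_json."""
    old, new = json.loads(old_json), json.loads(new_json)
    findings = []
    added_perms = set(new.get("permissions", [])) - set(old.get("permissions", []))
    for p in sorted(added_perms & HIGH_RISK):
        findings.append(f"new high-risk permission: {p}")
    old_js, old_m = _scripts(old)
    new_js, new_m = _scripts(new)
    for s in sorted(new_js - old_js):
        findings.append(f"new script loaded: {s}")
    if "<all_urls>" in (new_m - old_m):
        findings.append("content scripts now run on every site (<all_urls>)")
    return findings
```

An empty result for an update means nothing in this set of checks changed; it does not prove the update is safe, since the JavaScript files themselves are not inspected here.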


Scaling Up – From 40 to 150 Malicious Extensions


Between April and July, the campaign involved around 40 malicious extensions. That number has since almost quadrupled, showing that GreedyBear is accelerating and becoming more sophisticated than ever.


Additionally, the malicious Windows files they spread via pirated-software websites contain stealers, ransomware, and trojans, showing that GreedyBear operates an industrial-scale malware distribution network.


Critical Weak Point: One IP Controls It All


Koi Security found that most of GreedyBear’s attack domains point to the same IP address: 185.208.156.66. This indicates highly centralized control, unlike government-backed campaigns, which usually distribute infrastructure to avoid a single point of failure.


How to Avoid Falling Victim to GreedyBear


Koi Security CTO Idan Dardikman advises:

Only install extensions from verified developers with a long history.

Avoid visiting or downloading software from pirated-software websites.

Use official wallet software; for large holdings, prefer hardware wallets, and buy them only directly from the manufacturer to avoid counterfeits.

Never enter wallet keys or personal details on unfamiliar websites, no matter how “legitimate” they appear.


Conclusion


With its current rate of expansion, GreedyBear will continue to be a serious threat to the global crypto community. Users should remain vigilant, apply strict security measures, and regularly update their cybersecurity knowledge to protect their digital assets.