GreedyBear scam group steals $1M+ in crypto via 150+ fake Firefox wallet extensions, malware, and scam sites. Stay alert, stay safe.
A cybercrime group known as GreedyBear has stolen over $1 million worth of cryptocurrency so far.
According to insights from Koi Security, this group has used a dangerous mix of fake wallet extensions, malware and scam websites to reach “industrial-scale crypto theft.”
How GreedyBear Uses Fake Wallet Extensions to Steal Crypto
The most disturbing part of GreedyBear’s campaign is how the ring has used over 150 malicious Firefox extensions posing as trusted crypto wallets. These include fake versions of MetaMask, TronLink, Exodus and Rabby Wallet.
The group uses a technique called “Extension Hollowing” to carry this out.
First, they publish a seemingly harmless browser extension to bypass Mozilla’s security checks. Once the extension gains approval and user trust, the developers then delete parts of it and update the extension with wallet drainers. This allows them to steal wallet credentials directly from the browser.
These fake plugins don’t just steal credentials. They also collect IP addresses and help attackers track users more precisely.
Malware and Pirated Software
The second layer of GreedyBear’s attacks involves crypto-targeting malware, especially when it comes to credential stealers and ransomware.
Koi Security identified nearly 500 malware samples linked to this group. These include LummaStealer, which steals wallet credentials and Luca Stealer, a ransomware that demands crypto payments.
Most of this malware is distributed via Russian websites offering cracked or pirated software. When users download these files, the malware silently installs on their systems and gives attackers access to wallet data.
Fake Crypto Services
GreedyBear’s third tactic is setting up fake websites that look like crypto tools or wallet services. These aren’t your typical phishing sites asking for a login. Instead, they mimic real product landing pages and advertise wallets, hardware tools or “wallet repair” services.
These websites trick users into entering sensitive wallet information. All data entered is sent directly to the attackers, which results in stolen funds.
What’s more, all these scams: extensions, malware and websites have been traced back to a single IP address. This shows that one organised group is controlling the entire campaign and is managing everything from malware distribution to data collection.
Signs of AI Involvement Make Things Worse
GreedyBear’s attack methods are not only widespread, they’re fast and can adapt quickly. Koi Security discovered evidence of AI-generated code being used he malware and browser extensions.
This allows the group to quickly generate new variants of malware, scale attacks to reach more users faster and shift tactics if one method is blocked.
Experts are now warning that this may be the new normal in crypto-related cybercrime. As attackers rely more on AI, traditional defences may not be enough.
What This Means for Crypto Users
These attacks are especially dangerous because they take advantage of trust. People often assume browser extensions are safe if they come from official stores like Mozilla’s Firefox Marketplace. However, as this campaign shows, trust can be weaponised.
To protect yourself, avoid installing wallet extensions unless necessary. Also, verify extension publishers and reviews carefully before downloading.
Never download pirated software, especially from shady sites and always double-check URLs of any crypto services before entering sensitive data.
