GreedyBear Crypto Heist: $1M Stolen Through Malicious Firefox Extensions and AI-Powered Tactics

Reviewed by Nidhi Govil

4 Sources

A sophisticated cybercrime campaign dubbed 'GreedyBear' has stolen over $1 million in cryptocurrency using malicious Firefox extensions and AI-generated tools, highlighting the evolving threats in the crypto space.

GreedyBear Campaign Exploits Firefox Add-ons

A sophisticated cybercrime operation dubbed 'GreedyBear' has successfully stolen over $1 million in cryptocurrency by exploiting vulnerabilities in the Firefox browser's add-on ecosystem. The campaign, uncovered by Koi Security, involves more than 150 malicious extensions that impersonate popular cryptocurrency wallets such as MetaMask, TronLink, and Rabby [1].

Source: Bleeping Computer

The attackers employed a novel technique called "Extension Hollowing" to bypass Mozilla's security measures. This method involves initially uploading benign extensions to build credibility, then later replacing them with malicious versions that capture wallet credentials and users' IP addresses [2].

AI-Powered Tactics and Expansion

What sets GreedyBear apart is its use of artificial intelligence to scale operations and evade detection. The campaign's code shows clear signs of AI-generated artifacts, enabling attackers to diversify payloads and recover quickly from takedowns [1].

The operation has expanded beyond Firefox, with evidence of similar tactics being employed on the Chrome Web Store. A malicious Chrome extension named "Filecoin Wallet" was found using the same data-theft logic and communicating with the GreedyBear command-and-control server [2].

Broader Malware Distribution Network

GreedyBear's activities extend beyond browser extensions. The group has been linked to a network of Russian-language websites distributing pirated software, which serve as vectors for deploying various malware, including information stealers and ransomware [3].

Additionally, the attackers have set up scam websites impersonating legitimate cryptocurrency services like Trezor and Jupiter Wallet, as well as fake wallet repair tools. All these malicious sites are connected to a single IP address (185.208.156.66), which acts as the command-and-control hub for the entire operation [1].

Source: The Hacker News

Escalating Crypto Theft Trends

The GreedyBear campaign is part of a larger trend of increasing cryptocurrency thefts. According to Chainalysis, over $2.17 billion has been stolen from crypto services in the first half of 2025, already surpassing the total for all of 2024 [4].

This surge in crypto theft is attributed to more sophisticated targeting techniques, potentially facilitated by the growth of easily deployable AI tools. Personal wallets are becoming increasingly targeted, representing 23.35% of all theft activity year-to-date [4].

Mitigation and User Precautions

While Mozilla has removed the identified malicious extensions from its add-on store, users who have already installed them remain at risk. Experts advise Firefox users to be cautious when installing extensions, especially those related to cryptocurrency wallets [3].

Source: TechRadar

To minimize risks, users should thoroughly read reviews, check extension and publisher details before installation, and preferably download wallet extensions directly from official project websites or verified links [2].
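Because add-ons that were installed before the takedown stay on disk, a local check is useful. The script below is an added example, not code from the article, Koi Security or Mozilla: it scans the packaged add-ons in a Firefox profile for the command-and-control address cited above and for the wallet names the campaign impersonated. It assumes user-installed add-ons sit as `.xpi` ZIP archives under the profile's `extensions` directory and that the address appears literally in the packaged files.

```python
import json
import sys
import zipfile
from pathlib import Path

# Indicators taken from the article above.
C2_INDICATOR = b"185.208.156.66"
WALLET_BRANDS = ("metamask", "tronlink", "rabby")

def scan_xpi(xpi_path):
    """Inspect one packaged add-on (an XPI is a ZIP archive)."""
    info = {"file": Path(xpi_path).name, "name": None, "ioc_files": []}
    with zipfile.ZipFile(xpi_path) as xpi:
        for member in xpi.namelist():
            data = xpi.read(member)
            if C2_INDICATOR in data:
                info["ioc_files"].append(member)
            if member == "manifest.json":
                try:
                    manifest = json.loads(data.decode("utf-8-sig"))
                except ValueError:  # malformed or commented manifest
                    manifest = {}
                if isinstance(manifest, dict):
                    info["name"] = manifest.get("name")
    # A brand match is only a prompt to verify the publisher; genuine wallets match too.
    label = f"{info['name'] or ''} {info['file']}".lower()
    info["wallet_brand"] = next((b for b in WALLET_BRANDS if b in label), None)
    return info

def scan_profile(profile_dir):
    """Return the add-ons under <profile>/extensions that need a manual look."""
    findings = []
    for xpi_path in sorted(Path(profile_dir, "extensions").glob("*.xpi")):
        try:
            info = scan_xpi(xpi_path)
        except zipfile.BadZipFile:
            findings.append({"file": xpi_path.name, "error": "not a valid XPI/ZIP"})
            continue
        if info["ioc_files"] or info["wallet_brand"]:
            findings.append(info)
    return findings

if __name__ == "__main__":
    # Usage: python scan_addons.py /path/to/firefox/profile
    for finding in scan_profile(sys.argv[1]):
        print(json.dumps(finding))
```

An empty result does not clear a profile: a malicious add-on that reaches its server through a domain name or an obfuscated string will not match the literal address.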

TheOutpost.ai
© 2025 Triveous Technologies Private Limited