GreedyBear Crypto Heist: $1M Stolen Through Malicious Firefox Extensions and AI-Powered Tactics

GreedyBear Steals $1M in Crypto Using 150+ Malicious Firefox Wallet Extensions

A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets. The published browser add-ons masquerade as MetaMask, TronLink, Exodus, and Rabby Wallet, among others, Koi Security researcher Tuval Admoni said. What makes the activity notable is the threat actor's use of a technique that the cybersecurity company called Extension Hollowing to bypass safeguards put in place by Mozilla and exploit user trust. It's worth noting that some aspects of the campaign were first documented by security researcher Lukasz Olejnik last week. "Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody's watching," Admoni said in a report published Thursday. To achieve this, the attackers first create a publisher account in the marketplace, upload innocuous extensions with no actual functionality to sidestep initial reviews, post fake positive reviews to create an illusion of credibility, and modify their innards with malicious capabilities. The fake extensions are designed to capture wallet credentials entered by unsuspecting users and exfiltrate them to an attacker-controlled server. It also gathers victims' IP addresses for likely tracking purposes. The campaign is assessed to be an extension of a previous iteration called Foxy Wallet that involved the threat actors publishing no less than 40 malicious browser extensions for Mozilla Firefox with similar goals in mind. The latest spike in the number of extensions indicates the growing scale of the operation. The fake wallet cryptocurrency draining attacks are augmented by campaigns that distribute malicious executables through various Russian sites that peddle cracked and pirated software, leading to the deployment of information stealers and even ransomware. The GreedyBear actors have also found setting up scam sites that pose as cryptocurrency products and services, such as wallet repair tools, to possibly trick users into parting with their wallet credentials, or payment details, resulting in credential theft and financial fraud. Koi Security said it was able to link the three attack verticals to a single threat actor based on the fact that the domains used in these efforts all point to a lone IP address: 185.208.156[.]66, which acts as a command-and-control (C2) server for data collection and management. There is evidence to suggest that the extension-related attacks are branching out to target other browser marketplaces. This is based on the discovery of a Google Chrome extension named Filecoin Wallet that has used the same C2 server and the underlying logic to pilfer credentials. To make matters worse, an analysis of the artifacts has uncovered signs that they may have been created using artificial intelligence (AI)-powered tools. This underscores how threat actors are increasingly misusing AI systems to enable attacks at scale and at speed. "This variety indicates the group is not deploying a single toolset, but rather operating a broad malware distribution pipeline, capable of shifting tactics as needed," Admoni said. "The campaign has since evolved the difference now is scale and scope: this has evolved into a multi-platform credential and asset theft campaign, backed by hundreds of malware samples and scam infrastructure." Ethereum Drainers Pose as Trading Bots to Steal Crypto The disclosure comes as SentinelOne flagged a widespread and ongoing cryptocurrency scam that entails distributing a malicious smart contract disguised as a trading bot in order to drain user wallets. The fraudulent Ethereum drainer scheme, active since early 2024, is estimated to have already netted the threat actors more than $900,000 in stolen profits. "The scams are marketed through YouTube videos which explain the purported nature of the crypto trading bot and explain how to deploy a smart contract on the Remix Solidity Compiler platform, a web-based integrated development environment (IDE) for Web3 projects," researcher Alex Delamotte said. "The video descriptions share a link to an external site that hosts the weaponized smart contract code." The videos are said to be AI-generated and are published from aged accounts that post other sources' cryptocurrency news as playlists in an effort to build legitimacy. The videos also feature overwhelmingly positive comments, suggesting that the threat actors are actively curating the comment sections and removing any negative feedback. One of the YouTube accounts pushing the scam was created in October 2022. This either indicates that the fraudsters slowly and steadily boosted the account's credibility over time or may have purchased it from a service selling such aged YouTube channels off Telegram and dedicated sites like Accs-market and Aged Profiles. The attack moves to the next phase when the victim deploys the smart contract, after which the victims are instructed to send ETH to the new contract, which then causes the funds to be routed to an obfuscated threat actor-controlled wallet. "The combination of AI-generated content and aged YouTube accounts available for sale means that any modestly-resourced actor can obtain a YouTube account that the algorithm deems 'established' and weaponize the account to post customized content under a false pretext of legitimacy," Delamotte said.

Wave of 150 crypto-draining extensions hits Firefox add-on store

A malicious campaign dubbed 'GreedyBear' has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims. The campaign, discovered and documented by Koi Security, impersonates cryptocurrency wallet extensions from well-known platforms such as MetaMask, TronLink, and Rabby. These extensions are uploaded in a benign form initially, to be accepted by Firefox, and accumulate fake positive reviews. At a later phase, the publishers strip out the original branding and replace it with new names and logos while also injecting malicious code to steal users' wallet credentials and IP addresses. The malicious code acts as a keylogger, capturing input from form fields or within displayed popups, which are then sent to the attacker's server. "The weaponized extensions captures wallet credentials directly from user input fields within the extension's own popup interface, and exfiltrate them to a remote server controlled by the group," explains Koi Security's Tuval Admoni. "During initialization, they also transmit the victim's external IP address, likely for tracking or targeting purposes." The crypto-draining operation is complemented by dozens of Russian-speaking pirated software websites that facilitate the distribution of 500 distinct malware executables, and also a network of websites impersonating Trezor, Jupiter Wallet, and fake wallet repair services. In the cases of malware, the payloads include generic trojans, info-stealers (LummaStealer), or even ransomware. All of these sites are linked to the same IP address, 185.208.156.66, which serves as a command-and-control (C2) hub for the GreedyBear operation Koi Security reported its findings to Mozilla, and the offending extensions have been removed from Firefox's add-ons store. However, its wide scale and apparent ease in execution are a demonstration of how AI can help cybercriminals create large-scale schemes and quickly recover from total takedowns. "Our analysis of the campaign's code shows clear signs of AI-generated artifacts," explains the report. "This makes it faster and easier than ever for attackers to scale operations, diversify payloads, and evade detection." The previous large-scale attack on the Firefox store occurred last month, involving over 40 fake extensions pretending to be wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero. It's notable that these fraudulent extensions still find their way into the Firefox store despite Mozilla having deployed a system in June 2025 to detect crypto-drainer add-ons. Koi Security also reports seeing signs that the operators of GreedyBear are exploring expansion to the Chrome Web Store, as they already spotted a malicious Chrome extension named "Filecoin Wallet" that uses the same data-theft logic and communicates with the same IP address. To minimize the risk from these threats, always read multiple user reviews and check extension and publisher details before installing add-ons on your browser. You can find the official wallet extensions on the websites of the projects themselves, either hosted directly or linking to the legitimate add-on on online stores. BleepingComputer contacted Mozilla and Google about this campaign and their efforts to protect users, and will update this article with any responses.

Firefox fans beware - these malicious add-ons are stealing millions, so be on your guard

The crooks steal crypto and track their victims' IP addresses Cryptocurrency users running the Firefox browser should be careful - a major campaign has been detected aiming to steal their tokens right out of their wallets. Recently, security researchers from Koi Security identified 150 add-ons in the Mozilla store which served as infostealers and keyloggers. These add-ons started as benign tools, impersonating popular crypto wallets such as MetaMask, TronLink, or Rabby, but after accumulating enough downloads and positive reviews, the attackers replace them with new names and logos and inject malicious code that steals user wallet credentials and IP addresses. "The weaponized extensions captures wallet credentials directly from user input fields within the extension's own popup interface, and exfiltrate them to a remote server controlled by the group," Koi Security said in its writeup. "During initialization, they also transmit the victim's external IP address, likely for tracking or targeting purposes." The malicious code was partially generated with the help of AI, the experts said, dubbing the campaign "GreedyBear", and claiming it raked in more than a million dollars already. The "bear" in the name could be a reference to Russia, since the operation is apparently complemented by dozens of pirated software websites distributing 500 malware variants, as well as fake Trezor, Jupiter Wallet, and other crypto websites. All of them are written in Russian. The malware distributed through the website is generic, the researchers added, with LummaStealer standing out as a more notable name. All of the sites are linked to the same IP address, which means that a single entity is running the entire operation. Koi Security reported its findings to Mozilla, which swiftly removed all malicious add-ons from its repository. However, users who downloaded them in the meantime will remain at risk until they delete the add-ons from their browsers and refresh all login credentials.

GreedyBear Hackers Steal $1M+ in Crypto Hack Using 650-Tools and Fake Wallet Extensions

The GreedyBear carried out a $1 million crypto hack using 650 malicious tools and over 100 weaponized extensions.| Credit: Pexels. * GreedyBear stole over $1 million from users using 150 malicious Firefox extensions and nearly 500 malicious Windows executables. * The group used "Extension Hollowing" to turn trusted Firefox extensions into crypto-stealing tools. * Chainalysis reports $2.17 billion stolen in 2025, already surpassing all of 2024. Cybersecurity firm Koi Security has exposed a $1 million crypto hack by threat actor group GreedyBear, revealing the use of 650 malicious tools and over 100 weaponsized fake extensions. The attack reportedly hijacked 150 Firefox extensions, impersonating popular crypto wallets, tricking users, and bypassing Firefox's security systems. GreedyBear Crypto Hack According to a blog post from Koi Security, the GreedyBear hack saw users lose over $1 million in crypto through a new technique called "Extension Hollowing." Rather than attempting to sneak malware through initial marketplace reviews, GreedyBear first builds credibility with benign uploads, then swaps them for weaponized versions later. The process timeline: * Open a new marketplace account. * Post 5-7 innocuous extensions (link sanitizers, YouTube downloaders, utilities) with no real functionality. * Flood the listings with fake positive reviews. * Replace the code with malicious payloads while keeping the name, ratings, and install base intact. "This approach allows GreedyBear to bypass marketplace security by appearing legitimate during the initial review process, then weaponizing established extensions that already have user trust and positive ratings," Koi Security explained. Once active, the malicious extensions capture wallet credentials directly from user input fields in the extension, transmit the victim's IP address, and exfiltrate data to a remote server controlled by the group. Koi Security links this escalation to the earlier Foxy Wallet campaign, which involved 40 malicious extensions. The scale has now "more than doubled," according to the security firm. Windows Executibles In addition to the browser add-ons, nearly 500 malicious Windows executables were traced to GreedyBear's infrastructure, according to the security firm. Most were reportedly distributed through Russian websites hosting cracked or pirated software. The group has also stood up a network of scam websites posing as legitimate crypto hardware wallets and wallet-repair services. Unlike traditional phishing pages, these sites are presented as polished product landing pages, complete with fabricated UI mockups and fake branding. Crypto Hacks on the Rise The crypto industry is facing its most devastating year on record for theft, with over $2.17 billion stolen from services in the first half of 2025, according to new data from blockchain analytics firm Chainalysis. That figure already surpasses 2024, and if current trends hold, service-related thefts could eclipse $4 billion by year's end. The most consequential incident came in March, when North Korean hackers stole $1.5 billion from crypto exchange ByBit. Chainalysis said the breach accounted for 69% of all funds stolen from services this year. While service breaches dominate the headlines, Chainalysis also warned that personal wallets are becoming growing targets of stolen funds, representing 23.35% of all theft activity YTD. The firm said this is due to more individual crypto holders and the development of more "sophisticated individual-targeting techniques, potentially facilitated by the growth in easy-to-deploy LLM AI tools." In 2025, Chainalysis said that stolen fund activity is "the dominant concern" for the crypto ecosystem.