GreedyBear Crypto Heist: $1M Stolen Through Malicious Firefox Extensions and AI-Powered Tactics

Reviewed by Nidhi Govil

4 Sources

A sophisticated cybercrime campaign dubbed 'GreedyBear' has stolen over $1 million in cryptocurrency using malicious Firefox extensions and AI-generated tools, highlighting the evolving threats in the crypto space.

GreedyBear Campaign Exploits Firefox Add-ons

A sophisticated cybercrime operation dubbed 'GreedyBear' has successfully stolen over $1 million in cryptocurrency by exploiting vulnerabilities in the Firefox browser's add-on ecosystem. The campaign, uncovered by Koi Security, involves more than 150 malicious extensions that impersonate popular cryptocurrency wallets such as MetaMask, TronLink, and Rabby [1].

Source: Bleeping Computer

The attackers employed a novel technique called "Extension Hollowing" to bypass Mozilla's security measures. This method involves initially uploading benign extensions to build credibility, then later replacing them with malicious versions that capture wallet credentials and users' IP addresses [2].
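A defender-side check for the update pattern described above, as an added example that is not code from Koi Security, Mozilla, or the original article: it diffs two `manifest.json` snapshots of the same add-on ID and reports changes that deserve review. The two manifests are constructed samples, and the choice of signals (rename, sensitive permissions, new host access, new script files) is an assumption of this sketch.

```python
# Permissions treated as sensitive here; this set is an assumption of the
# example, not an official Mozilla list.
SENSITIVE = {"tabs", "webRequest", "cookies", "clipboardRead", "scripting"}

# Constructed snapshots: the version first published, and a later update.
OLD = {"manifest_version": 2, "name": "Simple Tab Notes", "version": "1.0",
       "permissions": ["storage"], "background": {"scripts": ["bg.js"]}}
NEW = {"manifest_version": 2, "name": "Example Wallet", "version": "1.1",
       "permissions": ["storage", "tabs", "webRequest", "<all_urls>"],
       "background": {"scripts": ["bg.js"]},
       "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}

def host_patterns(manifest):
    """Host access from permissions, host_permissions and content scripts."""
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", [])
             if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats

def script_files(manifest):
    """Background and content script files declared by the manifest."""
    bg = manifest.get("background", {})
    files = set(bg.get("scripts", []))
    if bg.get("service_worker"):
        files.add(bg["service_worker"])
    for cs in manifest.get("content_scripts", []):
        files |= set(cs.get("js", []))
    return files

def hollowing_signals(old, new):
    """Return review findings for an update from `old` to `new`."""
    findings = []
    if old.get("name") != new.get("name"):
        findings.append(f"name changed: {old.get('name')!r} -> {new.get('name')!r}")
    added = set(new.get("permissions", [])) - set(old.get("permissions", []))
    risky = sorted(added & SENSITIVE)
    if risky:
        findings.append("sensitive permissions added: " + ", ".join(risky))
    hosts = sorted(host_patterns(new) - host_patterns(old))
    if hosts:
        findings.append("host access added: " + ", ".join(hosts))
    files = sorted(script_files(new) - script_files(old))
    if files:
        findings.append("script files added: " + ", ".join(files))
    return findings

if __name__ == "__main__":
    for finding in hollowing_signals(OLD, NEW):
        print("-", finding)
```

An update that only bumps the version produces no findings, so the check stays quiet on routine releases.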

AI-Powered Tactics and Expansion

What sets GreedyBear apart is its use of artificial intelligence to scale operations and evade detection. The campaign's code shows clear signs of AI-generated artifacts, enabling attackers to diversify payloads and recover quickly from takedowns [1].

The operation has expanded beyond Firefox, with evidence of similar tactics being employed on the Chrome Web Store. A malicious Chrome extension named "Filecoin Wallet" was found using the same data-theft logic and communicating with the GreedyBear command-and-control server [2].

Broader Malware Distribution Network

GreedyBear's activities extend beyond browser extensions. The group has been linked to a network of Russian-language websites distributing pirated software, which serve as vectors for deploying various malware, including information stealers and ransomware [3].

Additionally, the attackers have set up scam websites impersonating legitimate cryptocurrency services like Trezor and Jupiter Wallet, as well as fake wallet repair tools. All these malicious sites are connected to a single IP address (185.208.156.66), which acts as the command-and-control hub for the entire operation [1].

Source: The Hacker News

Escalating Crypto Theft Trends

The GreedyBear campaign is part of a larger trend of increasing cryptocurrency thefts. According to Chainalysis, over $2.17 billion has been stolen from crypto services in the first half of 2025, already surpassing the total for all of 2024 [4].

This surge in crypto theft is attributed to more sophisticated targeting techniques, potentially facilitated by the growth of easily deployable AI tools. Personal wallets are becoming increasingly targeted, representing 23.35% of all theft activity year-to-date [4].

Mitigation and User Precautions

While Mozilla has removed the identified malicious extensions from its add-on store, users who have already installed them remain at risk. Experts advise Firefox users to be cautious when installing extensions, especially those related to cryptocurrency wallets [3].

Source: TechRadar

To minimize risks, users should thoroughly read reviews, check extension and publisher details before installation, and preferably download wallet extensions directly from official project websites or verified links [2].
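Because removal from the store does not uninstall anything, already-installed add-ons have to be audited locally. The following is an added example, not code from the article or its sources: it scans a constructed sample shaped like a Firefox profile's `extensions.json` and flags add-ons whose display name matches a wallet brand named above while their ID is missing from a vetted allowlist. The field layout (`addons`, `defaultLocale.name`, `defaultLocale.creator`), the allowlist, and all IDs are assumptions or placeholders.

```python
import json
import unicodedata

# Wallet brands the article names as impersonated.
BRANDS = ("metamask", "tronlink", "rabby")

# IDs your organisation has vetted. Constructed placeholder, not a real add-on ID.
APPROVED_IDS = {"approved-wallet@example.invalid"}

# Constructed sample; field names assume the layout of Firefox's extensions.json.
SAMPLE = json.dumps({"addons": [
    {"id": "approved-wallet@example.invalid", "type": "extension",
     "defaultLocale": {"name": "MetaMask", "creator": "Vetted Publisher"}},
    {"id": "{00000000-0000-4000-8000-000000000001}", "type": "extension",
     "defaultLocale": {"name": "Meta Mask Wallet", "creator": "unknown-dev"}},
    {"id": "notes@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Tab Notes", "creator": "someone"}},
    {"id": "theme@example.invalid", "type": "theme",
     "defaultLocale": {"name": "Rabby Dark", "creator": "someone"}},
]})

def normalize_name(name):
    """Fold case and compatibility forms, then drop spaces and punctuation.
    NFKC handles full-width letters; it does not map cross-script homoglyphs."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def audit(extensions_json, approved=APPROVED_IDS):
    """Return add-ons that use a wallet brand name but are not on the allowlist."""
    flagged = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes and dictionaries cannot run wallet-stealing code
        locale = addon.get("defaultLocale") or {}
        name = locale.get("name", "")
        brand = next((b for b in BRANDS if b in normalize_name(name)), None)
        if brand and addon.get("id") not in approved:
            flagged.append({"id": addon.get("id"), "name": name,
                            "brand": brand, "creator": locale.get("creator")})
    return flagged

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(f"review: {hit['name']!r} ({hit['id']}) by {hit['creator']}")
```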

TheOutpost.ai

© 2025 Triveous Technologies Private Limited