Close Menu
AsiaTokenFundAsiaTokenFund
  • Home
  • Crypto News
    • Bitcoin
    • Altcoin
  • Web3
    • Blockchain
  • Trading
  • Regulations
    • Scams
  • Submit Article
  • Contact Us
  • Terms of Use
    • Privacy Policy
    • DMCA
What's Hot

Under $0.10 but already up 500% in 2025: why top BTC and SOL holders are stacking XRP’s newest rival

August 8, 2025

AI Picks Its Top Gainer For The 2025 Bull Run: Spoiler – It’s Not Shiba Inu (SHIB) or Dogecoin (DOGE)

August 8, 2025

China Bans Stablecoin Promotions Amid Fraud Fears

August 8, 2025
Facebook X (Twitter) Instagram
Facebook X (Twitter) YouTube LinkedIn
AsiaTokenFundAsiaTokenFund
ATF Capital
  • Home
  • Crypto News
    • Bitcoin
    • Altcoin
  • Web3
    • Blockchain
  • Trading
  • Regulations
    • Scams
  • Submit Article
  • Contact Us
  • Terms of Use
    • Privacy Policy
    • DMCA
AsiaTokenFundAsiaTokenFund

GreedyBear Hackers Steal $1M+ in ‘Industrial Scale’ Crypto Theft

0
By Aggregated - see source on August 8, 2025 Blockchain
Share
Facebook Twitter LinkedIn Pinterest Email

Crypto Journalist

Anas Hassan

Crypto Journalist

Anas Hassan

About Author

Anas is a crypto native journalist and SEO writer with over five years of writing experience covering blockchain, crypto, DeFi, and emerging tech.

Share

Last updated: 

August 8, 2025


Why Trust Cryptonews

Cryptonews has covered the cryptocurrency industry topics since 2017, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas – from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews

GreedyBear Hackers Steal $1M+ in 'Industrial Scale' Crypto Theft Using Multi-Vector Attack

Cybersecurity firm Koi Security exposed the GreedyBear attack group’s sophisticated operation, utilizing 150 weaponized Firefox extensions, nearly 500 malicious executables, and dozens of phishing websites to steal over $1 million in crypto.

The coordinated campaign employed a novel “Extension Hollowing” technique to bypass marketplace security by building legitimate-seeming extension portfolios before weaponizing them with malicious code.

Single Server Controls $1M+ Theft Operation

The attack group consolidated operations through a single server, controlling command infrastructure across browser extensions, malware payloads, and scam websites.

GreedyBear evolved from the previously identified “Foxy Wallet” campaign involving 40 malicious extensions. They now show massive scale and coordination in crypto-focused cybercrime operations.

The malicious Firefox extensions impersonated popular cryptocurrency wallets, including MetaMask, TronLink, Exodus, and Rabby Wallet, while capturing credentials directly from user input fields.

GreedyBear Hackers Steal $1M+ in 'Industrial Scale' Crypto Theft Using Multi-Vector Attack
Source: Koi Security

Nearly 500 Windows executables spanning multiple malware families targeted victims through Russian websites distributing cracked software, while fake product landing pages advertised fraudulent hardware wallets and repair services.

Security researchers identified clear signs of AI-generated code artifacts throughout the campaign, enabling attackers to scale operations rapidly and evade detection systems.

The infrastructure expansion includes confirmed Chrome extension variants and suggests imminent cross-platform deployment to Edge and other browser ecosystems beyond Firefox.

Extension Hollowing Technique Bypasses Marketplace Security Through Trust Building

GreedyBear pioneered the Extension Hollowing methodology by creating publisher accounts and uploading 5-7 innocuous extensions, such as link sanitizers and YouTube downloaders, with no functional capabilities.

GreedyBear Hackers Steal $1M+ in 'Industrial Scale' Crypto Theft Using Multi-Vector Attack
Source: Koi Security

The attackers posted dozens of fake positive reviews to build credibility ratings before weaponizing established extensions by changing names, icons, and injecting malicious code.

This approach allowed bypassing marketplace security during initial reviews while maintaining positive ratings and user trust from the hollowed extension’s legitimate history.

The weaponized extensions transmitted victim IP addresses during initialization while capturing wallet credentials from pop-up interfaces and exfiltrating data to remote servers.

The campaign originated from the Foxy Wallet operation but evolved beyond the initial 40 malicious extensions to over 150 weaponized Firefox add-ons.

Source: Koi Security

Victims reported substantial losses as extensions maintained expected wallet functionality while secretly transmitting credentials to attacker-controlled infrastructure.

Koi Security confirmed connections to Chrome through a “Filecoin Wallet” extension communicating with the same server.

The group’s systematic approach to marketplace manipulation and trust exploitation created sustainable distribution channels for credential theft operations, which OKX and Microsoft have warned about earlier this year.

Multi-Platform Campaign Coordinates Malware Distribution Through Centralized Infrastructure

The 500 malicious Windows executables encompassed multiple malware families. Distribution occurred through Russian websites hosting cracked and pirated software, targeting users seeking free alternatives to legitimate applications.

Scam websites masqueraded as Jupiter-branded hardware wallets with fabricated UI mockups and wallet repair services claiming to fix Trezor devices.

GreedyBear Hackers Steal $1M+ in 'Industrial Scale' Crypto Theft Using Multi-Vector Attack
Source: Koi Security

The fraudulent landing pages collected personal information, wallet credentials, and payment details through convincing product demonstrations and service offerings.

The centralized server infrastructure enabled streamlined operations across credential collection, ransomware coordination, and phishing campaigns while maintaining operational security.

All domains resolved to the single IP address, which creates a unified command-and-control system for the multi-vector attack campaign.

The campaign’s AI-assisted scaling capabilities enabled rapid payload diversification and detection evasion, which is starting to look like the new normal for crypto-focused cybercrime operations.

Legacy security solutions face increasing challenges as attackers leverage sophisticated automation tools to accelerate attack development and deployment cycles.

Recent large-scale incidents include $1 million in YouTube account hijacking scams, $3.05 million phishing losses, and the $4.5 million CrediX exploit that was subsequently recovered through hacker negotiations.

Many experts have criticized the current crypto security landscape for enabling unethical actions, particularly in the negotiation approach.

Speaking with Cryptonews, Circuit CEO Harry Donnelly criticized negotiation-based recovery methods following recent CrediX protocol fund returns, stating that “automated threat response should be standard to ensure assets are kept out of harm’s way, rather than hoping to bargain with bad actors.”

He emphasized that “the CrediX recovery is a rare win in a system that too often leaves users with little recourse.”

This comes as the cumulative total for the first half of 2025 has hit $2.2 billion in losses through 344 incidents only.


Credit: Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

TRON (TRX) Hits $0.34 as $1 Billion Buyback Program Drives Massive Rally

August 8, 2025

Blockchain Association’s Summer Mersinger Praises Exec Orders

August 7, 2025

NYDFS Secures Settlement From Paxos Over Binance Dealings

August 7, 2025
Leave A Reply Cancel Reply

What's New Here!

Under $0.10 but already up 500% in 2025: why top BTC and SOL holders are stacking XRP’s newest rival

August 8, 2025

AI Picks Its Top Gainer For The 2025 Bull Run: Spoiler – It’s Not Shiba Inu (SHIB) or Dogecoin (DOGE)

August 8, 2025

China Bans Stablecoin Promotions Amid Fraud Fears

August 8, 2025

Pepeto (PEPETO) Price Forecast: Can a $2,000 Bet Grow Into $1 Million Before the Next Bitcoin Halving?

August 8, 2025
AsiaTokenFund
Facebook X (Twitter) LinkedIn YouTube
  • Home
  • Crypto News
    • Bitcoin
    • Altcoin
  • Web3
    • Blockchain
  • Trading
  • Regulations
    • Scams
  • Submit Article
  • Contact Us
  • Terms of Use
    • Privacy Policy
    • DMCA
© 2025 asiatokenfund.com - All Rights Reserved!

Type above and press Enter to search. Press Esc to cancel.

Ad Blocker Enabled!
Ad Blocker Enabled!
Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.