GreedyBear Hackers Steal $1M+ in ‘Industrial Scale’ Crypto Theft

Crypto Journalist

Anas Hassan

Crypto Journalist

Anas Hassan

About Author

Anas is a crypto native journalist and SEO writer with over five years of writing experience covering blockchain, crypto, DeFi, and emerging tech.

Share

Last updated: 

August 8, 2025

Cybersecurity firm Koi Security exposed the GreedyBear attack group’s sophisticated operation, utilizing 150 weaponized Firefox extensions, nearly 500 malicious executables, and dozens of phishing websites to steal over $1 million in crypto.

The coordinated campaign employed a novel “Extension Hollowing” technique to bypass marketplace security by building legitimate-seeming extension portfolios before weaponizing them with malicious code.

Single Server Controls $1M+ Theft Operation

The attack group consolidated operations through a single server, controlling command infrastructure across browser extensions, malware payloads, and scam websites.

GreedyBear evolved from the previously identified “Foxy Wallet” campaign involving 40 malicious extensions. They now show massive scale and coordination in crypto-focused cybercrime operations.

The malicious Firefox extensions impersonated popular cryptocurrency wallets, including MetaMask, TronLink, Exodus, and Rabby Wallet, while capturing credentials directly from user input fields.

Nearly 500 Windows executables spanning multiple malware families targeted victims through Russian websites distributing cracked software, while fake product landing pages advertised fraudulent hardware wallets and repair services.

Security researchers identified clear signs of AI-generated code artifacts throughout the campaign, enabling attackers to scale operations rapidly and evade detection systems.

The infrastructure expansion includes confirmed Chrome extension variants and suggests imminent cross-platform deployment to Edge and other browser ecosystems beyond Firefox.

Extension Hollowing Technique Bypasses Marketplace Security Through Trust Building

GreedyBear pioneered the Extension Hollowing methodology by creating publisher accounts and uploading 5-7 innocuous extensions, such as link sanitizers and YouTube downloaders, with no functional capabilities.

The attackers posted dozens of fake positive reviews to build credibility ratings before weaponizing established extensions by changing names, icons, and injecting malicious code.

This approach allowed bypassing marketplace security during initial reviews while maintaining positive ratings and user trust from the hollowed extension’s legitimate history.

The weaponized extensions transmitted victim IP addresses during initialization while capturing wallet credentials from pop-up interfaces and exfiltrating data to remote servers.

The campaign originated from the Foxy Wallet operation but evolved beyond the initial 40 malicious extensions to over 150 weaponized Firefox add-ons.

Victims reported substantial losses as extensions maintained expected wallet functionality while secretly transmitting credentials to attacker-controlled infrastructure.

Koi Security confirmed connections to Chrome through a “Filecoin Wallet” extension communicating with the same server.

The group’s systematic approach to marketplace manipulation and trust exploitation created sustainable distribution channels for credential theft operations, which OKX and Microsoft have warned about earlier this year.

Multi-Platform Campaign Coordinates Malware Distribution Through Centralized Infrastructure

The 500 malicious Windows executables encompassed multiple malware families. Distribution occurred through Russian websites hosting cracked and pirated software, targeting users seeking free alternatives to legitimate applications.

Scam websites masqueraded as Jupiter-branded hardware wallets with fabricated UI mockups and wallet repair services claiming to fix Trezor devices.

The fraudulent landing pages collected personal information, wallet credentials, and payment details through convincing product demonstrations and service offerings.

The centralized server infrastructure enabled streamlined operations across credential collection, ransomware coordination, and phishing campaigns while maintaining operational security.

All domains resolved to the single IP address, which creates a unified command-and-control system for the multi-vector attack campaign.

The campaign’s AI-assisted scaling capabilities enabled rapid payload diversification and detection evasion, which is starting to look like the new normal for crypto-focused cybercrime operations.

Legacy security solutions face increasing challenges as attackers leverage sophisticated automation tools to accelerate attack development and deployment cycles.

Recent large-scale incidents include $1 million in YouTube account hijacking scams, $3.05 million phishing losses, and the $4.5 million CrediX exploit that was subsequently recovered through hacker negotiations.

Many experts have criticized the current crypto security landscape for enabling unethical actions, particularly in the negotiation approach.

Speaking with Cryptonews, Circuit CEO Harry Donnelly criticized negotiation-based recovery methods following recent CrediX protocol fund returns, stating that “automated threat response should be standard to ensure assets are kept out of harm’s way, rather than hoping to bargain with bad actors.”

He emphasized that “the CrediX recovery is a rare win in a system that too often leaves users with little recourse.”

This comes as the cumulative total for the first half of 2025 has hit $2.2 billion in losses through 344 incidents only.