Koi Security’s research team has unveiled GreedyBear, a threat group orchestrating industrial-scale cryptocurrency theft through a seamless blend of browser extensions, malware executables, and fraudulent websites.
“150 weaponized Firefox extensions. Nearly 500 malicious executables. Dozens of phishing websites. One coordinated attack infrastructure. According to user reports, over $1 million stolen,” Koi Security states.
GreedyBear is no longer a group dabbling in one attack vector. The campaign’s tactics include:
1. Weaponized Firefox Extensions
Over 150 malicious extensions have been published to the Firefox marketplace, masquerading as trusted cryptocurrency wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet. The group uses a technique dubbed Extension Hollowing:
- Build a portfolio of harmless utilities with fake positive reviews.
- Once trust is established, replace them with malicious versions that capture wallet credentials.
- Send stolen data — including IP addresses — to a remote C2 server.
This mirrors their earlier Foxy Wallet campaign but has now doubled in scale.
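As an added illustration (not Koi Security's code or tooling), the script below audits a Firefox profile's extensions.json for the pattern described above: an add-on whose name borrows one of the wallet brands named in the report, that changed after it was installed, and that holds permissions broad enough to read wallet credentials. The extensions.json field names are assumed to match Firefox's profile file, the two sample entries are constructed, and the list of verified vendor IDs is a placeholder the operator fills in.

```python
import json

# Wallet brands the report names as impersonated by GreedyBear extensions.
IMPERSONATED_BRANDS = ("metamask", "tronlink", "exodus", "rabby")

# Constructed sample shaped like Firefox's profile file extensions.json
# (field names assumed). The second entry models the "Extension Hollowing"
# lifecycle: installed as a plain utility, later replaced by an update.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "notes@example.test", "type": "extension", "version": "1.0.2",
     "defaultLocale": {"name": "Quick Notes"},
     "installDate": 1717200000000, "updateDate": 1717200000000,
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "helper@example.test", "type": "extension", "version": "3.0.0",
     "defaultLocale": {"name": "MetaMask Wallet Helper"},
     "installDate": 1717200000000, "updateDate": 1754500000000,
     "userPermissions": {"permissions": ["storage", "tabs", "webRequest"],
                         "origins": ["<all_urls>"]}},
]})


def audit_extensions(extensions_json, known_good_ids=frozenset()):
    """Return {addon_id: [reasons]} for add-ons that deserve a closer look.

    known_good_ids: IDs the operator has verified as the vendors' official
    builds (placeholder; the article does not list them).
    """
    findings = {}
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or addon["id"] in known_good_ids:
            continue
        name = addon.get("defaultLocale", {}).get("name", "").lower()
        reasons = ["name impersonates " + b for b in IMPERSONATED_BRANDS if b in name]
        if not reasons:
            continue  # brand impersonation is the trigger; the rest is context
        # Hollowing signature: the add-on changed after it earned its reviews.
        if addon.get("updateDate", 0) > addon.get("installDate", 0):
            reasons.append("updated after install")
        perms = addon.get("userPermissions", {})
        if "<all_urls>" in perms.get("origins", []):
            reasons.append("can read every site")
        if "webRequest" in perms.get("permissions", []):
            reasons.append("can intercept requests")
        findings[addon["id"]] = reasons
    return findings


if __name__ == "__main__":
    for addon_id, reasons in audit_extensions(SAMPLE_EXTENSIONS_JSON).items():
        print(addon_id, "->", ", ".join(reasons))
```

Point the script at a real profile by reading extensions.json from disk and passing its contents, with the vendors' official add-on IDs in known_good_ids.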
2. Nearly 500 Malicious Executables
Koi Security identified almost 500 malicious Windows executables linked to the same infrastructure, spanning credential stealers, ransomware, and trojans.
These are mainly distributed via Russian websites offering cracked or pirated software, indicating a robust malware delivery pipeline.
“The reuse of infrastructure across these binaries and the browser extensions points to a centralized backend… run by the same threat group.”
3. High-Quality Scam Sites
GreedyBear also operates professional-looking scam sites advertising fake wallets, hardware devices, and “repair services” for brands like Trezor. These aren’t typical login phishing portals — they’re full product pages designed to convince victims to hand over wallet seeds or credit card data.
Perhaps the most telling discovery: almost all malicious domains resolve to 185.208.156.66, serving as the central hub for C2, credential collection, ransomware coordination, and scam hosting.
GreedyBear’s ambitions aren’t limited to Firefox. Earlier detection of a malicious Chrome “Filecoin Wallet” extension linked to the same IP suggests cross-browser expansion.
The campaign also shows AI-generated code artifacts, which Koi Security warns enable attackers to “scale operations, diversify payloads, and evade detection” faster than ever.
“This isn’t a passing trend — it’s the new normal. As attackers arm themselves with increasingly capable AI, defenders must respond with equally advanced security tools and intelligence.”