- A campaign using over 150 fake Firefox extensions stole more than $1 million in cryptocurrency.
- The attackers copied popular crypto wallets to trick users and steal credentials.
- Malicious extensions bypassed security by starting as harmless apps, then adding harmful features later.
- The threat expands beyond Firefox, with similar attacks noted on Chrome and through scam sites.
- AI tools helped the attackers scale up, while related scams also used fake trading bots on YouTube to steal Ethereum.
A large-scale cyber campaign named GreedyBear has used more than 150 fraudulent browser extensions on the Firefox extension store to steal over $1 million in cryptocurrency. Attackers created fake versions of well-known crypto wallets—like MetaMask, TronLink, Exodus, and Rabby Wallet—to access credentials and digital assets.
According to Koi Security researcher Tuval Admoni, the attackers developed extensions that appeared trustworthy, using a method called “Extension Hollowing.” In this approach, they first released non-malicious browser add-ons to pass security checks before quietly adding malicious code later. The extensions collected users’ wallet credentials and IP addresses, forwarding the data to servers controlled by the group.
Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody’s watching, Admoni stated in a published report. The group’s earlier campaign used at least 40 similar extensions under the name Foxy Wallet, but the current activity marks a much larger operation.
Attackers didn’t limit their reach to browser add-ons. They also spread Malware through pirated software websites and created scam sites imitating crypto services to steal more credentials. All three types of attacks were linked by a shared command-and-control server with the IP address 185.208.156[.]66, used for gathering stolen data.
Koi Security also found signs that the attackers may have leveraged Artificial Intelligence tools in their operations, helping them broaden their campaign and adapt tactics. The malicious activity has reached other browsers, including a Chrome extension called Filecoin Wallet, which used the same data theft patterns.
Meanwhile, security company SentinelOne reported a separate, related scam involving fake trading bots promoted on YouTube. These videos, mostly produced by AI, instructed viewers to deploy malicious Ethereum smart contracts, resulting in over $900,000 in stolen cryptocurrency. Accounts pushing these scams were often established and featured curated positive feedback to gain users’ trust.
Victims who followed these steps had their Ethereum rerouted to the scammers’ wallets, demonstrating how attackers exploit trust across multiple digital platforms for financial theft.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Ripple XRP Soars 11% as SEC Case Ends, Trump 401k Order Lifts Hopes
- Trump Executive Order Opens 401(k) Accounts to Cryptocurrency Investments
- Block Adds 108 BTC in Q2, Bitcoin Holdings Now Worth $1.15B
- Mystery Creator Nets $5M Launching Hundreds of Memecoins Daily
- Tornado Cash Co-Founder Roman Storm Guilty on Money Transmitting Charge
