- GreedyBear, a Russian hacking group, has stolen $1 million in cryptocurrency in five weeks using new attack methods.
- The group deployed 150 modified Firefox browser extensions to target users worldwide.
- Attackers created fake versions of popular crypto wallets like MetaMask, Exodus, Rabby Wallet, and TronLink.
- Besides browser extensions, nearly 500 malicious Windows programs and multiple phishing websites were used.
- Investigators say the campaign operates from a single IP address, suggesting criminal rather than state-sponsored activity.
GreedyBear, a Russian cybercrime group, has stolen $1 million over the last five weeks, according to research by Koi Security. The group used 150 malicious Firefox browser extensions and other attack methods to target cryptocurrency users internationally.
The operation involved fake versions of widely used crypto wallets—including MetaMask, Exodus, Rabby Wallet, and TronLink—disguised as legitimate browser add-ons. Koi Security reported the campaign also used close to 500 harmful Windows executables and dozens of phishing websites to trick victims into giving up their private wallet credentials.
“The Firefox campaign is by far its most lucrative attack vector, having gained them most of the $1 million reported,” said Koi Security CTO Idan Dardikman, as quoted in Decrypt. Attackers used “Extension Hollowing,” a method where harmless extensions are uploaded first, then updated later with harmful code to bypass browser marketplace checks. The group posted fake user reviews to make these add-ons seem trustworthy.
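Because hollowing means the first upload passes marketplace review and only a later update carries the payload, one defender-side check is to diff each update's manifest.json against the previously approved version and flag newly added sensitive permissions or content scripts. The script below is an added illustration, not code from the article or from Koi Security's report; the two manifests and the sensitive-permission list are constructed assumptions.

```python
import json
from typing import List

# Constructed sample manifests for a hypothetical extension: the benign first
# upload, and a later update that "hollows" it with broad new capabilities.
MANIFEST_V1 = json.dumps({
    "manifest_version": 2, "name": "Crypto Price Ticker", "version": "1.0",
    "permissions": ["storage"],
    "content_scripts": [],
})
MANIFEST_V2 = json.dumps({
    "manifest_version": 2, "name": "Crypto Price Ticker", "version": "1.1",
    "permissions": ["storage", "<all_urls>", "webRequest", "clipboardRead"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})

# Assumed review policy: permissions whose sudden appearance in an update
# should trigger a manual look before the new version is approved.
SENSITIVE = {"<all_urls>", "webRequest", "webRequestBlocking",
             "clipboardRead", "clipboardWrite", "nativeMessaging", "tabs"}


def hollowing_indicators(old_manifest: str, new_manifest: str) -> List[str]:
    """Compare two manifest.json versions and return findings describing
    capabilities the update added that the approved version did not have."""
    old, new = json.loads(old_manifest), json.loads(new_manifest)
    findings: List[str] = []

    # Permissions present in the update but absent from the approved build.
    added = set(new.get("permissions", [])) - set(old.get("permissions", []))
    for perm in sorted(added & SENSITIVE):
        findings.append(f"added sensitive permission: {perm}")

    # Content scripts injected into pages are where a payload would run.
    old_cs = old.get("content_scripts", [])
    new_cs = new.get("content_scripts", [])
    if len(new_cs) > len(old_cs):
        matches = sorted({m for cs in new_cs for m in cs.get("matches", [])})
        findings.append(f"added content scripts matching: {', '.join(matches)}")
    return findings


if __name__ == "__main__":
    for line in hollowing_indicators(MANIFEST_V1, MANIFEST_V2):
        print(line)
```

Run against real add-on updates, the same diff applied to each new version in a review queue surfaces the permission jump that a one-time review of the first upload cannot see.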
Once a user installs the malicious extension, the software steals wallet credentials, allowing thieves to access and drain cryptocurrency funds. This recent campaign marks a large jump from GreedyBear’s previous attacks; their last major effort used only 40 extensions over several months, compared to 150 in just over a month this time.
GreedyBear’s other techniques included spreading harmful software programs on Russian websites that offer pirated or altered software. These programs contain tools such as credential stealers, ransomware, and trojans, pointing to a flexible malware operation.
The campaign also ran dozens of phishing sites pretending to be crypto wallet services, repair shops, or hardware device sellers. These websites encouraged users to enter private information, which was used to steal assets. Koi Security traced almost all related web domains to a single IP address: 185.208.156.66.
Dardikman explained that running everything through one central IP suggests a tightly controlled criminal group, rather than a government-backed operation, because state actors usually use distributed networks to avoid single points of failure.
He advised users to install only browser extensions from verified developers and avoid pirated software sites. He also recommended using official wallet software, switching to hardware wallets for significant holdings, and only purchasing devices from official manufacturer websites, since fake hardware wallet sites are part of the scam. More information is available via Koi Security’s detailed report.