A sophisticated cybercriminal group known as GreedyBear has orchestrated a large-scale operation resulting in the theft of over $1 million in cryptocurrency. This campaign employs a combination of malicious browser extensions, crypto-targeting malware, and deceptive websites, highlighting the evolving complexity of cyber threats in the digital asset space.
Malicious Browser Extensions:
GreedyBear has infiltrated the Firefox browser marketplace by publishing over 150 counterfeit extensions that mimic popular cryptocurrency wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet. These extensions initially appear legitimate, allowing them to pass Mozilla’s security reviews. However, once installed, they are updated with malicious code designed to capture users’ wallet credentials directly from the extension’s own interface. This method, termed Extension Hollowing, enables the attackers to exploit user trust and bypass initial security checks. ([thehackernews.com](https://thehackernews.com/2025/08/greedybear-steals-1m-in-crypto-using.html?utm_source=openai))
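As an added illustration of the two-stage pattern described above (example code written for this page, not from the report or any vendor it cites), the check below diffs the manifest.json that passed review against the manifest shipped in a later update and holds the update for manual review when it gains permissions, page-injected scripts or background code. The two manifests and the wallet host names are constructed sample data.

```python
"""Added example: flag an Extension Hollowing style update by diffing the
reviewed manifest.json against the one shipped in the update.  All manifests
and host names here are constructed sample data, not campaign indicators."""
import json

# Assumed domains of the wallet products the report says were imitated;
# used only to label content scripts that would run inside a wallet's web UI.
WALLET_HOSTS = ("metamask.io", "tronlink.org", "exodus.com", "rabby.io")

def touches_wallets(match_patterns):
    """True if match patterns cover a wallet UI or every site."""
    return any(p in ("<all_urls>", "*://*/*") or any(h in p for h in WALLET_HOSTS)
               for p in match_patterns)

def added(old, new):
    """Items present in new but absent from old, order preserved."""
    return [x for x in new if x not in old]

def hollowing_findings(reviewed, update):
    """Human-readable deltas between the reviewed and updated manifests."""
    findings = []
    for key in ("permissions", "host_permissions"):
        for p in added(reviewed.get(key, []), update.get(key, [])):
            findings.append(f"new {key}: {p}")
    old_cs = {json.dumps(c, sort_keys=True) for c in reviewed.get("content_scripts", [])}
    for cs in update.get("content_scripts", []):
        if json.dumps(cs, sort_keys=True) not in old_cs:
            tag = "wallet-facing " if touches_wallets(cs.get("matches", [])) else ""
            findings.append(f"new {tag}content_script {cs.get('js')} on {cs.get('matches')}")
    if reviewed.get("background") != update.get("background"):
        findings.append(f"background scripts changed: {update.get('background')}")
    return findings

def review_verdict(reviewed, update):
    """'hold' when the update must go back to manual review, else 'pass'."""
    return "hold" if hollowing_findings(reviewed, update) else "pass"

# Constructed sample: the benign version that went through review ...
REVIEWED = {"manifest_version": 2, "name": "Wallet Companion", "version": "1.0.0",
            "permissions": ["storage"], "background": {"scripts": ["background.js"]}}
# ... and the hollowed update that adds page access plus new injected code.
UPDATE = {"manifest_version": 2, "name": "Wallet Companion", "version": "1.0.1",
          "permissions": ["storage", "tabs", "*://*.metamask.io/*"],
          "content_scripts": [{"matches": ["*://*.metamask.io/*"],
                               "js": ["injected.js"], "run_at": "document_idle"}],
          "background": {"scripts": ["background.js", "update.js"]}}

if __name__ == "__main__":
    for line in hollowing_findings(REVIEWED, UPDATE):
        print(line)
    print("verdict:", review_verdict(REVIEWED, UPDATE))
```

The same diff can be run by a marketplace reviewer on every resubmission or by an enterprise on locally installed extensions, where a version that silently gains page access is the signal, not the version that was first approved.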
Crypto-Targeting Malware:
In addition to malicious extensions, GreedyBear has distributed nearly 500 malware programs targeting cryptocurrency users. These include credential stealers like LummaStealer, which extract wallet information, and ransomware variants such as Luca Stealer, designed to demand cryptocurrency payments. The malware is primarily disseminated through Russian websites offering cracked or pirated software, further expanding the group’s reach. ([cointelegraph.com](https://cointelegraph.com/news/greedybear-scam-crypto-theft-industrial-scale-koi-security?utm_source=openai))
Deceptive Websites:
The third prong of GreedyBear’s attack involves a network of fraudulent websites posing as legitimate cryptocurrency products and services. These sites are crafted to closely resemble genuine platforms, advertising digital wallets, hardware devices, or wallet repair services. Unsuspecting users are tricked into entering sensitive information, leading to credential theft and financial fraud. ([cointelegraph.com](https://cointelegraph.com/news/greedybear-scam-crypto-theft-industrial-scale-koi-security?utm_source=openai))
Centralized Command and Control:
All components of the GreedyBear operation are controlled from a single server and IP address, acting as a central hub for command-and-control, credential collection, ransomware coordination, and scam websites. This centralized infrastructure allows the attackers to streamline operations across multiple channels, enhancing the efficiency and scale of their campaign. ([cointelegraph.com](https://cointelegraph.com/news/greedybear-scam-crypto-theft-industrial-scale-koi-security?utm_source=openai))
Use of AI-Generated Code:
Analyses of the campaign have uncovered signs of AI-generated code, enabling rapid scaling and diversification of crypto-targeting attacks. This represents a new evolution in crypto-focused cybercrime, allowing threat actors to adapt quickly and deploy a range of complex scams to target cryptocurrency users. ([cointelegraph.com](https://cointelegraph.com/news/greedybear-scam-crypto-theft-industrial-scale-koi-security?utm_source=openai))
Implications and Recommendations:
The GreedyBear campaign underscores the need for stronger vetting by browser vendors, developer transparency, and user vigilance. Users are advised to exercise caution when installing browser extensions or downloading software online, ensuring they originate from reputable sources. Additionally, the use of AI-generated code in cyber attacks highlights the importance of developing advanced detection and prevention mechanisms to counteract these evolving threats. ([cointelegraph.com](https://cointelegraph.com/news/greedybear-scam-crypto-theft-industrial-scale-koi-security?utm_source=openai))