- The Russian cybercrime group GreedyBear has stolen over US$1 million in crypto in just five weeks.
- The group achieved this by creating over 150 malicious Firefox extensions that impersonate popular crypto wallets like MetaMask and TronLink.
- According to security firm Koi Security, this campaign represents a new, “industrial scale” of crypto theft.
The GreedyBear hacking group, linked to Russian cybercriminal circles, has stolen more than US$1M (AU$1.55M) in cryptocurrency by targeting users of MetaMask and TronLink wallets through malicious Firefox extensions.
These fake add-ons, crafted to appear legitimate, compromised wallets once installed. Moreover, investigators say the attackers deployed AI-assisted malware to steal credentials, a tactic MetaMask’s own security team has previously warned about.
The group reportedly used over 650 malicious tools, including 150 fake browser extensions, highlighting how browser-based attacks can bypass conventional protections.
A New Standard For Cybercriminals
It looks like GreedyBear is raising the bar for cybercrime, not by targeting bigger crypto sites, but by operating like a Fortune 500 company, at least according to Koi Security researcher Tuval Admoni.
Admoni said the group’s approach breaks from the norm by combining three distinct attack methods rather than focusing on a single vector.
Over 650 malicious tools have been identified, including more than 150 fake Firefox extensions impersonating wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet.
Using an “Extension Hollowing” tactic, GreedyBear initially publishes legitimate extensions to pass security reviews before injecting malicious code that captures wallet credentials through counterfeit interfaces.
Almost all domains — across extensions, EXE payloads, and phishing sites — resolve to a single IP address: 185.208.156.66. This server acts as a central hub for command-and-control (C2), credential collection, ransomware coordination, and scam websites, allowing the attackers to streamline operations across multiple channels.
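One way a defender can act on the single-address detail above, as an added example that is not code from the article or from Koi Security: scan resolver logs for domains that resolve to the published address, and surface any other address that behaves like a hub (many unrelated domains pointing at one IP). The log line format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# IoC quoted in the article: the address that extensions, EXE payloads and phishing
# sites all resolved to. Seed list; extend it from your own threat intel.
KNOWN_HUB_IPS = {"185.208.156.66"}

# Assumed resolver-log format (constructed for this example, not from the article):
# "<timestamp> client=<ip> q=<domain> a=<answer-ipv4>"
LINE_RE = re.compile(r"q=(?P<domain>\S+)\s+a=(?P<answer>\d{1,3}(?:\.\d{1,3}){3})")

def parse_resolutions(lines):
    """Yield (domain, answer_ip) from log lines; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["domain"].rstrip(".").lower(), m["answer"]

def registrable(domain):
    """Crude eTLD+1 (last two labels): groups subdomains of one site together."""
    return ".".join(domain.split(".")[-2:])

def find_hubs(lines, known=KNOWN_HUB_IPS, min_domains=3):
    """Return {ip: sorted domains} for answer IPs that are known IoCs, or that
    serve >= min_domains unrelated registrable domains (the single-hub pattern)."""
    by_ip = defaultdict(set)
    for domain, ip in parse_resolutions(lines):
        by_ip[ip].add(domain)
    hubs = {}
    for ip, domains in by_ip.items():
        if ip in known or len({registrable(d) for d in domains}) >= min_domains:
            hubs[ip] = sorted(domains)
    return hubs

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2025-08-08T10:00:01Z client=10.0.0.5 q=wallet-update.example. a=185.208.156.66",
    "2025-08-08T10:00:02Z client=10.0.0.5 q=ledger-repair.example. a=185.208.156.66",
    "2025-08-08T10:00:03Z client=10.0.0.7 q=www.example.org. a=198.51.100.1",
    "2025-08-08T10:00:04Z client=10.0.0.9 q=a.cdn.example. a=203.0.113.10",
    "2025-08-08T10:00:05Z client=10.0.0.9 q=b.cdn.example. a=203.0.113.10",
    "2025-08-08T10:00:06Z client=10.0.0.2 q=shop.example.net. a=203.0.113.10",
    "2025-08-08T10:00:07Z client=10.0.0.2 q=news.example.com. a=203.0.113.10",
    "2025-08-08T10:00:08Z client=10.0.0.2 q=mail.example.test. a=203.0.113.10",
    "malformed line that is skipped",
]

if __name__ == "__main__":
    for ip, domains in find_hubs(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(domains))
```

Shared hosting and CDNs also put many domains behind one address, so a hub hit is a pivot point for investigation rather than a verdict on its own.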
The New Normal (With AI In It)
The second attack layer relies on nearly 500 malware samples, including LummaStealer for harvesting wallet data and ransomware strains like Luca Stealer (an open-source Rust-based malware) demanding cryptocurrency payments.
These are largely distributed via Russian sites offering pirated or cracked software.
The final component is a network of fraudulent websites presented as legitimate wallet services, hardware device vendors, or repair platforms.
There’s also evidence of AI-generated code within the campaign, which points to faster development cycles and rapid scaling of attack types, an escalation in crypto-focused cybercrime.
Admoni warned that these blended strategies represent a “new normal” in the threat landscape, stressing the urgent need for stronger extension store vetting, developer transparency, and heightened user vigilance.
The post GreedyBear Hackers Steal $1M Using Malicious Firefox Extensions appeared first on Crypto News Australia.