A Russian-based cybercriminal group known as GreedyBear has launched a large-scale campaign targeting cryptocurrency users through the distribution of over 150 malicious Firefox extensions that mimic trusted crypto wallets like MetaMask, TronLink, and Exodus [4]. These fake extensions, which were initially approved on the Firefox Add-ons marketplace, bypassed security reviews through a method known as “Extension Hollowing” [1]. The tactic involves submitting benign versions of the extensions, which are later updated with malicious code to steal wallet credentials and siphon cryptocurrency [4]. According to Koi Security, this operation has already resulted in over $1 million in stolen assets within five weeks [1].
The group’s tactics also include the deployment of nearly 500 malicious Windows executables distributed through Russian-based software piracy sites and the creation of dozens of phishing websites posing as legitimate crypto services [4]. These websites are used to extract personal information and wallet credentials from unsuspecting users. The Firefox-based campaign primarily targets English-speaking users, while the executable-based attacks focus on Russian-speaking individuals [4]. Despite the diversity of methods, nearly all attack domains are traced back to a single IP address: 185.208.156.66, which serves as a central hub for coordination and data collection [1].
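The one hard indicator the reporting above gives is the single IP address the attack domains resolve to. The following is an added example, not code from the article or from Koi Security, showing how a defender might sweep proxy or egress logs for that indicator and list which internal hosts need triage. The log format and the log lines are constructed for the example; `parse_line`, `find_indicator_hits` and `hosts_to_triage` are names chosen here.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicator named in the reporting this article cites: the single IP that
# nearly all GreedyBear attack domains were traced back to. Treated here as
# a hunt term / blocklist entry.
GREEDYBEAR_INDICATORS = {"185.208.156.66"}

# Constructed sample proxy log lines (not real traffic). Assumed format:
# "<timestamp> <client-ip> <destination[:port]> <http-status>".
SAMPLE_LOG = """\
2025-08-07T10:01:02Z 10.0.0.12 addons.mozilla.org:443 200
2025-08-07T10:01:05Z 10.0.0.12 185.208.156.66:443 200
2025-08-07T10:02:11Z 10.0.0.44 example.org:443 304
this line is malformed
2025-08-07T10:03:40Z 10.0.0.12 185.208.156.66 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Strip an optional ":port" so "185.208.156.66:443" matches the bare IP.
    # (Assumes IPv4 or hostnames; bracketed IPv6 literals are not handled.)
    host, _, _port = rec["dst"].rpartition(":")
    rec["dst"] = host if host else rec["dst"]
    return rec


def find_indicator_hits(lines: Iterable[str],
                        indicators=GREEDYBEAR_INDICATORS) -> List[Dict[str, str]]:
    """Return parsed records whose destination is one of the indicators.

    Malformed lines are skipped rather than aborting the sweep.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["dst"] in indicators:
            hits.append(rec)
    return hits


def hosts_to_triage(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per internal client so responders know which hosts to check."""
    counts: Dict[str, int] = {}
    for rec in hits:
        counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_indicator_hits(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']} (HTTP {rec['status']})")
    print("hosts to triage:", hosts_to_triage(hits))
```

Matching on the destination after stripping the port is deliberate: a blocklist that only matches `185.208.156.66:443` would miss the same server contacted on another port. In a real deployment the indicator set would be loaded from a feed rather than hard-coded, and a hit on a workstation is a prompt to inspect that browser's installed extensions and rotate any wallet credentials used from it.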
The centralized nature of the operation suggests a profit-driven cybercriminal group rather than a state-sponsored entity [4]. Idan Dardikman, CTO of Koi Security, noted that government-backed operations typically use distributed infrastructure to avoid centralized points of failure. GreedyBear’s activities reflect an evolving threat landscape in which attackers exploit user trust in well-known software brands to carry out industrial-scale theft [1]. The group’s use of fake reviews and social engineering techniques highlights the sophistication of their operations and the need for greater awareness among users regarding the risks associated with browser extensions [4].
Koi Security recommends that users only install extensions from verified developers with long histories and avoid untrusted or pirated software sites [4]. Dardikman also advised using hardware wallets for significant crypto holdings and purchasing them directly from official manufacturer websites, as GreedyBear has been known to create fake hardware wallet sites [4]. For those who rely on software wallets, the report emphasizes the importance of multi-signature setups and strong authentication protocols to prevent unauthorized access [4].
The scale and methodology of the GreedyBear campaign highlight the vulnerabilities in the broader cryptocurrency ecosystem, particularly the risks associated with decentralized finance and browser-based wallet usage [1]. As the attack vector evolves, so must the security measures employed by both platform providers and individual users. The incident also serves as a reminder of the growing trend in cybercrime that combines social engineering, phishing, and malware to extract sensitive information [1].
Sources:
[1] https://gbhackers.com/record-breaking-greedybear-attack-uses-650-hacking-tools/
[4] https://thecyberpost.com/news/hackers/greedybear-steals-1m-in-crypto-using-150-malicious-firefox-wallet-extensions/