Analysts have uncovered a large-scale cryptocurrency scam operation led by a group known as GreedyBear, which has stolen over $1 million from victims through a sophisticated campaign involving malicious Firefox browser extensions [1]. The operation, detailed by cybersecurity firm Koi Security, involves the deployment of 150 weaponized Firefox extensions alongside 500 malicious Windows executables, targeting users across multiple platforms [1].
The scam group primarily targets popular cryptocurrency wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet, creating fake extensions that mimic their interfaces to steal user credentials when users attempt to log in [1]. The extensions are often disguised as legitimate tools like link sanitizers and YouTube downloaders, published under fresh publisher names to establish credibility. Once an extension has accumulated positive reviews, the attackers alter its name and icon and inject malicious code, while the extension retains the reputation it built [1].
The stolen credentials are sent to remote servers controlled by the criminal group for further exploitation [1]. Additionally, the extensions transmit the IP addresses of victims upon startup, enabling the attackers to track users and refine their targeting strategies [1]. This strategy follows a similar pattern to the previous Foxy Wallet campaign, which involved 40 malicious extensions, but the current operation has expanded significantly in scope [1].
Beyond browser extensions, the GreedyBear campaign utilizes nearly 500 malicious Windows executables distributed through Russian websites offering cracked or pirated software [1]. These include credential stealers like LummaStealer, which target crypto wallet information stored locally, as well as ransomware variants that encrypt user files and demand cryptocurrency payments for decryption keys [1]. The group also employs generic trojans to establish backdoor access for future attacks [1].
In addition to software-based attacks, the group operates fake cryptocurrency service websites that mimic legitimate platforms to extract sensitive information such as private keys and wallet recovery phrases [1]. For example, one reported scam site claimed to offer technical support for repairing damaged Trezor hardware wallets while harvesting user credentials [1]. These sites often appear authentic, making it difficult for victims to distinguish them from genuine services [1].
A centralized IP address, 185.208.156.66, serves as the command and control center for the entire operation, connecting all components of the campaign including extensions, malware payloads, and phishing websites [1]. This centralized infrastructure enables streamlined coordination and data aggregation across multiple attack vectors [1]. The same IP has also been used by a malicious Chrome extension named Wallet, indicating the group's intent to expand its activities beyond Firefox [1].

Cybersecurity experts have noted that artificial intelligence tools appear to have contributed to the speed and complexity of the GreedyBear campaign [1]. The use of AI in malware development likely enhances the group's ability to evade detection and rapidly iterate on new attack methods [1]. As the operation continues to evolve, analysts warn that similar campaigns may soon emerge on other major browsers, including Chrome and Edge, given the group's demonstrated adaptability across platforms [1].
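As an added example (not code from the article, from Koi Security, or from any of the projects named), the following Python script shows how a defender could triage the extensions installed in a Firefox profile against the command-and-control address reported above: it opens each .xpi (a zip archive), reads the declared name from manifest.json, and searches the bundled code for the indicator. The profile path, the brand list, and the sample data in the comments are assumptions; a brand-name match is only a prompt for manual review, since a genuine wallet extension matches too.

```python
import json
import zipfile
from pathlib import Path

# Indicator set: the command-and-control address reported for the
# GreedyBear campaign (from the article). Extend with your own indicators.
C2_IOCS = {"185.208.156.66"}

# Wallet brands the campaign impersonates. A name containing one of these
# is worth a manual look, not an automatic verdict (the real add-on matches).
IMPERSONATED_BRANDS = ("metamask", "tronlink", "exodus", "rabby")

# Files inside the package that are worth searching for the indicator.
SCANNED_SUFFIXES = (".js", ".mjs", ".html", ".json")


def scan_xpi(xpi_path):
    """Inspect one Firefox extension package (an .xpi is a zip archive).

    Returns the extension's declared name, the set of indicators found in
    its bundled code, and whether the name resembles an impersonated brand.
    """
    result = {"path": str(xpi_path), "name": "", "iocs": set(),
              "brand_lookalike": False}
    with zipfile.ZipFile(xpi_path) as zf:
        names = zf.namelist()
        if "manifest.json" in names:
            manifest = json.loads(zf.read("manifest.json").decode("utf-8", "replace"))
            result["name"] = str(manifest.get("name", ""))
        for member in names:
            if not member.lower().endswith(SCANNED_SUFFIXES):
                continue
            text = zf.read(member).decode("utf-8", "replace")
            for ioc in C2_IOCS:
                if ioc in text:
                    result["iocs"].add(ioc)
    lowered = result["name"].lower()
    result["brand_lookalike"] = any(b in lowered for b in IMPERSONATED_BRANDS)
    return result


def scan_profile(profile_dir):
    """Scan every .xpi under <profile>/extensions (assumed layout) and return
    only the packages that matched an indicator or look like a brand lookalike."""
    findings = []
    for xpi in Path(profile_dir, "extensions").glob("*.xpi"):
        r = scan_xpi(xpi)
        if r["iocs"] or r["brand_lookalike"]:
            findings.append(r)
    return findings
```

An indicator hit in a package is the strong signal; the brand check exists only to surface lookalikes that do not yet contact the known address.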
Source: [1] Analysts expose GreedyBear crypto scam campaign that stole $1M via Firefox extensions (https://coinmarketcap.com/community/articles/689602ca05f6c41c6f2e4399/)