Russian Hackers Steal $1M in Crypto Using 150 Fake Firefox Extensions

Generated by AI, Coin World
Sunday, Aug 10, 2025, 11:37 am ET

Summary

- Russian-linked GreedyBear hackers stole $1M via 150 fake Firefox extensions mimicking legitimate crypto tools.

- Attackers used AI malware and rebranded defunct domains to infiltrate MetaMask/TronLink wallets and bypass security.

- Cybersecurity experts warn of rising sophistication in targeted attacks, with AI-enhanced tools automating theft processes.

- MetaMask urges users to verify extensions and avoid suspicious permissions as hackers exploit browser trust mechanisms.

- Incident highlights growing Russian cybercrime focus on crypto, with AI defenses now being developed to counter evolving threats.

A Russian-linked hacking group, GreedyBear, has launched a sophisticated campaign targeting cryptocurrency users by distributing over 150 malicious Firefox extensions designed to mimic legitimate software. These extensions infiltrate users' systems, granting attackers access to digital wallets such as MetaMask and TronLink, ultimately leading to the theft of over $1 million in cryptocurrency [1]. The operation, identified through cybersecurity advisories, underscores a troubling shift in cybercriminal tactics, where trust in widely used platforms is exploited to bypass security measures and siphon digital assets [2].

The group’s methods include the use of AI-guided malware and the re-registration of defunct domain names to create deceptive, trusted-looking clone applications. This allows threat actors to exploit users’ expectations of authenticity and security within the browser ecosystem [2]. MetaMask, a popular crypto wallet, has highlighted the risks posed by such tactics, noting that attackers are increasingly leveraging the reputations of inactive projects to gain access to user funds [1].

Cybersecurity experts have emphasized the sophistication of the GreedyBear operation, noting that unlike traditional phishing attacks, this campaign is highly targeted and technically advanced. The group’s ability to create undetectable malicious extensions and impersonate legitimate software reflects the growing professionalism of cybercriminal enterprises, many of which appear to have deep knowledge of digital infrastructure and user behavior [1].

The financial impact of the GreedyBear campaign has so far been limited to individual losses rather than large-scale protocol breaches, mitigating broader ecosystem-wide damage. However, the use of AI-enhanced tools to automate and refine the attack process raises significant concerns for the future of wallet security [2]. In response, MetaMask and other developers are exploring AI-based defenses that can identify and alert users to suspicious transactions before they are finalized [2].

This incident adds to a broader trend of Russian cybercriminals intensifying their focus on the cryptocurrency sector. Previous operations have involved phishing schemes, fake wallet apps, and even malware-laden job applications. The adaptability and persistence of these groups continue to challenge the cybersecurity community’s efforts to protect digital assets [3]. As the crypto market grows, so too does the incentive for cybercriminals to exploit vulnerabilities in the platforms that support it.

Users are being advised to exercise caution when installing browser extensions, particularly those that request unnecessary permissions or display unexplained functionalities. Verifying the authenticity of software and maintaining up-to-date security protocols are essential steps in reducing exposure to such threats [2].
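The advice above (check what an installed extension can actually do, and whether a wallet-branded add-on is the real one) can be turned into a routine check. The script below is an added example written for this page; it is not code from the article, from Mozilla, or from any wallet vendor. It reads the `extensions.json` file that Firefox keeps in a profile directory and flags extensions that hold broad permissions or host access, are not signed by addons.mozilla.org, or carry a wallet brand name under an extension id that is not on an allowlist. The JSON field names (`addons`, `defaultLocale.name`, `userPermissions`, `signedState`) are assumed from Firefox's on-disk layout, the allowlisted ids are placeholders to be verified against each vendor, and the sample file is constructed for the demonstration.

```python
import json
from pathlib import Path

# Permissions that let an extension read or alter page traffic, tabs or the clipboard.
RISKY_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "tabs", "clipboardRead",
    "nativeMessaging", "cookies", "history", "downloads",
}
# Host patterns that grant access to every site the user visits.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Wallet brands that impostor extensions imitate. The ids are PLACEHOLDERS
# (assumption): replace them with ids confirmed from each vendor's own listing.
KNOWN_WALLET_IDS = {
    "metamask": {"webextension@metamask.io"},  # assumed id, verify with the vendor
    "tronlink": set(),  # no verified id on hand, so every "TronLink" is treated as unknown
}

# Assumption about Firefox's encoding: signedState >= 2 means signed by AMO.
SIGNED_BY_AMO = 2


def audit_extensions_json(text: str) -> list[dict]:
    """Return a list of findings, one per suspicious extension, most reasons first."""
    findings = []
    for addon in json.loads(text).get("addons", []):
        if addon.get("type") != "extension":  # skip themes, dictionaries, language packs
            continue
        addon_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "")
        perms = addon.get("userPermissions") or {}
        reasons = []

        risky = sorted(RISKY_PERMISSIONS & set(perms.get("permissions", [])))
        if risky:
            reasons.append("broad permissions: " + ", ".join(risky))
        broad = sorted(BROAD_ORIGINS & set(perms.get("origins", [])))
        if broad:
            reasons.append("host access: " + ", ".join(broad))
        if addon.get("signedState", 0) < SIGNED_BY_AMO:
            reasons.append("not signed by addons.mozilla.org")
        for brand, allowed_ids in KNOWN_WALLET_IDS.items():
            if brand in name.lower() and addon_id not in allowed_ids:
                reasons.append(f"name imitates {brand} but id {addon_id!r} is not allowlisted")

        if reasons:
            findings.append({"id": addon_id, "name": name, "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


def audit_profile(profile_dir: str) -> list[dict]:
    """Audit a real Firefox profile directory (the one containing extensions.json)."""
    return audit_extensions_json((Path(profile_dir) / "extensions.json").read_text())


# Constructed sample of an extensions.json file (not a real profile).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "webextension@metamask.io", "type": "extension", "signedState": 2,
     "defaultLocale": {"name": "MetaMask"},
     "userPermissions": {"permissions": ["storage"], "origins": ["https://*/*"]}},
    {"id": "wallet-helper@constructed.invalid", "type": "extension", "signedState": 2,
     "defaultLocale": {"name": "MetaMask Wallet Pro"},
     "userPermissions": {"permissions": ["storage", "webRequest", "webRequestBlocking",
                                         "clipboardRead"],
                         "origins": ["<all_urls>"]}},
    {"id": "dark-theme@constructed.invalid", "type": "extension", "signedState": 2,
     "defaultLocale": {"name": "Dark Theme"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "en-US@dictionaries.addons.mozilla.org", "type": "dictionary", "signedState": 2,
     "defaultLocale": {"name": "English (US) Dictionary"}},
    {"id": "tronlink-lite@constructed.invalid", "type": "extension", "signedState": 0,
     "defaultLocale": {"name": "TronLink Lite"},
     "userPermissions": {"permissions": ["tabs"], "origins": ["*://*/*"]}},
]})

if __name__ == "__main__":
    for finding in audit_extensions_json(SAMPLE_EXTENSIONS_JSON):
        print(f"{finding['name']} ({finding['id']})")
        for reason in finding["reasons"]:
            print("  -", reason)
```

The output is a review list, not a verdict: a genuine wallet extension legitimately needs access to every site in order to inject its provider, so it will appear with a single "host access" reason. What separates the impostor entries is the combination of a wallet brand name, an id the vendor never published, request-interception permissions, and (for one of them) a missing AMO signature.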

---

Sources:

[1] Yahoo – [https://finance.yahoo.com/news/russian-hacking-group-using-fake-150103130.html](https://finance.yahoo.com/news/russian-hacking-group-using-fake-150103130.html)

[2] The Hacker News – [https://thehackernews.com/2025/08/greedybear-steals-1m-in-crypto-using.html](https://thehackernews.com/2025/08/greedybear-steals-1m-in-crypto-using.html)

[3] CCN.com – [https://www.ccn.com/news/crypto/greedybear-hackers-steal-1m-in-crypto-hack-using-650-tools-and-fake-wallet-extensions/](https://www.ccn.com/news/crypto/greedybear-hackers-steal-1m-in-crypto-hack-using-650-tools-and-fake-wallet-extensions/)
