Russian hackers steal $1M in crypto via 150 Firefox extensions

AgentCoin World (generated by AI)
Sunday, Aug 10, 2025 11:50 am ET

Summary

- Russian-linked group GreedyBear stole $1M via 150 weaponized Firefox extensions targeting crypto users, using "Extension Hollowing" to bypass security checks.

- Malicious extensions steal wallet credentials while mimicking popular crypto wallets, with nearly 500 Windows malware files and phishing sites further expanding their attack arsenal.

- Most attack domains resolve to a single IP address, 185.208.156.66, pointing to centralized infrastructure and a degree of operational sophistication; experts advise users to verify software sources and enable multi-factor authentication.

A Russian-linked cybercriminal group known as GreedyBear has significantly escalated its operations, deploying 150 weaponized Firefox extensions to target cryptocurrency users globally, with a particular focus on English-speaking victims. According to cybersecurity firm Koi Security, the group has stolen over $1 million in cryptocurrency within just five weeks through this campaign [1]. The group has nearly tripled its extension-based attack arsenal, having previously used only 40 malicious extensions between April and July 2025 [7].

The tactics employed by GreedyBear involve a method known as “Extension Hollowing,” where the group initially uploads legitimate versions of popular crypto wallet extensions—such as MetaMask, Exodus, Rabby Wallet, and TronLink—before updating them with malicious code. This allows the extensions to bypass security checks on the Firefox marketplace and remain undetected for extended periods [2]. Once installed, these extensions extract sensitive wallet credentials from users’ browsers, which are then used to access and drain their crypto assets [4]. Additionally, the group fabricates positive reviews for these extensions, further misleading users into trusting them [3].
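The hollowing pattern above leaves a detectable trace on the endpoint: a wallet-branded extension that was present and looked benign at one point and later changed version, or a wallet-branded extension that appeared without going through an approved channel. The script below is an added illustration for this article, not code from Koi Security or from any of the wallet projects named; it compares two inventory snapshots of installed extensions and reports wallet-branded entries that are new or whose version changed. The snapshot format (records with id, name and version) is an assumption, and the records, IDs and versions are constructed sample data, not real extension identifiers.

```python
"""Audit two snapshots of a browser's extension inventory for the
"extension hollowing" pattern described in the article: a wallet-branded
extension that was installed looking benign and later changed version,
or that is new since the baseline was recorded.

Added illustration; not code from Koi Security or any named project.
The snapshot format is an assumption and the records are constructed.
"""

# Brands the article names as the ones being impersonated.
WALLET_BRANDS = ("metamask", "exodus", "rabby", "tronlink")

# Constructed sample inventories (placeholder IDs and versions).
BASELINE = [
    {"id": "ext-aaaa@example.test", "name": "Exodus Wallet Helper", "version": "1.0.0"},
    {"id": "ext-bbbb@example.test", "name": "Tab Manager", "version": "3.2.1"},
    {"id": "ext-cccc@example.test", "name": "Rabby Wallet", "version": "2.4.0"},
]
CURRENT = [
    {"id": "ext-aaaa@example.test", "name": "Exodus Wallet Helper", "version": "1.0.1"},
    {"id": "ext-bbbb@example.test", "name": "Tab Manager", "version": "3.2.2"},
    {"id": "ext-cccc@example.test", "name": "Rabby Wallet", "version": "2.4.0"},
    {"id": "ext-dddd@example.test", "name": "MetaMask Pro", "version": "0.1.0"},
]


def is_wallet_branded(name):
    """True when the display name borrows one of the impersonated brands."""
    lowered = name.lower()
    return any(brand in lowered for brand in WALLET_BRANDS)


def hollowing_candidates(baseline, current):
    """Return (extension id, reason) for wallet-branded extensions that are
    new since the baseline or whose version changed after the baseline.
    Non-wallet extensions are ignored: routine updates there are noise."""
    before = {rec["id"]: rec for rec in baseline}
    findings = []
    for rec in current:
        if not is_wallet_branded(rec["name"]):
            continue
        prev = before.get(rec["id"])
        if prev is None:
            findings.append((rec["id"], "new wallet-branded extension"))
        elif prev["version"] != rec["version"]:
            findings.append(
                (rec["id"], f"version changed {prev['version']} -> {rec['version']}"))
    return findings


if __name__ == "__main__":
    for ext_id, reason in hollowing_candidates(BASELINE, CURRENT):
        print(f"REVIEW {ext_id}: {reason}")
```

A finding is a prompt for manual review, not a verdict: legitimate wallet extensions update too. The value of the check is that it narrows review to the small set of wallet-branded entries whose state changed, which is exactly where the hollowing technique hides.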

Beyond the Firefox extensions, GreedyBear has also distributed nearly 500 malicious Windows executables on Russian software distribution platforms. These include credential stealers, ransomware, and trojans, often bundled with pirated or repackaged software [5]. The group also operates dozens of phishing websites that mimic legitimate cryptocurrency services, deceiving users into entering personal and financial information [6]. These sites are used to extract login credentials and siphon funds from victims' accounts.

Most of the attack domains are linked to a single IP address—185.208.156.66—suggesting a centralized infrastructure that may indicate a limited number of operators or a shared command-and-control system [7]. This structured approach reflects a growing sophistication and operational scale.
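The shared-IP observation is also a practical pivot for defenders: grouping DNS resolutions by answer IP surfaces the "many domains, one address" shape without knowing the domain names in advance. The script below is an added illustration for this article, not code from Koi Security; it parses constructed DNS resolution log lines (the line format is an assumption, and the domains are placeholders under .invalid), reports IPs that serve several distinct domains, and lists the clients that resolved anything to the indicator IP reported in the article.

```python
"""Pivot DNS resolution records on the answer IP to surface the
'many domains, one IP' shape the article describes, and flag clients
that resolved any domain to the reported indicator.

Added illustration; not code from Koi Security. The log line format is
an assumption and the lines are constructed with placeholder domains.
The IP 185.208.156.66 is the indicator reported in the article.
"""
import re
from collections import defaultdict

INDICATOR_IP = "185.208.156.66"

# Constructed sample log lines (placeholder domains under .invalid).
SAMPLE_LOG = """\
2025-08-10T11:50:01Z client=10.0.0.5 query=wallet-a.invalid answer=185.208.156.66
2025-08-10T11:50:03Z client=10.0.0.7 query=update-cdn.invalid answer=203.0.113.10
2025-08-10T11:51:12Z client=10.0.0.5 query=wallet-b.invalid answer=185.208.156.66
2025-08-10T11:52:40Z client=10.0.0.9 query=wallet-c.invalid answer=185.208.156.66
2025-08-10T11:53:05Z client=10.0.0.7 query=news-site.invalid answer=198.51.100.4
2025-08-10T11:54:00Z client=10.0.0.9 query=wallet-a.invalid answer=185.208.156.66
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$")


def parse_line(line):
    """Parse one assumed-format line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse all well-formed lines; malformed lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def domains_by_ip(records):
    """Map each answer IP to the set of distinct domains resolved to it."""
    index = defaultdict(set)
    for r in records:
        index[r["answer"]].add(r["query"])
    return index


def shared_infrastructure(records, min_domains=3):
    """IPs serving at least min_domains distinct domains, most domains first.
    This is the pivot: one address behind many unrelated-looking names."""
    idx = domains_by_ip(records)
    return sorted(
        ((ip, sorted(doms)) for ip, doms in idx.items() if len(doms) >= min_domains),
        key=lambda item: -len(item[1]))


def indicator_hits(records, ip=INDICATOR_IP):
    """Clients that resolved any domain to the indicator IP, with the domains,
    so the scope of affected hosts is visible at a glance."""
    hits = defaultdict(set)
    for r in records:
        if r["answer"] == ip:
            hits[r["client"]].add(r["query"])
    return {client: sorted(doms) for client, doms in hits.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, doms in shared_infrastructure(recs):
        print(f"{ip} serves {len(doms)} domains: {', '.join(doms)}")
    for client, doms in indicator_hits(recs).items():
        print(f"client {client} resolved indicator via {', '.join(doms)}")
```

The threshold in shared_infrastructure is deliberately low for the constructed sample; on real resolver logs it should be raised and CDN or shared-hosting addresses allowlisted, since legitimate services also put many domains behind one IP.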

The campaign highlights the expanding threat landscape in the cryptocurrency sector. As users increasingly rely on browser extensions and downloadable software to manage digital assets, the risk of exposure to malicious actors like GreedyBear is rising. Security experts warn users to remain vigilant, especially when downloading extensions or software from third-party sources. Best practices such as using verified software, enabling multi-factor authentication, and regularly updating applications are essential to mitigate these risks [1].

Sources:

[1] Yahoo - [https://finance.yahoo.com/news/russian-hacking-group-using-fake-150103130.html](https://finance.yahoo.com/news/russian-hacking-group-using-fake-150103130.html)

[2] AInvest - [https://www.ainvest.com/news/greedybear-crypto-scam-steals-1m-150-firefox-extensions-500-malware-executables-2508/](https://www.ainvest.com/news/greedybear-crypto-scam-steals-1m-150-firefox-extensions-500-malware-executables-2508/)

[3] Cryptorank - [https://cryptorank.io/news/feed/4f8db-greedybear-hackers-steal-1m-in-industrial-scale-crypto-theft](https://cryptorank.io/news/feed/4f8db-greedybear-hackers-steal-1m-in-industrial-scale-crypto-theft)

[4] Cryptopolitan - [https://www.cryptopolitan.com/greedybear-scam-uses-firefox-steal-1m-crypto/](https://www.cryptopolitan.com/greedybear-scam-uses-firefox-steal-1m-crypto/)

[5] GBHackers - [https://gbhackers.com/record-breaking-greedybear-attack-uses-650-hacking-tools/](https://gbhackers.com/record-breaking-greedybear-attack-uses-650-hacking-tools/)

[6] MSN - [https://www.msn.com/en-us/money/other/greedybear-hackers-steal-1m-in-crypto-hack-using-650-tools-and-fake-wallet-extensions/ar-AA1K901h](https://www.msn.com/en-us/money/other/greedybear-hackers-steal-1m-in-crypto-hack-using-650-tools-and-fake-wallet-extensions/ar-AA1K901h)

[7] FinanceFeeds - [https://financefeeds.com/greedybear-scam-group-ramps-up-crypto-theft/](https://financefeeds.com/greedybear-scam-group-ramps-up-crypto-theft/)
