GreedyBear Expands Attacks by Combining Firefox Extensions, Malware, and Phishing Sites

12.08.2025 2 minutes Author: Newsman

The GreedyBear hacking group, known for stealing cryptocurrency, has scaled up its operations, combining 150 malicious Firefox extensions, ransomware, and dozens of fake websites. According to researchers, the attackers have already stolen over $1 million in crypto assets.

According to Koi Security, GreedyBear imitates popular crypto wallets, including MetaMask, TronLink, Exodus, and Rabby Wallet, through fake extensions. Using a technique called Extension Hollowing, the group first publishes legitimate-looking extensions, builds trust, and then “arms” them with malicious code.

In addition to Firefox, there are signs that similar attacks are being prepared for Chrome. The scale of operations has more than doubled compared to the previous Foxy Wallet campaign, with nearly 500 malicious Windows files associated with credential theft, ransomware, and Trojans now detected.

The group also builds phishing sites in the form of fake product pages that advertise digital wallets, hardware devices, or wallet “repairs.” Some of the sites are already live, while others are being prepared for launch.

GreedyBear's infrastructure is tied to the IP address 185.208.156.66, which acts as a central C2 node for collecting credentials, coordinating ransomware, and hosting fraudulent sites. The malicious files are distributed mainly through Russian sites offering pirated or “repackaged” software.

Attacks this complex are harder to defend against, because combining different threat vectors lets the attackers act in several environments at the same time.

Experts warn that the increase in technical complexity of GreedyBear attacks and the use of artificial intelligence to automate fraud require users and companies to be more vigilant. Protection should include constant software updates, multi-factor authentication and checking extensions before installation.
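A defender can look for the Extension Hollowing pattern described above by comparing each update of an extension with the release that was originally trusted. The following Python sketch is an added example, not code from Koi Security or from the article: it diffs two `manifest.json` versions for newly requested permissions and scripts and searches the updated files for the C2 address named above. The function names and the sample manifests and script text are constructed for illustration.

```python
# Added example: review an extension update for signs of "hollowing".
# The manifests and script text below are constructed sample data.
C2_IP = "185.208.156.66"  # C2 address reported in the article
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested(manifest):
    """API permissions and host patterns a manifest asks for."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))  # Manifest V3
    perms |= set(manifest.get("optional_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms |= set(cs.get("matches", []))
    return perms

def scripts(manifest):
    """Script files the manifest loads (background and content scripts)."""
    bg = manifest.get("background", {})
    files = set(bg.get("scripts", []))
    if "service_worker" in bg:
        files.add(bg["service_worker"])
    for cs in manifest.get("content_scripts", []):
        files |= set(cs.get("js", []))
    return files

def review_update(old, new, new_files):
    """Findings for an update; new_files maps file path -> source text."""
    findings = []
    for perm in sorted(requested(new) - requested(old)):
        level = "HIGH" if perm in BROAD_HOSTS else "INFO"
        findings.append((level, f"new permission: {perm}"))
    for path in sorted(scripts(new) - scripts(old)):
        findings.append(("INFO", f"new script: {path}"))
    for path, text in sorted(new_files.items()):
        if C2_IP in text:
            findings.append(("HIGH", f"reported C2 address in {path}"))
    return findings

# Constructed sample: version 1.0 as first trusted, 1.1 as later pushed.
OLD = {"manifest_version": 2, "version": "1.0", "permissions": ["storage"],
       "background": {"scripts": ["bg.js"]}}
NEW = {"manifest_version": 2, "version": "1.1",
       "permissions": ["storage", "<all_urls>"],
       "background": {"scripts": ["bg.js"]},
       "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
NEW_FILES = {"bg.js": "/* unchanged */",
             "inject.js": 'const host = "185.208.156.66";'}

if __name__ == "__main__":
    for level, message in review_update(OLD, NEW, NEW_FILES):
        print(level, message)
```

An update that suddenly asks for access to every site or ships a script the trusted release did not have is worth a manual look before it is allowed to roll out.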
