Analysts expose GreedyBear crypto scam campaign that stole $1M via Firefox extensions

Source Cryptopolitan

The GreedyBear scam group has stolen over $1 million in cryptocurrency through a coordinated attack campaign.

Koi Security reported that the group launched 150 weaponized Firefox extensions in addition to 500 malicious executables. The operation used fake wallet extensions, phishing websites, and malware to target crypto users across multiple platforms.

Firefox extension fraud targets popular crypto wallets

The GreedyBear group published over 150 malicious extensions on the Firefox add-on store targeting cryptocurrency users. The extensions impersonate popular wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet, copying the legitimate wallet interfaces so that credentials entered at the fake login prompt can be hijacked.

The attackers first publish genuine-looking, low-functionality extensions such as link sanitizers and YouTube downloaders. With a lineup of 5-7 generic utilities under fresh publisher names, they build credibility over time.

[Image: Fake Firefox extension. Source: Koi Security]

Once the criminals have built trust through genuine positive reviews, they hollow out these extensions: they change the names and icons and inject malicious code, but keep the original positive review history. This lets a malicious extension look trustworthy to new users browsing the marketplace.

The extensions capture wallet credentials entered into the input fields of their own pop-up windows and transmit them to remote servers controlled by the group for later use. On startup they also send the victim's IP address for tracking.

This campaign builds on the earlier Foxy Wallet activity, in which 40 malicious extensions were identified; the scope has since more than doubled. User reports confirm that victims lost significant cryptocurrency value to these fake wallet extensions over varying periods.

Multi-platform attack combines malware and scam websites

The GreedyBear group operates nearly 500 malicious Windows executables alongside its browser extension campaign. These programs spread through Russian websites that distribute cracked and pirated software to unsuspecting users. The malware collection spans multiple threat categories for maximum damage potential.

Credential stealers like LummaStealer target crypto wallet information stored on victim computers. Ransomware variants encrypt user files and demand cryptocurrency payments for decryption keys. Generic trojans provide backdoor access for additional payload delivery when needed.

The group also maintains an infrastructure of impersonator crypto service sites for data theft. These are not typical phishing pages but full imitations of legitimate-looking crypto services. Sites offering Jupiter-branded hardware wallets also present falsified interface mockups to trick prospective purchasers into revealing payment details.

[Image: Fake wallet repair site. Source: Koi Security]

Another example cited in the report is wallet repair websites that claim to fix damaged Trezor devices for frustrated customers. Posing as technical support, these impersonator sites harvest wallet recovery words and private keys. Some domains are active while others are dormant, held in reserve for future campaigns.

The variety of attack methods shows that the GreedyBear scam operates a broad distribution pipeline rather than focusing on a single technique. This diversified approach allows the group to shift tactics based on what works best. The reuse of infrastructure across different malware families confirms centralized coordination behind all campaign components.

Centralized server controls global theft operations

GreedyBear operates its entire criminal enterprise through a single IP address, 185.208.156.66. Almost all domains used across the extensions, malware payloads, and phishing sites connect to this central server. The hub handles command-and-control communications, credential collection, ransomware coordination, and scam website hosting.

The centralized infrastructure allows attackers to streamline operations across multiple attack channels efficiently. Data from browser extensions, malware infections, and website victims all flows to the same collection point. This approach simplifies management while providing comprehensive intelligence on target victims.

Koi Security discovered the group has already begun expanding beyond Firefox browsers. A malicious Chrome extension called Filecoin Wallet used identical credential theft methods months ago. This Chrome extension communicated with domains hosted on the same 185.208.156.66 server infrastructure.

The connection confirms GreedyBear is testing operations across different browser ecosystems. Chrome, Edge, and other browsers will likely face similar extension campaigns in the coming months. The group’s willingness to experiment across platforms shows its commitment to scaling operations.
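The single-server design described above is a defender's opportunity: one confirmed IP expands, through passive DNS, into the rest of the campaign's hosting set, and the resulting domain list can be run over proxy logs. The script below is an added example, not code from Koi Security or Cryptopolitan. Only the hub IP 185.208.156.66 is taken from the article; the passive-DNS records, the proxy log lines, and every domain name (placeholders under .example) are constructed for illustration and are not real indicators.

```python
"""Infrastructure pivot and proxy-log check on shared hosting.

Added example; not code from Koi Security or Cryptopolitan. Only the hub
IP 185.208.156.66 comes from the report. The passive-DNS records and
proxy log lines below are constructed, and the domain names are
hypothetical placeholders under .example, not real indicators.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

HUB_IP = "185.208.156.66"  # reported GreedyBear hub (from the article)

# Constructed passive-DNS observations: (domain, resolved IP).
SAMPLE_PDNS: List[Tuple[str, str]] = [
    ("wallet-repair.example", HUB_IP),
    ("ext-telemetry.example", HUB_IP),
    ("filecoin-wallet-api.example", HUB_IP),
    ("cdn.legit-news.example", "203.0.113.10"),
    ("updates.legit-vendor.example", "203.0.113.10"),
    ("docs.other.example", "198.51.100.7"),
]

# Constructed proxy log lines: "<timestamp> <client-ip> <dest-host> <dest-ip>".
SAMPLE_PROXY_LOG: List[str] = [
    "2025-08-08T09:12:01Z 10.0.0.5 cdn.legit-news.example 203.0.113.10",
    "2025-08-08T09:12:07Z 10.0.0.5 ext-telemetry.example 185.208.156.66",
    "2025-08-08T09:13:44Z 10.0.0.9 docs.other.example 198.51.100.7",
    "2025-08-08T09:15:02Z 10.0.0.9 - 185.208.156.66",  # direct-to-IP, no hostname logged
]


def cluster_by_ip(records: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group domains by the IP they resolve to; lists are sorted for determinism."""
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in records:
        clusters[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in clusters.items()}


def pivot(records: Iterable[Tuple[str, str]], seed_ips: Iterable[str]) -> Dict[str, List[str]]:
    """Return {seed_ip: [domains]} for every seed IP that appears in the records.

    Because the campaign funnels extensions, malware and scam sites through
    one server, a single confirmed IP expands into the rest of the hosting set.
    """
    clusters = cluster_by_ip(records)
    return {ip: clusters[ip] for ip in seed_ips if ip in clusters}


def blocklist_from_pivot(records: Iterable[Tuple[str, str]], seed_ips: Iterable[str]) -> List[str]:
    """Flatten the pivot result into a sorted, de-duplicated domain list."""
    return sorted({d for domains in pivot(records, seed_ips).values() for d in domains})


def flag_proxy_lines(lines: Iterable[str], bad_domains: Set[str], bad_ips: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, reason) for lines touching known-bad hosts or IPs.

    A destination is matched on hostname first and on IP as a fallback, so
    direct-to-IP traffic with no logged hostname is still caught.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than aborting the sweep
        ts, client, host, dst_ip = parts
        if host in bad_domains:
            hits.append((ts, client, f"domain {host}"))
        elif dst_ip in bad_ips:
            hits.append((ts, client, f"ip {dst_ip}"))
    return hits


if __name__ == "__main__":
    domains = blocklist_from_pivot(SAMPLE_PDNS, [HUB_IP])
    print("domains sharing the hub:", domains)
    for hit in flag_proxy_lines(SAMPLE_PROXY_LOG, set(domains), {HUB_IP}):
        print("ALERT", *hit)
```

In practice the passive-DNS records would come from a pDNS provider and the log lines from a real proxy export; the point the example makes is that matching on the shared IP as well as on hostnames is what catches the direct-to-IP connections the extensions make on startup.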

According to code analysis, AI tools have helped accelerate the campaign's growth and complexity. Generated artifacts in the malware suggest that artificial intelligence assists with payload creation and scaling, allowing faster development cycles and better evasion of security detection systems across platforms.
