GreedyBear Cybercrime Group Steals $1M via Fake Wallet Extensions Targeting Firefox Users

10.08.2025 16:04

Russian hacking group GreedyBear has stolen more than $1 million in cryptocurrency through a coordinated campaign of 150 malicious Firefox browser extensions, nearly 500 malicious executables, and dozens of phishing sites, according to research from Koi Security. The operation, active over the past five weeks, relied on "extension hollowing": the group first submitted harmless extensions to Mozilla's Firefox Add-ons marketplace, let them pass review, and then pushed updates containing malicious code that impersonated legitimate wallets such as MetaMask, Exodus, Rabby Wallet, and TronLink.
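One practical check that follows from the tactic above is a local audit of a Firefox profile's installed add-ons: list any extension whose name borrows a wallet brand, flag it when its add-on ID is not the one you have verified against the vendor's own site, and flag it when it was updated after installation (the hollowing pattern of a benign install followed by a malicious update). The script below is an added example written for this page; it is not Koi Security's tooling. It assumes the field layout of Firefox's `extensions.json` (`addons`, `id`, `defaultLocale.name`, `version`, `installDate`, `updateDate`, with epoch-millisecond dates), the `KNOWN_GOOD_IDS` allowlist holds placeholder IDs you would replace with verified ones, and the embedded sample file is constructed for the demonstration.

```python
import json
from datetime import datetime, timezone

# Brands the report names as impersonated by the malicious extensions.
WALLET_BRANDS = ("metamask", "exodus", "rabby", "tronlink")

# Hypothetical allowlist: brand -> add-on IDs you have verified against the
# vendor's own download page. The value below is a placeholder, not a real ID.
KNOWN_GOOD_IDS = {
    "metamask": {"metamask-verified@example.invalid"},
}

# Constructed stand-in for a Firefox profile's extensions.json (assumed layout).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 37,
    "addons": [
        {"id": "metamask-verified@example.invalid",
         "defaultLocale": {"name": "MetaMask"},
         "version": "12.0.0",
         "installDate": 1749772800000, "updateDate": 1749772800000},
        {"id": "wallet-helper@example.invalid",
         "defaultLocale": {"name": "MetaMask Wallet Pro"},
         "version": "2.1.0",
         "installDate": 1751328000000, "updateDate": 1753920000000},
        {"id": "example-blocker@example.invalid",
         "defaultLocale": {"name": "Example Blocker"},
         "version": "1.0",
         "installDate": 1749772800000, "updateDate": 1753920000000},
    ],
})


def _fmt(ms):
    """Render an epoch-millisecond timestamp as a UTC date."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d")


def matched_brand(name):
    """Return the wallet brand an extension name borrows, or None."""
    lname = name.lower()
    for brand in WALLET_BRANDS:
        if brand in lname:
            return brand
    return None


def audit(addons):
    """Triage wallet-branded add-ons. Each finding lists why it deserves a look;
    add-ons that match the allowlist and were never updated are not reported."""
    findings = []
    for addon in addons:
        name = addon.get("defaultLocale", {}).get("name", "")
        brand = matched_brand(name)
        if brand is None:
            continue
        reasons = []
        if addon.get("id") not in KNOWN_GOOD_IDS.get(brand, set()):
            reasons.append(f"id {addon.get('id')!r} is not the verified {brand} add-on")
        installed = addon.get("installDate", 0)
        updated = addon.get("updateDate", 0)
        if updated > installed:
            reasons.append(f"updated after install ({_fmt(installed)} -> {_fmt(updated)}); "
                           "re-check the current version against the vendor listing")
        if reasons:
            findings.append({"id": addon.get("id"), "name": name,
                             "version": addon.get("version"), "reasons": reasons})
    return findings


def audit_json(raw_json):
    """Parse an extensions.json document and audit its add-ons."""
    return audit(json.loads(raw_json).get("addons", []))


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_EXTENSIONS_JSON):
        print(f"{finding['name']} ({finding['id']}, v{finding['version']})")
        for reason in finding["reasons"]:
            print("  -", reason)
```

To run this against a real profile, replace `SAMPLE_EXTENSIONS_JSON` with the contents of `extensions.json` from the Firefox profile directory and fill `KNOWN_GOOD_IDS` with IDs taken from each wallet vendor's official page, not from the marketplace search results. The update check is a triage signal, not a verdict: legitimate wallets update too, so a flagged entry means "compare this version with the vendor's listing", not "this is malicious".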

Koi Security CTO Idan Dardikman confirmed that the Firefox campaign was GreedyBear's "most lucrative attack vector", responsible for the bulk of the stolen funds. The group padded its listings with fake reviews to get past marketplace scrutiny and aimed the extensions at English-speaking users worldwide, while Russian-speaking victims were targeted with malicious software distributed through piracy sites. Security researcher Tuval Admoni noted GreedyBear's unprecedented multi-vector approach: "Most groups pick a lane... GreedyBear said, ‘Why not all three?’ And it worked. Spectacularly."

The thefts, which mostly hit retail investors' non-custodial wallets, traced back to a single IP address (185.208.156.66), which points to centralized control by profit-driven criminals rather than a state actor. Koi warned that the scale of the operation, up from 40 extensions in a prior April-July campaign, exposes a structural weakness in browser-based wallet security: an extension approved as benign can later be updated with malicious code. Recommended countermeasures include stricter review of extension updates rather than only initial submissions, avoiding pirated software, and moving funds to hardware wallets bought only from official sources.