GreedyBear Campaign Steals $1M With 650 Crypto Attack Tools

A malicious campaign has netted more than $1 million in stolen crypto using a trifecta of attack types through hundreds of browser extensions, websites and malware, says cybersecurity firm Koi Security.

Koi Security researcher Tuval Admoni said on Thursday that the malicious group, which the company dubbed “GreedyBear,” has “redefined industrial-scale crypto theft.”

“Most groups pick a lane — maybe they do browser extensions, or they focus on ransomware, or they run scam phishing sites — GreedyBear said, ‘why not all three?’ And it worked. Spectacularly,” Admoni said.

The types of attacks undertaken by GreedyBear have been used before, but the report highlights that cybercriminals are now deploying a range of complex scams to target crypto users, which Admoni said shows scammers have stopped “thinking small.”

Over 150 fake crypto browser extensions

More than $1 million has reportedly been stolen from cryptocurrency users from over 650 malicious tools specifically targeting crypto wallet users, Admoni said. 

The group has published over 150 malicious browser extensions to the Firefox browser marketplace, each designed to impersonate popular crypto wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet.

The malicious actors use an “Extension Hollowing” technique, first creating a legitimate extensions to bypass the marketplaces’ checks to later make them malicious.

Admoni explained that the malicious extensions directly capture wallet credentials from user input fields within fake wallet interfaces.

“This approach allows GreedyBear to bypass marketplace security by appearing legitimate during the initial review process, then weaponizing established extensions that already have user trust and positive ratings.”

Deddy Lavid, CEO of the cybersecurity firm Cyvers, told Cointelegraph that the GreedyBear campaign “shows how cybercriminals are weaponizing the trust users place in browser extension stores. Cloning popular wallet plugins, inflating reviews, and then silently swapping in credential-stealing malware.”

In early July, Koi Security identified 40 malicious Firefox extensions, suspecting Russian threat actors behind what it called the “Foxy Wallet” campaign. 

Crypto-themed malware 

The second arm of the group’s attacks focuses on crypto-themed malware, of which Koi Security uncovered almost 500 samples.

Credential stealers like LummaStealer specifically target crypto wallet information, while ransomware variants such as Luca Stealer are designed to demand crypto payments.

Most of the malware is distributed through Russian websites offering cracked or pirated software, Admoni said. 

A network of scam websites

The third attack vector in the trifecta is a network of fake websites posing as crypto-related products and services.

“These aren’t typical phishing pages mimicking login portals — instead, they appear as slick, fake product landing pages advertising digital wallets, hardware devices, or wallet repair services,” Admoni noted. 

Related: North Korean hackers targeting crypto projects with unusual Mac exploit

He said one server acts as a central hub for command-and-control, credential collection, ransomware coordination, and scam websites, “allowing the attackers to streamline operations across multiple channels.”

The campaign also shows signs of AI-generated code, enabling rapid scaling and diversification of crypto-targeting attacks, representing a new evolution in crypto-focused cybercrime.

“This isn’t a passing trend — it’s the new normal,” Admoni warned.

“These attacks exploit user expectations and bypass static defenses by injecting malicious logic directly into wallet UIs,” Lavid said before adding, “This underscores the need for stronger vetting by browser vendors, developer transparency, and user vigilance.”

Magazine: Philippines blocks big crypto exchanges, Coinbase scammer’s stash: Asia Express