Cybersecurity firm Koi Security has uncovered a large-scale attack campaign known as GreedyBear, which has stolen over $1 million worth of cryptocurrencies from unsuspecting users. The operation used dozens of fake Firefox extensions, hundreds of malicious Windows files, and sophisticated phishing websites to target crypto holders.

🧠 Targeting Crypto Wallet Users Directly

At the heart of the attack was a network of over 150 malicious Firefox extensions impersonating popular wallets like MetaMask, TronLink, Exodus, and Rabby Wallet. These fake add-ons mimicked the appearance of real wallets and waited for users to input login credentials, which were then sent to the attackers.

The scammers began by publishing harmless-looking extensions, such as link sanitizers or YouTube downloaders, and gradually built up positive reviews. Once the extensions had earned trust, the scammers quietly replaced them with malicious versions that retained the original review history, so they looked legitimate to new users.

These extensions acted as credential harvesters, capturing seed phrases, login data, and IP addresses, which were sent to a remote command center.

Fake Firefox extension: Source: Koi Security

💣 Combining Malware, Extensions, and Phishing Websites

In addition to browser extensions, the group distributed nearly 500 malware files for Windows, often via pirated software websites. The toolkit included:

🔹 LummaStealer – designed to steal wallet data stored on victims’ devices

🔹 Ransomware – encrypting files and demanding crypto payments

🔹 Trojan backdoors – allowing remote access for further attacks

GreedyBear also created fake cryptocurrency service websites that closely imitated legitimate ones. These sites posed as wallet services like Trezor and Jupiter, tricking users into providing seed phrases, private keys, and payment information. Some sites offered "wallet repair" or "hardware replacements" but were designed purely for theft. Some domains remain dormant, waiting to be activated for future attacks.

Fake wallet repair site: Source: Koi Security

🌐 A Single Server Powers the Entire Operation

The entire campaign was coordinated through a single IP address: 185.208.156.66. This central server handled command-and-control communication, login data collection, ransomware coordination, and phishing website hosting.

This centralized infrastructure allowed attackers to manage all tactics efficiently — from browser data collection to malware infection and phishing site activity — under one digital roof.
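Two traits described above are directly actionable for defenders: every component talked to one server, 185.208.156.66, and the fake add-ons reached users as trusted extensions that were later swapped for versions carrying a wallet brand name. The following script is an added example written for this article, not code from Koi Security or the report; it scans constructed proxy log lines for the C2 address and reviews a constructed excerpt of a Firefox profile's extensions.json (the field names addons[].id, defaultLocale.name, version, installDate and updateDate in epoch milliseconds are assumed from that file's format) to flag add-ons named after impersonated wallets and show how long after installation they were last updated. The brand match is a prompt to verify the add-on against the vendor's official listing, not proof of malice.

```python
"""Defender-side triage for the GreedyBear traits described in the article:
connections to the single C2 IP, and installed Firefox add-ons whose name
carries a wallet brand. All sample inputs below are constructed, not captured."""
import json
import re
from datetime import datetime, timezone

# IoC named in the report: the campaign's single coordinating server.
GREEDYBEAR_C2_IP = "185.208.156.66"

# Wallet brands the report says were impersonated by fake extensions.
IMPERSONATED_BRANDS = ("metamask", "tronlink", "exodus", "rabby", "filecoin")

# Constructed key=value proxy/firewall log lines (benign destinations use
# RFC 5737 documentation addresses; none of this is real traffic).
SAMPLE_LOG_LINES = [
    "2025-08-07T10:01:02Z src=10.0.0.5 dst=198.51.100.23 dport=443 proto=tcp",
    "2025-08-07T10:01:09Z src=10.0.0.17 dst=185.208.156.66 dport=443 proto=tcp",
    "2025-08-07T10:02:41Z src=10.0.0.5 dst=185.208.156.66 dport=80 proto=tcp",
    "2025-08-07T10:03:00Z src=10.0.0.9 dst=203.0.113.8 dport=443 proto=tcp",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_c2_connections(log_lines, ioc_ip=GREEDYBEAR_C2_IP):
    """Return (timestamp, source, dport) for every line whose destination is the IoC."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("dst") == ioc_ip:
            hits.append((m.group("ts"), m.group("src"), int(m.group("dport"))))
    return hits


# Constructed excerpt shaped like a Firefox profile's extensions.json.
# Add-on IDs are placeholders, not real listings; dates are epoch milliseconds.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {"id": "{constructed-id-0001}", "version": "1.4.0",
         "defaultLocale": {"name": "Link Sanitizer Pro"},
         "installDate": 1735689600000, "updateDate": 1735689600000},
        {"id": "{constructed-id-0002}", "version": "9.0.1",
         "defaultLocale": {"name": "MetaMask Wallet Helper"},
         "installDate": 1735689600000, "updateDate": 1754352000000},
    ]
})


def flag_wallet_lookalikes(extensions_json_text, brands=IMPERSONATED_BRANDS):
    """Flag add-ons whose name carries an impersonated wallet brand and report
    how many days after installation they were last updated. A large gap is the
    pattern of a trusted add-on later swapped for a malicious version; each hit
    should be checked against the vendor's official add-on ID, not treated as proof."""
    data = json.loads(extensions_json_text)
    flagged = []
    for addon in data.get("addons", []):
        name = addon.get("defaultLocale", {}).get("name", "")
        lowered = name.lower()
        brand = next((b for b in brands if b in lowered), None)
        if brand is None:
            continue
        installed = datetime.fromtimestamp(addon["installDate"] / 1000, tz=timezone.utc)
        updated = datetime.fromtimestamp(addon["updateDate"] / 1000, tz=timezone.utc)
        flagged.append({
            "id": addon["id"],
            "name": name,
            "version": addon.get("version"),
            "brand": brand,
            "installed": installed.date().isoformat(),
            "updated": updated.date().isoformat(),
            "updated_after_install_days": (updated - installed).days,
        })
    return flagged


if __name__ == "__main__":
    for ts, src, dport in find_c2_connections(SAMPLE_LOG_LINES):
        print(f"C2 contact: {src} -> {GREEDYBEAR_C2_IP}:{dport} at {ts}")
    for hit in flag_wallet_lookalikes(SAMPLE_EXTENSIONS_JSON):
        print(f"Review add-on {hit['id']} ({hit['name']} v{hit['version']}): "
              f"brand '{hit['brand']}', updated {hit['updated_after_install_days']} days after install")
```

On a real host the log lines come from the proxy or firewall export and the JSON from the profile's extensions.json; the two functions are kept separate so either check can be dropped into an existing hunt without the other.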

🧪 Beyond Firefox: Chrome and Others Also at Risk

Koi Security also found that GreedyBear had started expanding beyond Firefox. A Chrome extension called Filecoin Wallet used similar credential-stealing methods and was connected to the same malicious server infrastructure.

This indicates that GreedyBear is testing its tactics across different browser ecosystems. Users of Chrome, Edge, and other browsers may be targeted in future campaigns. The group's cross-platform experimentation highlights its intent to scale globally.

Interestingly, signs suggest the group is using AI tools to enhance and automate the campaign. Generated artifacts within the malware indicate that AI may have been used to speed up development and help evade modern security detection systems across platforms.

🛡️ How to Protect Yourself

🔹 Avoid downloading unfamiliar extensions — even from official stores

🔹 Never enter your seed phrase outside of official wallet apps

🔹 Use two-factor authentication and update passwords regularly

🔹 Watch for suspicious extension updates or icon changes

🔹 Keep your antivirus software and operating system up to date


Notice:

"The information and views presented in this article are intended solely for educational purposes and should not be taken as investment advice in any situation. The content of these pages should not be regarded as financial, investment, or any other form of advice. We caution that investing in cryptocurrencies can be risky and may lead to financial losses."