🚨 “GreedyBear’s $1M Firefox Crypto Heist” – Hackers Unleash 150 Weaponized Extensions

🦠 Industrial-Scale Cybercrime:

Russian hacking group GreedyBear has supercharged its operations, deploying 150 malicious Firefox extensions, nearly 500 infected executables, and dozens of phishing sites to steal over $1 million in just five weeks, according to cybersecurity firm Koi Security.

🦊 Firefox – The Gold Mine:

Their most profitable tactic? Fake crypto wallet extensions for popular wallets like MetaMask, Exodus, Rabby, and TronLink.

🕵️‍♂️ First, harmless versions are uploaded to bypass security.

💣 Later, malicious code is added via Extension Hollowing.

⭐ Fake reviews boost credibility.

🔓 Once installed, they steal wallet credentials and crypto funds.

💻 Two Fronts, Two Targets:

🌍 Firefox scam → Targets global/English-speaking victims.

🇷🇺 Malicious Windows executables → Targets Russian-speaking users via pirated software sites, spreading ransomware, trojans, and credential stealers.

🎭 Phishing, but Make It Look Legit:

🎣 GreedyBear also operates fake crypto service websites to trick victims into handing over wallet details and payment info.

📡 One IP to Rule Them All:

🛰 Almost all attack domains point to a single IP address, 185.208.156.66, which serves as a central hub, a sign of tight criminal control, not state-sponsored ops.
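
For defenders, a shared hub IP like this is a usable indicator. The Python below is an added example, not code from Koi Security or the original post: it scans DNS resolver logs for clients that resolved any domain to that IP, then generalizes to listing every IP that several distinct domains share. The log format, client addresses, and `.example` domains are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

HUB_IP = ipaddress.ip_address("185.208.156.66")  # hub IP named in the post

# Constructed sample log; assumed format: timestamp client qname answer
SAMPLE_LOG = """\
2025-01-01T09:14:02Z 10.0.4.17 wallet-sync.example 185.208.156.66
2025-01-01T09:14:05Z 10.0.4.17 www.example.org 203.0.113.10
2025-01-01T09:20:41Z 10.0.7.3 swap-portal.example 185.208.156.66
2025-01-01T09:21:00Z 10.0.7.3 typo.example NXDOMAIN
2025-01-01T09:30:12Z 10.0.4.17 Wallet-Sync.example. 185.208.156.66
2025-01-01T09:31:55Z 10.0.9.8 cdn.example.net 198.51.100.7
"""

def parse_line(line):
    """Return (client, qname, ip), or None when the line does not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, client, qname, answer = parts
    try:
        return client, qname.rstrip(".").lower(), ipaddress.ip_address(answer)
    except ValueError:
        return None  # NXDOMAIN and other non-address answers

def hub_hits(log_text, hub_ip=HUB_IP):
    """Map each client to the set of domains it resolved to the hub IP."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == hub_ip:
            hits[rec[0]].add(rec[1])
    return dict(hits)

def shared_hosts(log_text, min_domains=2):
    """General case: IPs that at least min_domains distinct domains resolve to."""
    # CDNs and shared hosting also appear here, so treat results as triage leads.
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[str(rec[2])].add(rec[1])
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}

if __name__ == "__main__":
    for client, domains in sorted(hub_hits(SAMPLE_LOG).items()):
        print(f"{client} resolved hub-hosted domains: {', '.join(sorted(domains))}")
    print(shared_hosts(SAMPLE_LOG))
```
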

🛡 How to Stay Safe:

🛒 Install extensions only from verified developers with long track records.

🚫 Avoid pirated software sites.

🔐 Use hardware wallets for large holdings—buy only from official manufacturer sites.

📌 Takeaways for Non-Tech Readers:

GreedyBear is a large online scam group. They put bad code in fake browser tools, write fake good reviews, and then steal your money or personal information.

Only download from trusted places and avoid offers that look “too good to be true.” Use simple internet safety rules.
