A Russian hacking group known as GreedyBear has stolen over $1 million in cryptocurrency by launching a wave of malicious Firefox browser extensions and fake MetaMask wallet apps. These scams are highly sophisticated and have been active for at least five weeks, targeting unsuspecting users across the crypto space.
What's Happening?
GreedyBear has deployed 150+ fake browser extensions, many of which were available on Firefox's official add-on store. These extensions are designed to look like helpful wallet tools or security apps, but they're actually built to steal your seed phrase, private keys, and other sensitive data.
Once installed, these extensions silently collect your wallet info and send it to the hackers. Victims lose access to their funds instantly, and recovery is nearly impossible.
How They're Tricking People
The group isn't just relying on fake extensions. They're also creating fake MetaMask wallet apps and phishing websites that mimic trusted platforms. One of their tactics includes fake savings ads that look like they're from legit companies like Wise. These ads redirect users to cloned sites that ask for wallet access or seed phrases.
It's a full-blown social engineering campaign, and it's working.
Who Else Is Involved?
Authorities like the U.S. Department of Homeland Security have flagged GreedyBear as part of a larger network of Russian cybercrime groups. Others in this network include BlackSuit and Royal, both known for ransomware attacks and crypto theft.
These groups are evolving fast, using smarter tools, better branding, and more convincing scams.
What You Should Do Right Now
If you use Firefox or MetaMask, take action immediately:
- Audit your browser extensions
Go to your browser settings and check every installed extension. If you don't recognize one, remove it.
- Delete anything suspicious
Even if it looks legit, if you didn't install it yourself or it's not from a verified source, get rid of it.
- Verify URLs carefully
Always double-check the website address before entering wallet info. Fake sites often use slight misspellings or extra characters.
- Use official wallet links only
Download wallets and extensions from the official websites, not from ads, social media, or random links.
- Never share your seed phrase
No legit company will ever ask for it. If someone does, it's a scam.
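The extension audit above can also be scripted. This is an added example, not part of the original article: it reads the add-on list Firefox keeps in a profile's `extensions.json` and lists user-installed extensions that are not on your own allowlist. The field names are assumed from typical Firefox profiles, and the sample data, allowlist and keyword list are constructed for illustration.

```python
import json

# Constructed sample shaped like the extensions.json file in a Firefox profile.
SAMPLE = json.dumps({"addons": [
    {"id": "adblock@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Ad Blocker"},
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
    {"id": "helper@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "MetaMask Wallet Helper"},
     "userPermissions": {"permissions": ["tabs"], "origins": ["<all_urls>"]}},
    {"id": "notes@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Quick Notes"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "builtin@example.invalid", "type": "extension", "location": "app-builtin",
     "defaultLocale": {"name": "Built-in"}, "userPermissions": None},
    {"id": "theme@example.invalid", "type": "theme", "location": "app-profile",
     "defaultLocale": {"name": "Dark Theme"}},
]})

ALLOWLIST = {"adblock@example.invalid"}   # assumption: IDs you installed on purpose
WALLET_WORDS = ("wallet", "metamask")     # assumption: names worth a second look
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit(extensions_json, allowlist=ALLOWLIST):
    """Return (id, name, reasons) for user-installed extensions that need review."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        # Skip themes/dictionaries and add-ons shipped with the browser itself.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        if addon.get("id") in allowlist:
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or "(unnamed)"
        perms = addon.get("userPermissions") or {}
        reasons = ["not on allowlist"]
        if any(word in name.lower() for word in WALLET_WORDS):
            reasons.append("wallet-themed name")
        if BROAD & set(perms.get("origins") or []):
            reasons.append("can read every site")
        findings.append((addon.get("id"), name, reasons))
    # Entries with the most reasons come first so they are reviewed first.
    return sorted(findings, key=lambda f: -len(f[2]))

if __name__ == "__main__":
    for ext_id, name, reasons in audit(SAMPLE):
        print(f"{ext_id}  {name}: {', '.join(reasons)}")
```

To run it on a real profile, pass the text of that profile's `extensions.json` to `audit()` along with your own allowlist of add-on IDs.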
Warnings from the Crypto Community
Platforms like KuCoin and CoinMarketCap are sounding the alarm:
"Think your browser extensions are safe? Think again. Dozens of fake wallet add-ons were recently found on Firefox's official stores." - @kucoincom
"CoinMarketCap will NEVER DM you first. If you receive a message claiming to be from CMC & asking for funds, it's a scam!" - @CoinMarketCap
These warnings are part of a growing effort to educate users and prevent further losses.
Why This Matters
Crypto is built on trust and decentralization, but that also means you're responsible for your own security. Hackers like GreedyBear exploit that trust by creating tools that look helpful but are actually dangerous.
The fact that these extensions made it onto Firefox's official store shows how sneaky and convincing they are. It's a wake-up call for everyone in the space.
Global Impact
This isn't just a one-off attack. It's part of a global surge in crypto-related cybercrime, especially from groups linked to Russia and Eastern Europe. These hackers are targeting:
- Retail investors
- NFT collectors
- DeFi users
- Crypto influencers
- Even institutional wallets
They're using everything from browser exploits to fake customer support chats to drain wallets.
Stay Smart, Stay #SAFU
Here's how to protect yourself and your community:
- Use hardware wallets for large amounts
- Educate your friends and followers
- Clean up your browser regularly
- Test unknown tools in a sandbox wallet
- Follow trusted sources for updates