A group of Russian hackers stole $1 million through fake crypto wallets.

According to a study by Koi Security, in recent months the Russian hacker group GreedyBear has significantly expanded its activities, taking cryptocurrency theft to an 'industrial level.' In five weeks, they managed to steal over $1 million, using a combination of 150 malicious Firefox extensions, nearly 500 infected executable files, and 'dozens' of phishing sites.

In its blog, Koi Security reported that hackers have focused on the mass distribution of fake versions of popular crypto wallets: MetaMask, Exodus, Rabby Wallet, TronLink.

The attack method is simple but effective: first, a harmless version of the extension is uploaded and passes the review on the browser's add-on marketplace, and only later is it updated with malicious code — this technique is called Extension Hollowing.
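As an added illustration (not from the article or from Koi Security), a defender-side heuristic for the pattern described above: compare the manifest of an extension's first release with that of a later update and flag updates that add high-risk permissions or site-wide content scripts. Both manifests are constructed sample data, and the risk list is an assumption.

```python
"""Flag risky changes between two versions of a browser-extension manifest.

Added example (not from Koi Security or the original post): a heuristic check
for the 'Extension Hollowing' pattern, where a benign first release is later
updated with malicious capabilities. Both manifests are constructed samples.
"""
import json

# Assumed list: permissions whose sudden appearance in an update warrants review.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                         "clipboardRead", "nativeMessaging", "cookies", "tabs"}

BENIGN_V1 = json.dumps({  # constructed: harmless first release
    "manifest_version": 2, "name": "Wallet Helper", "version": "1.0.0",
    "permissions": ["storage"],
    "content_scripts": [],
})
HOLLOWED_V2 = json.dumps({  # constructed: update that adds credential-stealing reach
    "manifest_version": 2, "name": "Wallet Helper", "version": "1.0.1",
    "permissions": ["storage", "<all_urls>", "clipboardRead"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})


def diff_manifests(old_json: str, new_json: str) -> dict:
    """Return what an update added: new permissions, new content-script
    match patterns, and the subset of added permissions that are high risk."""
    old, new = json.loads(old_json), json.loads(new_json)

    def perms(m):
        return set(m.get("permissions", [])) | set(m.get("host_permissions", []))

    def matches(m):
        return {pat for cs in m.get("content_scripts", []) for pat in cs.get("matches", [])}

    added_perms = perms(new) - perms(old)
    added_matches = matches(new) - matches(old)
    return {
        "added_permissions": sorted(added_perms),
        "added_content_script_matches": sorted(added_matches),
        "high_risk_added": sorted(added_perms & HIGH_RISK_PERMISSIONS),
    }


def is_suspicious_update(old_json: str, new_json: str) -> bool:
    """True when an update introduces high-risk permissions or starts injecting
    scripts into every site: the shape of a hollowed extension."""
    d = diff_manifests(old_json, new_json)
    return bool(d["high_risk_added"]) or "<all_urls>" in d["added_content_script_matches"]


if __name__ == "__main__":
    print(json.dumps(diff_manifests(BENIGN_V1, HOLLOWED_V2), indent=2))
    print("suspicious:", is_suspicious_update(BENIGN_V1, HOLLOWED_V2))
```

A marketplace reviewer or an enterprise policy tool would run this check on every version bump rather than only on the initial submission, which is the gap the technique exploits.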

As soon as the victim installs such an extension, it begins to steal the wallet credentials. This data is used to withdraw funds, often within minutes. To create an appearance of reliability, the attackers post fake positive reviews about their extensions.

According to Koi Security's Technical Director Idan Dardikman, the campaign through Firefox has become 'undoubtedly' the most profitable direction, bringing GreedyBear the majority of the stolen funds. Moreover, the scale has grown rapidly: from April to July 2025 the group used about 40 extensions, while the new wave already counts 150.

A separate line of attack targets Russian-speaking users. For them, GreedyBear distributes nearly 500 malicious Windows executables through Russian sites offering pirated and repackaged software. The programs contain password stealers, trojans, and even ransomware. Koi describes this as a 'broad channel for malware delivery' whose tactics can be changed quickly as needed.

The third line of attack is phishing sites that imitate legitimate services in the crypto industry: software and hardware wallets, and platforms for recovering access to funds. Through them, the hackers harvest personal data and wallet keys.

A curious detail: almost all domains of GreedyBear's attacks are linked to a single IP address — 185.208.156.66. This, according to Dardikman, is a sign of tightly centralized control of the group. Such a scheme is characteristic of organized cybercrime, rather than state structures that use distributed infrastructure to avoid a single point of failure.

Experts believe that GreedyBear's motive is financial gain, rather than political goals. They warn: only install extensions from verified developers, avoid sites with pirated software, and for long-term storage of large sums, use hardware wallets, purchasing them exclusively from official manufacturer websites, as hackers create fake pages for such devices to steal both payment data and cryptocurrency.

According to Koi Security, GreedyBear does not plan to stop and will look for new ways to attack users around the world.

#cryptonews | @kriptaottk