A new cybercrime operation called GreedyBear has looted over $1 million in cryptocurrency through an elaborate scheme involving malicious browser extensions, cracked software, and deceptive crypto-themed websites. According to cybersecurity researchers at Lookout, this campaign represents one of the most coordinated and multifaceted threats targeting digital asset holders in recent months.
Fake Wallet Extensions Flood Browser Stores
GreedyBear’s primary weapon is a wave of over 150 fake browser extensions uploaded to the Mozilla Firefox Add-ons store. These extensions impersonate popular crypto wallets such as MetaMask, Rabby, TronLink, and Exodus. At least one fake extension also managed to slip past Google Chrome’s vetting process.
The attackers used a tactic known as “extension hollowing.” Each extension was first published in a harmless form, padded with fake positive reviews to build credibility. Because store review is performed on the version that is submitted, the benign release cleared vetting; the malicious code was then pushed through the store’s normal update channel, so victims saw no new install prompt. Once updated, the extensions captured the wallet credentials users entered into them and exfiltrated them to the attackers’ server.
Coordinated Infrastructure Links Multiple Attack Vectors
What sets GreedyBear apart is its use of three distinct attack vectors that all feed into the same infrastructure:
- Fake extensions on Firefox and Chrome
- Malicious executables distributed via cracked software sites
- Scam websites pretending to offer wallet repair or crypto services
All three channels communicate with the same command-and-control server, 185.208.156.66, which ties the campaign’s components together and points to a single operator rather than unrelated copycats. That address is a useful indicator to block and hunt for in proxy and firewall logs today, with the usual caveat that a single IP is a short-lived indicator the operator can change at will.
AI-Enhanced Cybercrime at Scale
Investigators also suspect that generative AI tooling helped build and deploy the campaign. The number of extensions and the speed at which they were produced and published point to automation rather than hand-crafting, although this remains an inference from scale, not a confirmed finding.
This is a full-fledged, multi-platform operation optimized for reach and speed.
How to Stay Safe
Crypto users should remain cautious and follow basic hygiene practices to avoid falling victim to similar attacks:
- Install wallet extensions only by following the link from the wallet vendor’s official website, and check the add-on ID and publisher on the store page. Ratings and reviews can be faked, as this campaign shows.
- Never download cracked or pirated software; it is routinely bundled with malware, and here it was one of the three delivery channels.
- Keep signing keys on a hardware wallet rather than in a browser-based wallet alone, and never type a seed phrase into any browser extension or website: a malicious extension can capture whatever is entered into it, but cannot extract a key that was never on the machine.
- Regularly review installed extensions and their permissions (about:addons in Firefox, chrome://extensions in Chrome), and uninstall anything unnecessary. An extension that was safe when you installed it can change behaviour in a later update without the store listing looking any different.
- Treat websites offering wallet “repair,” recovery, or free crypto utilities as hostile by default; legitimate wallet vendors do not ask for seed phrases to fix a problem.
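As an added example that is not part of the original article or of the cited researchers’ work, the script below turns two of the points above into a repeatable check: it audits a Firefox profile’s `extensions.json` for add-ons that borrow a wallet brand name without carrying a known vendor add-on ID, for add-ons holding host permissions on every site, and for any install, update or host-permission URL that references the campaign’s shared C2 address; it also scans proxy records for connections to that address. The `extensions.json` sample and the proxy lines are constructed for the demo, and `TRUSTED_WALLET_IDS` is a placeholder the reader fills from each vendor’s official listing.

```python
"""Audit a Firefox extensions.json and a proxy log for GreedyBear indicators.

Added example, not code from the article or the researchers it cites.  The
sample extensions.json and proxy records are constructed; TRUSTED_WALLET_IDS
is a placeholder to be filled from the wallet vendors' official listings."""
import json
from urllib.parse import urlparse

# Shared C2 address published in the article.
GREEDYBEAR_C2 = "185.208.156.66"

# Wallet brands the fake extensions impersonated (from the article).
WALLET_BRANDS = ("metamask", "rabby", "tronlink", "exodus")

# Placeholder allowlist: copy add-on IDs from each vendor's official listing.
# An impersonator can reuse a display name, but not the vendor's add-on ID.
TRUSTED_WALLET_IDS = {"official-wallet-id@example.invalid"}


def host_of(url):
    """Hostname of a URL or of a WebExtension match pattern like '*://host/*'."""
    if not url:
        return None
    if url.startswith("*://"):          # match patterns are not valid URLs
        url = "http://" + url[4:]
    return urlparse(url).hostname


def audit_addons(extensions_json, trusted_ids=TRUSTED_WALLET_IDS,
                 c2_hosts=(GREEDYBEAR_C2,)):
    """Return (addon_id, reason) findings for a parsed extensions.json."""
    findings = []
    for addon in extensions_json.get("addons", []):
        if addon.get("type") != "extension":
            continue                     # themes and language packs are out of scope
        addon_id = addon.get("id", "<no id>")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        origins = (addon.get("userPermissions") or {}).get("origins", [])

        # 1. Wallet brand in the display name, but the ID is not the vendor's.
        brand = next((b for b in WALLET_BRANDS if b in name.lower()), None)
        if brand and addon_id not in trusted_ids:
            findings.append((addon_id, f"name impersonates {brand} but ID is not allowlisted"))

        # 2. Host permission for every site: legitimate for some tools, but also
        #    exactly the access a credential-stealing update needs.
        if "<all_urls>" in origins or any(o.startswith("*://*/") for o in origins):
            findings.append((addon_id, "holds host permission for every site"))

        # 3. Install source, update URL or requested origin pointing at the C2.
        for url in (addon.get("sourceURI"), addon.get("updateURL"), *origins):
            host = host_of(url)
            if host in c2_hosts:
                findings.append((addon_id, f"references known C2 host {host}"))
    return findings


def c2_hits(log_lines, c2_hosts=(GREEDYBEAR_C2,)):
    """1-based line numbers of records whose 'host:port' token names a C2 host."""
    return [n for n, line in enumerate(log_lines, 1)
            if any(tok.rsplit(":", 1)[0] in c2_hosts for tok in line.split())]


# Constructed sample in the shape of a Firefox profile's extensions.json.
SAMPLE_EXTENSIONS_JSON = json.loads("""{
  "schemaVersion": 36,
  "addons": [
    {"id": "adblock@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Example Ad Blocker"},
     "userPermissions": {"permissions": ["webRequest"], "origins": ["<all_urls>"]},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/adblock.xpi",
     "updateURL": null},
    {"id": "{7f3a-fake-wallet}", "type": "extension",
     "defaultLocale": {"name": "MetaMask Wallet Pro"},
     "userPermissions": {"permissions": ["storage"], "origins": ["*://185.208.156.66/*"]},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/wallet-pro.xpi",
     "updateURL": null},
    {"id": "langpack-en-GB@firefox.mozilla.org", "type": "locale",
     "defaultLocale": {"name": "English (GB) Language Pack"}}
  ]
}""")

# Constructed proxy records: timestamp, client, method, destination.
SAMPLE_PROXY_LOG = [
    "2025-08-07T10:14:01Z 10.0.0.7 CONNECT addons.mozilla.org:443",
    "2025-08-07T10:14:09Z 10.0.0.7 CONNECT 185.208.156.66:443",
    "2025-08-07T10:15:30Z 10.0.0.9 CONNECT api.example.invalid:443",
]

if __name__ == "__main__":
    # On a real profile, load ~/.mozilla/firefox/<profile>/extensions.json
    # (Linux/macOS) or %APPDATA%\Mozilla\Firefox\Profiles\<profile>\extensions.json.
    for addon_id, reason in audit_addons(SAMPLE_EXTENSIONS_JSON):
        print(f"[extension] {addon_id}: {reason}")
    for n in c2_hits(SAMPLE_PROXY_LOG):
        print(f"[network]   line {n}: {SAMPLE_PROXY_LOG[n - 1]}")
```

The broad-permission finding is a review prompt rather than a verdict: content blockers legitimately hold `<all_urls>`, while a wallet extension rarely needs it. The name-versus-ID check is the one that actually discriminates an impersonator from the real wallet, which is why it depends on the allowlist being filled from the vendors’ official listings rather than from store search results.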
Final Thoughts
The GreedyBear campaign demonstrates how cybercriminals are evolving, leveraging browser extension ecosystems, fake software tools, and possibly AI to steal cryptocurrency at scale. As attacks grow more sophisticated, crypto users must remain vigilant, use secure tools, and question anything that seems too convenient or well-reviewed to be true.