Stratos Ally

Cybercriminals Target Crypto Users With Fraudulent Extensions

StratosAlly

A sophisticated cyber theft campaign has been uncovered, where attackers used fake browser extensions to steal cryptocurrency from users, primarily by mimicking trusted wallet brands like MetaMask, TronLink, Exodus, and Rabby Wallet, among others. 

The operation, nicknamed GreedyBear, targeted Mozilla Firefox users by quietly distributing over 150 rogue add-ons, and researchers estimate that more than $1 million in cryptocurrency has been siphoned from victims to date. The add-ons were disguised as helpful wallet tools, but once installed they harvested login details, IP addresses, and other sensitive information and sent it all back to a command server.

In this campaign, attackers used “extension hollowing”: uploading a harmless extension that passes Mozilla’s review, bolstered by fake user reviews, then later updating it with malicious code once credibility is established.
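The update step is where hollowing becomes visible: a later version asks for capabilities the reviewed version never had. As an added illustration (not code from the article or the researchers), here is a Python check that a reviewer or an automated pipeline could run on an extension update to flag that jump; the two manifests are constructed samples, not the campaign's own files.

```python
import json

# Constructed sample manifests (not from the campaign): a benign v1 that would
# pass review, and a later v2 that quietly adds what a credential stealer needs.
MANIFEST_V1 = json.dumps({
    "manifest_version": 3, "name": "Wallet Helper", "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://example-wallet.test/*"],
})
MANIFEST_V2 = json.dumps({
    "manifest_version": 3, "name": "Wallet Helper", "version": "1.1",
    "permissions": ["storage", "webRequest", "cookies"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Capabilities whose first appearance in an update deserves a second review.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies",
                         "clipboardRead", "nativeMessaging", "tabs", "history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def diff_manifests(old_json: str, new_json: str) -> dict:
    """Compare two manifest.json versions and report what the update newly requests."""
    old, new = json.loads(old_json), json.loads(new_json)
    added_perms = set(new.get("permissions", [])) - set(old.get("permissions", []))
    added_hosts = set(new.get("host_permissions", [])) - set(old.get("host_permissions", []))
    old_matches = {m for s in old.get("content_scripts", []) for m in s.get("matches", [])}
    new_matches = {m for s in new.get("content_scripts", []) for m in s.get("matches", [])}
    added_matches = new_matches - old_matches
    return {
        "added_permissions": sorted(added_perms),
        "added_host_permissions": sorted(added_hosts),
        "added_content_script_matches": sorted(added_matches),
        # Flag when the update gains a sensitive API or reach into every site.
        "risk": bool(added_perms & SENSITIVE_PERMISSIONS)
                or bool((added_hosts | added_matches) & BROAD_HOSTS),
    }


if __name__ == "__main__":
    print(json.dumps(diff_manifests(MANIFEST_V1, MANIFEST_V2), indent=2))
```

A clean update that changes only code under unchanged permissions would still pass this check, so it complements rather than replaces re-review of the updated code itself.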

This isn’t the first time something like this has happened. GreedyBear appears to be an expanded evolution of the earlier Foxy Wallet campaign, which planted fewer than 40 malicious browser extensions with similar credential-stealing capabilities.  

Researchers also traced similar activity to pirated software websites, mostly in Russian, where fake crypto repair tools were promoted. These tools trick users into giving up their wallet recovery phrases, handing over the keys to their funds. The broader campaign also distributes malicious executables, including information stealers and ransomware, through the same cracked and pirated software sites to further compromise victims. The group's techniques therefore go beyond browser add-ons: it operates malware distribution pipelines through cracked software sites and runs phishing portals disguised as crypto wallet support services.

These phishing portals deceive users into surrendering wallet recovery seeds or payment information, leading to credential theft and financial loss. All three attack vectors (malicious extensions, executables spread on piracy sites, and fake repair tools) were linked to the same command-and-control server, a single IP address that coordinated the campaign. Analysis indicates the attackers used AI-powered tools to develop the malicious extension code and to automate the creation of scam websites and fake promotional content, enabling rapid scaling across multiple platforms.

Researchers have also identified traces of the same malicious infrastructure on Google Chrome, including a Filecoin Wallet extension that communicates with the same command‑and‑control server as the Firefox add‑ons, confirming that the campaign now targets multiple browsers. Related activity has also been noted involving fraudulent Ethereum trading bots promoted through AI-generated YouTube videos, which drain user wallets via malicious smart contracts.

Security researchers say browser makers need to take a harder look at how extension updates are reviewed after they’ve been approved. For everyday users, that means treating any add‑on, particularly those linked to cryptocurrency wallets, with caution. It’s also wise to steer clear of software or tools offered outside official channels and to be suspicious of unsolicited “support” pages or services claiming they can repair a wallet.